
We recommend using Azure Native.

Azure Classic v5.70.0 published on Wednesday, Mar 27, 2024 by Pulumi

azure.containerservice.KubernetesCluster


    Manages a Managed Kubernetes Cluster (also known as AKS / Azure Kubernetes Service)

    Example Usage

    This example provisions a basic Managed Kubernetes Cluster.

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
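    // Resource group that holds the example cluster.
    const example = new azure.core.ResourceGroup("example", {
        name: "example-resources",
        location: "West Europe",
    });
    // Basic AKS cluster with a single-node default pool and a system-assigned
    // managed identity (no service principal secret to store or rotate).
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "example-aks1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "exampleaks1",
        defaultNodePool: {
            name: "default",
            nodeCount: 1,
            vmSize: "Standard_D2_v2",
        },
        identity: {
            type: "SystemAssigned",
        },
        tags: {
            Environment: "Production",
        },
    });
    export const clientCertificate = exampleKubernetesCluster.kubeConfigs.apply(kubeConfigs => kubeConfigs[0].clientCertificate);
    // The raw kubeconfig carries the credentials used to authenticate to the
    // cluster. Marking the stack output as a secret keeps it encrypted in state
    // and masked in CLI output, whatever the provider's own default is.
    export const kubeConfig = pulumi.secret(exampleKubernetesCluster.kubeConfigRaw);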
    
    import pulumi
    import pulumi_azure as azure
    
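    # Resource group that holds the example cluster.
    example = azure.core.ResourceGroup("example",
        name="example-resources",
        location="West Europe")
    # Basic AKS cluster with a single-node default pool and a system-assigned
    # managed identity (no service principal secret to store or rotate).
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="example-aks1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="exampleaks1",
        default_node_pool=azure.containerservice.KubernetesClusterDefaultNodePoolArgs(
            name="default",
            node_count=1,
            vm_size="Standard_D2_v2",
        ),
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="SystemAssigned",
        ),
        tags={
            "Environment": "Production",
        })
    pulumi.export("clientCertificate", example_kubernetes_cluster.kube_configs[0].client_certificate)
    # The raw kubeconfig carries the credentials used to authenticate to the
    # cluster. Marking the stack output as a secret keeps it encrypted in state
    # and masked in CLI output, whatever the provider's own default is.
    pulumi.export("kubeConfig", pulumi.Output.secret(example_kubernetes_cluster.kube_config_raw))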
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
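    // main provisions a resource group and a basic AKS cluster, then exports the
    // cluster's client certificate and its kubeconfig as stack outputs.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example-resources"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		// Single-node default pool and a system-assigned managed identity
    		// (no service principal secret to store or rotate).
    		exampleKubernetesCluster, err := containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:              pulumi.String("example-aks1"),
    			Location:          example.Location,
    			ResourceGroupName: example.Name,
    			DnsPrefix:         pulumi.String("exampleaks1"),
    			DefaultNodePool: &containerservice.KubernetesClusterDefaultNodePoolArgs{
    				Name:      pulumi.String("default"),
    				NodeCount: pulumi.Int(1),
    				VmSize:    pulumi.String("Standard_D2_v2"),
    			},
    			Identity: &containerservice.KubernetesClusterIdentityArgs{
    				Type: pulumi.String("SystemAssigned"),
    			},
    			Tags: pulumi.StringMap{
    				"Environment": pulumi.String("Production"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		ctx.Export("clientCertificate", exampleKubernetesCluster.KubeConfigs.ApplyT(func(kubeConfigs []containerservice.KubernetesClusterKubeConfig) (*string, error) {
    			return &kubeConfigs[0].ClientCertificate, nil
    		}).(pulumi.StringPtrOutput))
    		// The raw kubeconfig carries the credentials used to authenticate to
    		// the cluster. Marking the stack output as a secret keeps it encrypted
    		// in state and masked in CLI output, whatever the provider's default is.
    		ctx.Export("kubeConfig", pulumi.ToSecret(exampleKubernetesCluster.KubeConfigRaw))
    		return nil
    	})
    }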
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
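    // Provisions a resource group and a basic AKS cluster, then returns the
    // cluster's client certificate and its kubeconfig as stack outputs.
    return await Deployment.RunAsync(() => 
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example-resources",
            Location = "West Europe",
        });
    
        // Single-node default pool and a system-assigned managed identity
        // (no service principal secret to store or rotate).
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "example-aks1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "exampleaks1",
            DefaultNodePool = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolArgs
            {
                Name = "default",
                NodeCount = 1,
                VmSize = "Standard_D2_v2",
            },
            Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
            {
                Type = "SystemAssigned",
            },
            Tags = 
            {
                { "Environment", "Production" },
            },
        });
    
        return new Dictionary<string, object?>
        {
            ["clientCertificate"] = exampleKubernetesCluster.KubeConfigs.Apply(kubeConfigs => kubeConfigs[0].ClientCertificate),
            // The raw kubeconfig carries the credentials used to authenticate to
            // the cluster. Marking the stack output as a secret keeps it encrypted
            // in state and masked in CLI output, whatever the provider's default is.
            ["kubeConfig"] = Output.CreateSecret(exampleKubernetesCluster.KubeConfigRaw),
        };
    });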
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import com.pulumi.azure.containerservice.inputs.KubernetesClusterDefaultNodePoolArgs;
    import com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
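    /**
     * Provisions a resource group and a basic AKS cluster, then exports the
     * cluster's client certificate and its kubeconfig as stack outputs.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the stack's resources and outputs.
         *
         * @param ctx Pulumi context used to register the stack outputs.
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example-resources")
                .location("West Europe")
                .build());
    
            // Single-node default pool and a system-assigned managed identity
            // (no service principal secret to store or rotate).
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("example-aks1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("exampleaks1")
                .defaultNodePool(KubernetesClusterDefaultNodePoolArgs.builder()
                    .name("default")
                    .nodeCount(1)
                    .vmSize("Standard_D2_v2")
                    .build())
                .identity(KubernetesClusterIdentityArgs.builder()
                    .type("SystemAssigned")
                    .build())
                .tags(Map.of("Environment", "Production"))
                .build());
    
            // kubeConfigs resolves to a List, so the first entry is read with get(0);
            // array indexing does not compile on a List.
            ctx.export("clientCertificate", exampleKubernetesCluster.kubeConfigs().applyValue(kubeConfigs -> kubeConfigs.get(0).clientCertificate()));
            // The raw kubeconfig carries the credentials used to authenticate to
            // the cluster. Marking the stack output as a secret keeps it encrypted
            // in state and masked in CLI output, whatever the provider's default is.
            ctx.export("kubeConfig", exampleKubernetesCluster.kubeConfigRaw().asSecret());
        }
    }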
    
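    # Resource group plus a basic AKS cluster with a single-node default pool
    # and a system-assigned managed identity.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example-resources
          location: West Europe
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: example-aks1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: exampleaks1
          defaultNodePool:
            name: default
            nodeCount: 1
            vmSize: Standard_D2_v2
          identity:
            type: SystemAssigned
          tags:
            Environment: Production
    outputs:
      clientCertificate: ${exampleKubernetesCluster.kubeConfigs[0].clientCertificate}
      # The raw kubeconfig carries the credentials used to authenticate to the
      # cluster. Marking the stack output as a secret keeps it encrypted in state
      # and masked in CLI output, whatever the provider's own default is.
      kubeConfig:
        fn::secret: ${exampleKubernetesCluster.kubeConfigRaw}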
    

    Create KubernetesCluster Resource

    new KubernetesCluster(name: string, args: KubernetesClusterArgs, opts?: CustomResourceOptions);
    @overload
    def KubernetesCluster(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          aci_connector_linux: Optional[KubernetesClusterAciConnectorLinuxArgs] = None,
                          api_server_access_profile: Optional[KubernetesClusterApiServerAccessProfileArgs] = None,
                          api_server_authorized_ip_ranges: Optional[Sequence[str]] = None,
                          auto_scaler_profile: Optional[KubernetesClusterAutoScalerProfileArgs] = None,
                          automatic_channel_upgrade: Optional[str] = None,
                          azure_active_directory_role_based_access_control: Optional[KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs] = None,
                          azure_policy_enabled: Optional[bool] = None,
                          confidential_computing: Optional[KubernetesClusterConfidentialComputingArgs] = None,
                          custom_ca_trust_certificates_base64s: Optional[Sequence[str]] = None,
                          default_node_pool: Optional[KubernetesClusterDefaultNodePoolArgs] = None,
                          disk_encryption_set_id: Optional[str] = None,
                          dns_prefix: Optional[str] = None,
                          dns_prefix_private_cluster: Optional[str] = None,
                          edge_zone: Optional[str] = None,
                          enable_pod_security_policy: Optional[bool] = None,
                          http_application_routing_enabled: Optional[bool] = None,
                          http_proxy_config: Optional[KubernetesClusterHttpProxyConfigArgs] = None,
                          identity: Optional[KubernetesClusterIdentityArgs] = None,
                          image_cleaner_enabled: Optional[bool] = None,
                          image_cleaner_interval_hours: Optional[int] = None,
                          ingress_application_gateway: Optional[KubernetesClusterIngressApplicationGatewayArgs] = None,
                          key_management_service: Optional[KubernetesClusterKeyManagementServiceArgs] = None,
                          key_vault_secrets_provider: Optional[KubernetesClusterKeyVaultSecretsProviderArgs] = None,
                          kubelet_identity: Optional[KubernetesClusterKubeletIdentityArgs] = None,
                          kubernetes_version: Optional[str] = None,
                          linux_profile: Optional[KubernetesClusterLinuxProfileArgs] = None,
                          local_account_disabled: Optional[bool] = None,
                          location: Optional[str] = None,
                          maintenance_window: Optional[KubernetesClusterMaintenanceWindowArgs] = None,
                          maintenance_window_auto_upgrade: Optional[KubernetesClusterMaintenanceWindowAutoUpgradeArgs] = None,
                          maintenance_window_node_os: Optional[KubernetesClusterMaintenanceWindowNodeOsArgs] = None,
                          microsoft_defender: Optional[KubernetesClusterMicrosoftDefenderArgs] = None,
                          monitor_metrics: Optional[KubernetesClusterMonitorMetricsArgs] = None,
                          name: Optional[str] = None,
                          network_profile: Optional[KubernetesClusterNetworkProfileArgs] = None,
                          node_os_channel_upgrade: Optional[str] = None,
                          node_resource_group: Optional[str] = None,
                          oidc_issuer_enabled: Optional[bool] = None,
                          oms_agent: Optional[KubernetesClusterOmsAgentArgs] = None,
                          open_service_mesh_enabled: Optional[bool] = None,
                          private_cluster_enabled: Optional[bool] = None,
                          private_cluster_public_fqdn_enabled: Optional[bool] = None,
                          private_dns_zone_id: Optional[str] = None,
                          public_network_access_enabled: Optional[bool] = None,
                          resource_group_name: Optional[str] = None,
                          role_based_access_control_enabled: Optional[bool] = None,
                          run_command_enabled: Optional[bool] = None,
                          service_mesh_profile: Optional[KubernetesClusterServiceMeshProfileArgs] = None,
                          service_principal: Optional[KubernetesClusterServicePrincipalArgs] = None,
                          sku_tier: Optional[str] = None,
                          storage_profile: Optional[KubernetesClusterStorageProfileArgs] = None,
                          support_plan: Optional[str] = None,
                          tags: Optional[Mapping[str, str]] = None,
                          web_app_routing: Optional[KubernetesClusterWebAppRoutingArgs] = None,
                          windows_profile: Optional[KubernetesClusterWindowsProfileArgs] = None,
                          workload_autoscaler_profile: Optional[KubernetesClusterWorkloadAutoscalerProfileArgs] = None,
                          workload_identity_enabled: Optional[bool] = None)
    @overload
    def KubernetesCluster(resource_name: str,
                          args: KubernetesClusterArgs,
                          opts: Optional[ResourceOptions] = None)
    func NewKubernetesCluster(ctx *Context, name string, args KubernetesClusterArgs, opts ...ResourceOption) (*KubernetesCluster, error)
    public KubernetesCluster(string name, KubernetesClusterArgs args, CustomResourceOptions? opts = null)
    public KubernetesCluster(String name, KubernetesClusterArgs args)
    public KubernetesCluster(String name, KubernetesClusterArgs args, CustomResourceOptions options)
    
    type: azure:containerservice:KubernetesCluster
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args KubernetesClusterArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args KubernetesClusterArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args KubernetesClusterArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args KubernetesClusterArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args KubernetesClusterArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    KubernetesCluster Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The KubernetesCluster resource accepts the following input properties:

    DefaultNodePool KubernetesClusterDefaultNodePool
    A default_node_pool block as defined below.
    ResourceGroupName string
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    AciConnectorLinux KubernetesClusterAciConnectorLinux
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    ApiServerAccessProfile KubernetesClusterApiServerAccessProfile
    An api_server_access_profile block as defined below.
    ApiServerAuthorizedIpRanges List<string>

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider.

    AutoScalerProfile KubernetesClusterAutoScalerProfile
    A auto_scaler_profile block as defined below.
    AutomaticChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    AzureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl
    A azure_active_directory_role_based_access_control block as defined below.
    AzurePolicyEnabled bool
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    ConfidentialComputing KubernetesClusterConfidentialComputing
    A confidential_computing block as defined below. For more details, please see the documentation.
    CustomCaTrustCertificatesBase64s List<string>

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    DiskEncryptionSetId string
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    DnsPrefix string
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    DnsPrefixPrivateCluster string

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    EdgeZone string
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    EnablePodSecurityPolicy bool

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    HttpApplicationRoutingEnabled bool

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    HttpProxyConfig KubernetesClusterHttpProxyConfig
    A http_proxy_config block as defined below.
    Identity KubernetesClusterIdentity

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    ImageCleanerEnabled bool
    Specifies whether Image Cleaner is enabled.
    ImageCleanerIntervalHours int
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    IngressApplicationGateway KubernetesClusterIngressApplicationGateway

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    KeyManagementService KubernetesClusterKeyManagementService
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    KeyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    KubeletIdentity KubernetesClusterKubeletIdentity
    A kubelet_identity block as defined below.
    KubernetesVersion string

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as 1.22 are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    LinuxProfile KubernetesClusterLinuxProfile
    A linux_profile block as defined below.
    LocalAccountDisabled bool

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    Location string
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    MaintenanceWindow KubernetesClusterMaintenanceWindow
    A maintenance_window block as defined below.
    MaintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgrade
    A maintenance_window_auto_upgrade block as defined below.
    MaintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOs
    A maintenance_window_node_os block as defined below.
    MicrosoftDefender KubernetesClusterMicrosoftDefender
    A microsoft_defender block as defined below.
    MonitorMetrics KubernetesClusterMonitorMetrics

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    Name string
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    NetworkProfile KubernetesClusterNetworkProfile

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    NodeOsChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NodeResourceGroup string

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    OidcIssuerEnabled bool
    Enable or Disable the OIDC issuer URL
    OmsAgent KubernetesClusterOmsAgent
    A oms_agent block as defined below.
    OpenServiceMeshEnabled bool
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    PrivateClusterEnabled bool
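    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false, which leaves the API server on a public endpoint; in that case consider limiting the allowed source addresses with authorized_ip_ranges in the api_server_access_profile block. Changing this forces a new resource to be created.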
    PrivateClusterPublicFqdnEnabled bool

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If UserAssigned identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

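    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });
    // Bring-your-own private DNS zone for the private cluster's API server record.
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });
    // The role is scoped to the single DNS zone, not to the resource group or
    // subscription, so the identity can only manage records in that zone.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // Run the cluster as the identity that was granted access to the zone.
        identity: {
            type: "UserAssigned",
            identityIds: [exampleUserAssignedIdentity.id],
        },
        // defaultNodePool and the remaining cluster settings are not shown here.
    }, {
        // Explicit dependency: nothing in the cluster's inputs references the
        // role assignment, so without this the two could be created or
        // destroyed in the wrong order.
        dependsOn: [exampleAssignment],
    });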

    import pulumi
    import pulumi_azure as azure
    
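    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    # Bring-your-own private DNS zone for the private cluster's API server record.
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the single DNS zone, not to the resource group or
    # subscription, so the identity can only manage records in that zone.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # default_node_pool and the remaining cluster settings are not shown here.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # Run the cluster as the identity that was granted access to the zone.
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="UserAssigned",
            identity_ids=[example_user_assigned_identity.id],
        ),
        # Explicit dependency: nothing in the cluster's inputs references the
        # role assignment, so without this the two could be created or
        # destroyed in the wrong order.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))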
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
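    // Private AKS cluster with a bring-your-own private DNS zone, run as a
    // user-assigned identity that holds a role on that zone only.
    return await Deployment.RunAsync(() => 
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });
    
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });
    
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });
    
        // The role is scoped to the single DNS zone, not to the resource group or
        // subscription, so the identity can only manage records in that zone.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });
    
        // DefaultNodePool and the remaining cluster settings are not shown here.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
            // Run the cluster as the identity that was granted access to the zone.
            Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
            {
                Type = "UserAssigned",
                IdentityIds = new[]
                {
                    exampleUserAssignedIdentity.Id,
                },
            },
        }, new CustomResourceOptions
        {
            // Explicit dependency: nothing in the cluster's inputs references the
            // role assignment, so without this the two could be created or
            // destroyed in the wrong order.
            DependsOn =
            {
                exampleAssignment,
            },
        });
    
    });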
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
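    // main provisions a private AKS cluster with a bring-your-own private DNS
    // zone, run as a user-assigned identity that holds a role on that zone only.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the single DNS zone, not to the resource group
    		// or subscription, so the identity can only manage records in that zone.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// DefaultNodePool and the remaining cluster settings are not shown here.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    			// Run the cluster as the identity that was granted access to the zone.
    			Identity: &containerservice.KubernetesClusterIdentityArgs{
    				Type: pulumi.String("UserAssigned"),
    				IdentityIds: pulumi.StringArray{
    					exampleUserAssignedIdentity.ID(),
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			// Explicit dependency: nothing in the cluster's inputs references
    			// the role assignment, so without this the two could be created
    			// or destroyed in the wrong order.
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }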
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
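    /**
     * Provisions a private AKS cluster with a bring-your-own private DNS zone,
     * run as a user-assigned identity that holds a role on that zone only.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the stack's resources.
         *
         * @param ctx Pulumi context for the current deployment.
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());
    
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());
    
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());
    
            // The role is scoped to the single DNS zone, not to the resource group
            // or subscription, so the identity can only manage records in that zone.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());
    
            // defaultNodePool and the remaining cluster settings are not shown here.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                // Run the cluster as the identity that was granted access to the zone.
                .identity(KubernetesClusterIdentityArgs.builder()
                    .type("UserAssigned")
                    .identityIds(exampleUserAssignedIdentity.id().applyValue(id -> List.of(id)))
                    .build())
                .build(), CustomResourceOptions.builder()
                    // Explicit dependency: nothing in the cluster's inputs references
                    // the role assignment, so without this the two could be created
                    // or destroyed in the wrong order.
                    .dependsOn(exampleAssignment)
                    .build());
    
        }
    }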
    
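    # Private AKS cluster whose API server record lives in a bring-your-own
    # Private DNS Zone.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to this single zone, not to the whole resource group.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      # NOTE: the identity and default node pool settings are not shown in this
      # example. The role assignment only benefits the cluster if the cluster is
      # configured to run as exampleUserAssignedIdentity.
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
        # Explicit dependency: no property above references the assignment, so
        # without this it could be removed before the cluster on destroy.
        options:
          dependsOn:
            - ${exampleAssignment}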
    
    PrivateDnsZoneId string
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    PublicNetworkAccessEnabled bool

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    Warning: public_network_access_enabled is currently not functional and is not passed to the Azure API, so setting it to false does not restrict access to the cluster. For further information please see this issue. To control the public and private exposure of a cluster, use the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    RoleBasedAccessControlEnabled bool
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    RunCommandEnabled bool
    Whether to enable run command for the cluster or not. Defaults to true.
    ServiceMeshProfile KubernetesClusterServiceMeshProfile

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    ServicePrincipal KubernetesClusterServicePrincipal

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    Warning: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    SkuTier string

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    StorageProfile KubernetesClusterStorageProfile
    A storage_profile block as defined below.
    SupportPlan string
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    Tags Dictionary<string, string>
    A mapping of tags to assign to the resource.
    WebAppRouting KubernetesClusterWebAppRouting
    A web_app_routing block as defined below.
    WindowsProfile KubernetesClusterWindowsProfile
    A windows_profile block as defined below.
    WorkloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile
    A workload_autoscaler_profile block defined below.
    WorkloadIdentityEnabled bool

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    DefaultNodePool KubernetesClusterDefaultNodePoolArgs
    A default_node_pool block as defined below.
    ResourceGroupName string
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    AciConnectorLinux KubernetesClusterAciConnectorLinuxArgs
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    ApiServerAccessProfile KubernetesClusterApiServerAccessProfileArgs
    An api_server_access_profile block as defined below.
    ApiServerAuthorizedIpRanges []string

    Deprecated:This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    AutoScalerProfile KubernetesClusterAutoScalerProfileArgs
    A auto_scaler_profile block as defined below.
    AutomaticChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    Warning: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    AzureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs
    A azure_active_directory_role_based_access_control block as defined below.
    AzurePolicyEnabled bool
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    ConfidentialComputing KubernetesClusterConfidentialComputingArgs
    A confidential_computing block as defined below. For more details please see the documentation
    CustomCaTrustCertificatesBase64s []string

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    DiskEncryptionSetId string
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    DnsPrefix string
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    DnsPrefixPrivateCluster string

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    EdgeZone string
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    EnablePodSecurityPolicy bool

    Deprecated: The AKS API removed support for this field on 2020-10-15 and it is no longer possible to configure the Pod Security Policy.

    HttpApplicationRoutingEnabled bool

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    HttpProxyConfig KubernetesClusterHttpProxyConfigArgs
    A http_proxy_config block as defined below.
    Identity KubernetesClusterIdentityArgs

    An identity block as defined below. One of either identity or service_principal must be specified.

    Warning: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    ImageCleanerEnabled bool
    Specifies whether Image Cleaner is enabled.
    ImageCleanerIntervalHours int
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    IngressApplicationGateway KubernetesClusterIngressApplicationGatewayArgs

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    KeyManagementService KubernetesClusterKeyManagementServiceArgs
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    KeyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProviderArgs
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    KubeletIdentity KubernetesClusterKubeletIdentityArgs
    A kubelet_identity block as defined below.
    KubernetesVersion string

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as 1.22 are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    LinuxProfile KubernetesClusterLinuxProfileArgs
    A linux_profile block as defined below.
    LocalAccountDisabled bool

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    Location string
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    MaintenanceWindow KubernetesClusterMaintenanceWindowArgs
    A maintenance_window block as defined below.
    MaintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgradeArgs
    A maintenance_window_auto_upgrade block as defined below.
    MaintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOsArgs
    A maintenance_window_node_os block as defined below.
    MicrosoftDefender KubernetesClusterMicrosoftDefenderArgs
    A microsoft_defender block as defined below.
    MonitorMetrics KubernetesClusterMonitorMetricsArgs

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    Name string
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    NetworkProfile KubernetesClusterNetworkProfileArgs

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    NodeOsChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NodeResourceGroup string

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    OidcIssuerEnabled bool
    Enable or Disable the OIDC issuer URL
    OmsAgent KubernetesClusterOmsAgentArgs
    A oms_agent block as defined below.
    OpenServiceMeshEnabled bool
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    PrivateClusterEnabled bool
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    PrivateClusterPublicFqdnEnabled bool

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If UserAssigned identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

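    // Private AKS cluster whose API server record lives in a bring-your-own
    // Private DNS Zone.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });
    // The role is scoped to this single zone rather than to the whole resource
    // group, which keeps the identity's privileges minimal.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });
    // NOTE: the identity and default node pool settings are not shown in this
    // example. The role assignment above only benefits the cluster if the cluster
    // is configured to run as exampleUserAssignedIdentity.
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
    }, {
        // Explicit dependency: no cluster argument references the assignment, so
        // without this it could be removed before the cluster on destroy.
        dependsOn: [exampleAssignment],
    });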

    import pulumi
    import pulumi_azure as azure
    
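    # Private AKS cluster whose API server record lives in a bring-your-own
    # Private DNS Zone.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to this single zone rather than to the whole resource
    # group, which keeps the identity's privileges minimal.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # NOTE: the identity and default node pool settings are not shown in this
    # example. The role assignment above only benefits the cluster if the cluster
    # is configured to run as example_user_assigned_identity.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # Explicit dependency: no cluster argument references the assignment, so
        # without this it could be removed before the cluster on destroy.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))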
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
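    // Private AKS cluster whose API server record lives in a bring-your-own
    // Private DNS Zone.
    return await Deployment.RunAsync(() =>
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });

        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });

        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });

        // The role is scoped to this single zone rather than to the whole
        // resource group, which keeps the identity's privileges minimal.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });

        // NOTE: the identity and default node pool settings are not shown in this
        // example. The role assignment above only benefits the cluster if the
        // cluster is configured to run as exampleUserAssignedIdentity.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
        }, new CustomResourceOptions
        {
            // Explicit dependency: no cluster argument references the assignment,
            // so without this it could be removed before the cluster on destroy.
            DependsOn =
            {
                exampleAssignment,
            },
        });

    });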
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
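    // main provisions a private AKS cluster whose API server record lives in a
    // bring-your-own Private DNS Zone, together with the user-assigned identity
    // and the role assignment on that zone.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to this single zone rather than to the whole
    		// resource group, which keeps the identity's privileges minimal.
    		// The resource is kept (not discarded) so the cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// NOTE: the identity and default node pool settings are not shown in
    		// this example. The role assignment above only benefits the cluster if
    		// the cluster is configured to run as exampleUserAssignedIdentity.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    			// Explicit dependency: no cluster argument references the assignment,
    			// so without this it could be removed before the cluster on destroy.
    		}, pulumi.DependsOn([]pulumi.Resource{exampleAssignment}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }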
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
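    /**
     * Pulumi program that provisions a private AKS cluster whose API server
     * record lives in a bring-your-own Private DNS Zone.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the resource group, the Private DNS Zone, a user-assigned
         * identity, the role assignment on the zone and the cluster itself.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // The role is scoped to this single zone rather than to the whole
            // resource group, which keeps the identity's privileges minimal.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            // NOTE: the identity and default node pool settings are not shown in
            // this example. The role assignment above only benefits the cluster
            // if the cluster is configured to run as exampleUserAssignedIdentity.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(),
                // Explicit dependency: nothing in the cluster arguments references
                // the assignment, so without this the engine is free to remove the
                // role assignment before the cluster on destroy.
                com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }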
    
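    # Private AKS cluster whose API server record lives in a bring-your-own
    # Private DNS Zone.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to this single zone, not to the whole resource group.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      # NOTE: the identity and default node pool settings are not shown in this
      # example. The role assignment only benefits the cluster if the cluster is
      # configured to run as exampleUserAssignedIdentity.
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
        # Explicit dependency: no property above references the assignment, so
        # without this it could be removed before the cluster on destroy.
        options:
          dependsOn:
            - ${exampleAssignment}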
    
    PrivateDnsZoneId string
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    PublicNetworkAccessEnabled bool

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    Warning: public_network_access_enabled is currently not functional and is not passed to the Azure API, so setting it to false does not restrict access to the cluster. For further information please see this issue. To control the public and private exposure of a cluster, use the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    RoleBasedAccessControlEnabled bool
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    RunCommandEnabled bool
    Whether to enable run command for the cluster or not. Defaults to true.
    ServiceMeshProfile KubernetesClusterServiceMeshProfileArgs

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    ServicePrincipal KubernetesClusterServicePrincipalArgs

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    Warning: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    SkuTier string

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    StorageProfile KubernetesClusterStorageProfileArgs
    A storage_profile block as defined below.
    SupportPlan string
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    Tags map[string]string
    A mapping of tags to assign to the resource.
    WebAppRouting KubernetesClusterWebAppRoutingArgs
    A web_app_routing block as defined below.
    WindowsProfile KubernetesClusterWindowsProfileArgs
    A windows_profile block as defined below.
    WorkloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfileArgs
    A workload_autoscaler_profile block defined below.
    WorkloadIdentityEnabled bool

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    defaultNodePool KubernetesClusterDefaultNodePool
    A default_node_pool block as defined below.
    resourceGroupName String
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    aciConnectorLinux KubernetesClusterAciConnectorLinux
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    apiServerAccessProfile KubernetesClusterApiServerAccessProfile
    An api_server_access_profile block as defined below.
    apiServerAuthorizedIpRanges List<String>

    Deprecated:This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    autoScalerProfile KubernetesClusterAutoScalerProfile
    A auto_scaler_profile block as defined below.
    automaticChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    Warning: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl
    A azure_active_directory_role_based_access_control block as defined below.
    azurePolicyEnabled Boolean
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidentialComputing KubernetesClusterConfidentialComputing
    A confidential_computing block as defined below. For more details please see the documentation
    customCaTrustCertificatesBase64s List<String>

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    diskEncryptionSetId String
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dnsPrefix String
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dnsPrefixPrivateCluster String

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edgeZone String
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enablePodSecurityPolicy Boolean

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    httpApplicationRoutingEnabled Boolean

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    httpProxyConfig KubernetesClusterHttpProxyConfig
    A http_proxy_config block as defined below.
    identity KubernetesClusterIdentity

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    imageCleanerEnabled Boolean
    Specifies whether Image Cleaner is enabled.
    imageCleanerIntervalHours Integer
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingressApplicationGateway KubernetesClusterIngressApplicationGateway

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    keyManagementService KubernetesClusterKeyManagementService
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    keyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubeletIdentity KubernetesClusterKubeletIdentity
    A kubelet_identity block as defined below.
    kubernetesVersion String

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linuxProfile KubernetesClusterLinuxProfile
    A linux_profile block as defined below.
    localAccountDisabled Boolean

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location String
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenanceWindow KubernetesClusterMaintenanceWindow
    A maintenance_window block as defined below.
    maintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgrade
    A maintenance_window_auto_upgrade block as defined below.
    maintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOs
    A maintenance_window_node_os block as defined below.
    microsoftDefender KubernetesClusterMicrosoftDefender
    A microsoft_defender block as defined below.
    monitorMetrics KubernetesClusterMonitorMetrics

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name String
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    networkProfile KubernetesClusterNetworkProfile

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    nodeOsChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    nodeResourceGroup String

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    oidcIssuerEnabled Boolean
    Enable or Disable the OIDC issuer URL
    omsAgent KubernetesClusterOmsAgent
    A oms_agent block as defined below.
    openServiceMeshEnabled Boolean
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    privateClusterEnabled Boolean
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    privateClusterPublicFqdnEnabled Boolean

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If UserAssigned identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

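    // Private AKS cluster that resolves its API server through a bring-your-own Private DNS Zone.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });
    // The role is scoped to this one zone rather than to the resource group,
    // so the cluster identity can only manage records in its own zone.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // Run the cluster as the identity that was granted access to the zone.
        identity: {
            type: "UserAssigned",
            identityIds: [exampleUserAssignedIdentity.id],
        },
        // Other cluster settings (for example defaultNodePool) are not shown in this excerpt.
    }, {
        // Explicit ordering: the role assignment must exist before the cluster is created
        // and must outlive it on destroy, as the accompanying note requires.
        dependsOn: [exampleAssignment],
    });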

    import pulumi
    import pulumi_azure as azure
    
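    # Private AKS cluster that resolves its API server through a bring-your-own Private DNS Zone.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to this one zone rather than to the resource group,
    # so the cluster identity can only manage records in its own zone.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # Run the cluster as the identity that was granted access to the zone.
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="UserAssigned",
            identity_ids=[example_user_assigned_identity.id],
        ),
        # Other cluster settings (for example default_node_pool) are not shown in this excerpt.
        # Explicit ordering: the role assignment must exist before the cluster is created
        # and must outlive it on destroy, as the accompanying note requires.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))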
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
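    // Private AKS cluster that resolves its API server through a bring-your-own Private DNS Zone.
    return await Deployment.RunAsync(() => 
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });
    
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });
    
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });
    
        // The role is scoped to this one zone rather than to the resource group,
        // so the cluster identity can only manage records in its own zone.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });
    
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
            // Run the cluster as the identity that was granted access to the zone.
            Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
            {
                Type = "UserAssigned",
                IdentityIds = new[]
                {
                    exampleUserAssignedIdentity.Id,
                },
            },
            // Other cluster settings (for example DefaultNodePool) are not shown in this excerpt.
        }, new CustomResourceOptions
        {
            // Explicit ordering: the role assignment must exist before the cluster is created
            // and must outlive it on destroy, as the accompanying note requires.
            DependsOn =
            {
                exampleAssignment,
            },
        });
    
    });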
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
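    // main provisions a private AKS cluster that resolves its API server through a
    // bring-your-own Private DNS Zone, running as a user-assigned identity that
    // holds the Private DNS Zone Contributor role on that zone.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to this one zone rather than to the resource group.
    		// The assignment is kept in a variable so the cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// Other cluster settings (for example DefaultNodePool) are not shown in this excerpt.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    			// Run the cluster as the identity that was granted access to the zone.
    			Identity: &containerservice.KubernetesClusterIdentityArgs{
    				Type: pulumi.String("UserAssigned"),
    				IdentityIds: pulumi.StringArray{
    					exampleUserAssignedIdentity.ID(),
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			// Explicit ordering: the role assignment must exist before the cluster
    			// is created and must outlive it on destroy.
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }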
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
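    /**
     * Provisions a private AKS cluster that resolves its API server through a
     * bring-your-own Private DNS Zone, running as a user-assigned identity that
     * holds the Private DNS Zone Contributor role on that zone.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the resource group, DNS zone, identity, role assignment and cluster.
         *
         * @param ctx the Pulumi deployment context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());
    
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());
    
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());
    
            // The role is scoped to this one zone rather than to the resource group,
            // so the cluster identity can only manage records in its own zone.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());
    
            // Typed local so the builder overload taking an Output of a list is selected.
            Output<List<String>> clusterIdentityIds = exampleUserAssignedIdentity.id().applyValue(id -> List.of(id));
    
            // Other cluster settings (for example defaultNodePool) are not shown in this excerpt.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                // Run the cluster as the identity that was granted access to the zone.
                .identity(com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs.builder()
                    .type("UserAssigned")
                    .identityIds(clusterIdentityIds)
                    .build())
                .build(),
                // Explicit ordering: the role assignment must exist before the cluster is
                // created and must outlive it on destroy, as the accompanying note requires.
                com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());
    
        }
    }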
    
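    # Private AKS cluster that resolves its API server through a bring-your-own Private DNS Zone.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to this one zone rather than to the resource group,
      # so the cluster identity can only manage records in its own zone.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
          # Run the cluster as the identity that was granted access to the zone.
          identity:
            type: UserAssigned
            identityIds:
              - ${exampleUserAssignedIdentity.id}
          # Other cluster settings (for example defaultNodePool) are not shown in this excerpt.
        options:
          # Explicit ordering: the role assignment must exist before the cluster is
          # created and must outlive it on destroy, as the accompanying note requires.
          dependsOn:
            - ${exampleAssignment}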
    
    privateDnsZoneId String
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    publicNetworkAccessEnabled Boolean

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API. For further information please see this issue. For controlling the public and private exposure of a cluster please see the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    roleBasedAccessControlEnabled Boolean
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    runCommandEnabled Boolean
    Whether to enable run command for the cluster or not. Defaults to true.
    serviceMeshProfile KubernetesClusterServiceMeshProfile

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    servicePrincipal KubernetesClusterServicePrincipal

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    skuTier String

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storageProfile KubernetesClusterStorageProfile
    A storage_profile block as defined below.
    supportPlan String
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags Map<String,String>
    A mapping of tags to assign to the resource.
    webAppRouting KubernetesClusterWebAppRouting
    A web_app_routing block as defined below.
    windowsProfile KubernetesClusterWindowsProfile
    A windows_profile block as defined below.
    workloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile
    A workload_autoscaler_profile block defined below.
    workloadIdentityEnabled Boolean

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    defaultNodePool KubernetesClusterDefaultNodePool
    A default_node_pool block as defined below.
    resourceGroupName string
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    aciConnectorLinux KubernetesClusterAciConnectorLinux
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    apiServerAccessProfile KubernetesClusterApiServerAccessProfile
    An api_server_access_profile block as defined below.
    apiServerAuthorizedIpRanges string[]

    Deprecated:This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    autoScalerProfile KubernetesClusterAutoScalerProfile
    A auto_scaler_profile block as defined below.
    automaticChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl
    A azure_active_directory_role_based_access_control block as defined below.
    azurePolicyEnabled boolean
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidentialComputing KubernetesClusterConfidentialComputing
    A confidential_computing block as defined below. For more details, please see the documentation.
    customCaTrustCertificatesBase64s string[]

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    diskEncryptionSetId string
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dnsPrefix string
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dnsPrefixPrivateCluster string

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edgeZone string
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enablePodSecurityPolicy boolean

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    httpApplicationRoutingEnabled boolean

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    httpProxyConfig KubernetesClusterHttpProxyConfig
    A http_proxy_config block as defined below.
    identity KubernetesClusterIdentity

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    imageCleanerEnabled boolean
    Specifies whether Image Cleaner is enabled.
    imageCleanerIntervalHours number
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingressApplicationGateway KubernetesClusterIngressApplicationGateway

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    keyManagementService KubernetesClusterKeyManagementService
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    keyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubeletIdentity KubernetesClusterKubeletIdentity
    A kubelet_identity block as defined below.
    kubernetesVersion string

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linuxProfile KubernetesClusterLinuxProfile
    A linux_profile block as defined below.
    localAccountDisabled boolean

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location string
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenanceWindow KubernetesClusterMaintenanceWindow
    A maintenance_window block as defined below.
    maintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgrade
    A maintenance_window_auto_upgrade block as defined below.
    maintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOs
    A maintenance_window_node_os block as defined below.
    microsoftDefender KubernetesClusterMicrosoftDefender
    A microsoft_defender block as defined below.
    monitorMetrics KubernetesClusterMonitorMetrics

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name string
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    networkProfile KubernetesClusterNetworkProfile

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    nodeOsChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    nodeResourceGroup string

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    oidcIssuerEnabled boolean
    Enable or Disable the OIDC issuer URL
    omsAgent KubernetesClusterOmsAgent
    A oms_agent block as defined below.
    openServiceMeshEnabled boolean
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    privateClusterEnabled boolean
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    privateClusterPublicFqdnEnabled boolean

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If UserAssigned identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

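    // Private AKS cluster that resolves its API server through a bring-your-own Private DNS Zone.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });
    // The role is scoped to this one zone rather than to the resource group,
    // so the cluster identity can only manage records in its own zone.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // Run the cluster as the identity that was granted access to the zone.
        identity: {
            type: "UserAssigned",
            identityIds: [exampleUserAssignedIdentity.id],
        },
        // Other cluster settings (for example defaultNodePool) are not shown in this excerpt.
    }, {
        // Explicit ordering: the role assignment must exist before the cluster is created
        // and must outlive it on destroy, as the accompanying note requires.
        dependsOn: [exampleAssignment],
    });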

    import pulumi
    import pulumi_azure as azure
    
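    # Private AKS cluster that resolves its API server through a bring-your-own Private DNS Zone.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to this one zone rather than to the resource group,
    # so the cluster identity can only manage records in its own zone.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # Run the cluster as the identity that was granted access to the zone.
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="UserAssigned",
            identity_ids=[example_user_assigned_identity.id],
        ),
        # Other cluster settings (for example default_node_pool) are not shown in this excerpt.
        # Explicit ordering: the role assignment must exist before the cluster is created
        # and must outlive it on destroy, as the accompanying note requires.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))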
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
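    // Private AKS cluster that resolves its API server through a bring-your-own Private DNS Zone.
    return await Deployment.RunAsync(() => 
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });
    
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });
    
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });
    
        // The role is scoped to this one zone rather than to the resource group,
        // so the cluster identity can only manage records in its own zone.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });
    
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
            // Run the cluster as the identity that was granted access to the zone.
            Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
            {
                Type = "UserAssigned",
                IdentityIds = new[]
                {
                    exampleUserAssignedIdentity.Id,
                },
            },
            // Other cluster settings (for example DefaultNodePool) are not shown in this excerpt.
        }, new CustomResourceOptions
        {
            // Explicit ordering: the role assignment must exist before the cluster is created
            // and must outlive it on destroy, as the accompanying note requires.
            DependsOn =
            {
                exampleAssignment,
            },
        });
    
    });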
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
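    // main declares a private AKS cluster that uses a caller-provided private DNS
    // zone, plus the identity and role assignment that grant access to that zone.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Resource group that holds every resource in this example.
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		// Private DNS zone that is handed to the cluster through PrivateDnsZoneId.
    		// NOTE(review): the region label in the zone name (eastus2) differs from the
    		// resource group location (West Europe); confirm it matches the cluster's region.
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		// User-assigned identity that receives access to the private DNS zone.
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the zone itself rather than to the whole resource
    		// group. The resource is kept in a variable so the cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// NOTE: this excerpt sets neither DefaultNodePool nor an Identity block; the
    		// Identity block is presumably where exampleUserAssignedIdentity gets attached.
    		//
    		// No cluster input references the role assignment, so the ordering has to be
    		// declared explicitly: the assignment is created before the cluster and is
    		// destroyed only after it.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    		}, pulumi.DependsOn([]pulumi.Resource{exampleAssignment}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }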
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
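    /**
     * Declares a private AKS cluster that uses a caller-provided private DNS zone,
     * plus the identity and role assignment that grant access to that zone.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Registers the example resources with the Pulumi engine.
         *
         * @param ctx the Pulumi program context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            // Resource group that holds every resource in this example.
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            // Private DNS zone that is handed to the cluster through privateDnsZoneId.
            // NOTE(review): the region label in the zone name (eastus2) differs from the
            // resource group location (West Europe); confirm it matches the cluster's region.
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            // User-assigned identity that receives access to the private DNS zone.
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // The role is scoped to the zone itself rather than to the whole resource group.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            // NOTE: this excerpt sets neither defaultNodePool nor an identity block; the
            // identity block is presumably where exampleUserAssignedIdentity gets attached.
            //
            // No cluster input references the role assignment, so the ordering has to be
            // declared explicitly: the assignment is created before the cluster and is
            // destroyed only after it. The options type is fully qualified because the
            // listing's import block does not include it.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(), com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }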
    
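    resources:
      # Resource group that holds every resource in this example.
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      # Private DNS zone that is handed to the cluster through privateDnsZoneId.
      # NOTE(review): the region label in the zone name (eastus2) differs from the
      # resource group location (West Europe); confirm it matches the cluster's region.
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      # User-assigned identity that receives access to the private DNS zone.
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the zone itself rather than to the whole resource group.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      # NOTE: this excerpt sets neither defaultNodePool nor an identity block; the
      # identity block is presumably where exampleUserAssignedIdentity gets attached.
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
        # No cluster property references the role assignment, so the ordering has to
        # be declared explicitly: the assignment is created before the cluster and is
        # destroyed only after it.
        options:
          dependsOn:
            - ${exampleAssignment}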
    
    privateDnsZoneId string
    Either the ID of the Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this, or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    publicNetworkAccessEnabled boolean

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API, so setting it has no effect on how the cluster is exposed. For further information please see this issue. To control the public and private exposure of a cluster, use the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    roleBasedAccessControlEnabled boolean
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    runCommandEnabled boolean
    Whether to enable run command for the cluster or not. Defaults to true.
    serviceMeshProfile KubernetesClusterServiceMeshProfile

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    servicePrincipal KubernetesClusterServicePrincipal

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    skuTier string

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storageProfile KubernetesClusterStorageProfile
    A storage_profile block as defined below.
    supportPlan string
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags {[key: string]: string}
    A mapping of tags to assign to the resource.
    webAppRouting KubernetesClusterWebAppRouting
    A web_app_routing block as defined below.
    windowsProfile KubernetesClusterWindowsProfile
    A windows_profile block as defined below.
    workloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile
    A workload_autoscaler_profile block defined below.
    workloadIdentityEnabled boolean

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    default_node_pool KubernetesClusterDefaultNodePoolArgs
    A default_node_pool block as defined below.
    resource_group_name str
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    aci_connector_linux KubernetesClusterAciConnectorLinuxArgs
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    api_server_access_profile KubernetesClusterApiServerAccessProfileArgs
    An api_server_access_profile block as defined below.
    api_server_authorized_ip_ranges Sequence[str]

    Deprecated:This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    auto_scaler_profile KubernetesClusterAutoScalerProfileArgs
    A auto_scaler_profile block as defined below.
    automatic_channel_upgrade str

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azure_active_directory_role_based_access_control KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs
    A azure_active_directory_role_based_access_control block as defined below.
    azure_policy_enabled bool
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidential_computing KubernetesClusterConfidentialComputingArgs
    A confidential_computing block as defined below. For more details please see the documentation.
    custom_ca_trust_certificates_base64s Sequence[str]

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    disk_encryption_set_id str
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dns_prefix str
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dns_prefix_private_cluster str

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edge_zone str
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enable_pod_security_policy bool

    Deprecated: The AKS API removed support for this field on 2020-10-15 and it is no longer possible to configure the Pod Security Policy.

    http_application_routing_enabled bool

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    http_proxy_config KubernetesClusterHttpProxyConfigArgs
    A http_proxy_config block as defined below.
    identity KubernetesClusterIdentityArgs

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    image_cleaner_enabled bool
    Specifies whether Image Cleaner is enabled.
    image_cleaner_interval_hours int
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingress_application_gateway KubernetesClusterIngressApplicationGatewayArgs

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    key_management_service KubernetesClusterKeyManagementServiceArgs
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    key_vault_secrets_provider KubernetesClusterKeyVaultSecretsProviderArgs
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubelet_identity KubernetesClusterKubeletIdentityArgs
    A kubelet_identity block as defined below.
    kubernetes_version str

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, and the minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linux_profile KubernetesClusterLinuxProfileArgs
    A linux_profile block as defined below.
    local_account_disabled bool

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location str
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenance_window KubernetesClusterMaintenanceWindowArgs
    A maintenance_window block as defined below.
    maintenance_window_auto_upgrade KubernetesClusterMaintenanceWindowAutoUpgradeArgs
    A maintenance_window_auto_upgrade block as defined below.
    maintenance_window_node_os KubernetesClusterMaintenanceWindowNodeOsArgs
    A maintenance_window_node_os block as defined below.
    microsoft_defender KubernetesClusterMicrosoftDefenderArgs
    A microsoft_defender block as defined below.
    monitor_metrics KubernetesClusterMonitorMetricsArgs

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name str
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    network_profile KubernetesClusterNetworkProfileArgs

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    node_os_channel_upgrade str

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    node_resource_group str

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    oidc_issuer_enabled bool
    Enable or Disable the OIDC issuer URL
    oms_agent KubernetesClusterOmsAgentArgs
    A oms_agent block as defined below.
    open_service_mesh_enabled bool
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    private_cluster_enabled bool
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    private_cluster_public_fqdn_enabled bool

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If a UserAssigned identity is used, the cluster should explicitly depend on the role assignment (for example through the resource's dependsOn option) so that the resources are not destroyed in the wrong order, like in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

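    // Resource group that holds every resource in this example.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });

    // Private DNS zone that is handed to the cluster through privateDnsZoneId.
    // NOTE(review): the region label in the zone name (eastus2) differs from the
    // resource group location (West Europe); confirm it matches the cluster's region.
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });

    // User-assigned identity that receives access to the private DNS zone.
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });

    // The role is scoped to the zone itself rather than to the whole resource group.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });

    // NOTE: this excerpt sets neither defaultNodePool nor an identity block; the
    // identity block is presumably where exampleUserAssignedIdentity gets attached.
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
    }, {
        // No cluster input references the role assignment, so the ordering has to be
        // declared explicitly: the assignment is created before the cluster and is
        // destroyed only after it.
        dependsOn: [exampleAssignment],
    });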

    import pulumi
    import pulumi_azure as azure
    
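    # Resource group that holds every resource in this example.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    # Private DNS zone that is handed to the cluster through private_dns_zone_id.
    # NOTE(review): the region label in the zone name (eastus2) differs from the
    # resource group location (West Europe); confirm it matches the cluster's region.
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    # User-assigned identity that receives access to the private DNS zone.
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the zone itself rather than to the whole resource group.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # NOTE: this excerpt sets neither default_node_pool nor an identity block; the
    # identity block is presumably where example_user_assigned_identity gets attached.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # No cluster input references the role assignment, so the ordering has to be
        # declared explicitly: the assignment is created before the cluster and is
        # destroyed only after it.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))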
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
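    return await Deployment.RunAsync(() =>
    {
        // Resource group that holds every resource in this example.
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });

        // Private DNS zone that is handed to the cluster through PrivateDnsZoneId.
        // NOTE(review): the region label in the zone name (eastus2) differs from the
        // resource group location (West Europe); confirm it matches the cluster's region.
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });

        // User-assigned identity that receives access to the private DNS zone.
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });

        // The role is scoped to the zone itself rather than to the whole resource group.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });

        // NOTE: this excerpt sets neither DefaultNodePool nor an Identity block; the
        // Identity block is presumably where exampleUserAssignedIdentity gets attached.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
        }, new CustomResourceOptions
        {
            // No cluster input references the role assignment, so the ordering has to
            // be declared explicitly: the assignment is created before the cluster and
            // is destroyed only after it.
            DependsOn =
            {
                exampleAssignment,
            },
        });

    });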
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
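    // main declares a private AKS cluster that uses a caller-provided private DNS
    // zone, plus the identity and role assignment that grant access to that zone.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Resource group that holds every resource in this example.
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		// Private DNS zone that is handed to the cluster through PrivateDnsZoneId.
    		// NOTE(review): the region label in the zone name (eastus2) differs from the
    		// resource group location (West Europe); confirm it matches the cluster's region.
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		// User-assigned identity that receives access to the private DNS zone.
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the zone itself rather than to the whole resource
    		// group. The resource is kept in a variable so the cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// NOTE: this excerpt sets neither DefaultNodePool nor an Identity block; the
    		// Identity block is presumably where exampleUserAssignedIdentity gets attached.
    		//
    		// No cluster input references the role assignment, so the ordering has to be
    		// declared explicitly: the assignment is created before the cluster and is
    		// destroyed only after it.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    		}, pulumi.DependsOn([]pulumi.Resource{exampleAssignment}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }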
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
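    /**
     * Declares a private AKS cluster that uses a caller-provided private DNS zone,
     * plus the identity and role assignment that grant access to that zone.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Registers the example resources with the Pulumi engine.
         *
         * @param ctx the Pulumi program context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            // Resource group that holds every resource in this example.
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            // Private DNS zone that is handed to the cluster through privateDnsZoneId.
            // NOTE(review): the region label in the zone name (eastus2) differs from the
            // resource group location (West Europe); confirm it matches the cluster's region.
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            // User-assigned identity that receives access to the private DNS zone.
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // The role is scoped to the zone itself rather than to the whole resource group.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            // NOTE: this excerpt sets neither defaultNodePool nor an identity block; the
            // identity block is presumably where exampleUserAssignedIdentity gets attached.
            //
            // No cluster input references the role assignment, so the ordering has to be
            // declared explicitly: the assignment is created before the cluster and is
            // destroyed only after it. The options type is fully qualified because the
            // listing's import block does not include it.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(), com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }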
    
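    resources:
      # Resource group that holds every resource in this example.
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      # Private DNS zone that is handed to the cluster through privateDnsZoneId.
      # NOTE(review): the region label in the zone name (eastus2) differs from the
      # resource group location (West Europe); confirm it matches the cluster's region.
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      # User-assigned identity that receives access to the private DNS zone.
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the zone itself rather than to the whole resource group.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      # NOTE: this excerpt sets neither defaultNodePool nor an identity block; the
      # identity block is presumably where exampleUserAssignedIdentity gets attached.
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
        # No cluster property references the role assignment, so the ordering has to
        # be declared explicitly: the assignment is created before the cluster and is
        # destroyed only after it.
        options:
          dependsOn:
            - ${exampleAssignment}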
    
    private_dns_zone_id str
    Either the ID of the Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this, or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    public_network_access_enabled bool

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API, so setting it has no effect on how the cluster is exposed. For further information please see this issue. To control the public and private exposure of a cluster, use the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    role_based_access_control_enabled bool
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    run_command_enabled bool
    Whether to enable run command for the cluster or not. Defaults to true.
    service_mesh_profile KubernetesClusterServiceMeshProfileArgs

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    service_principal KubernetesClusterServicePrincipalArgs

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    sku_tier str

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storage_profile KubernetesClusterStorageProfileArgs
    A storage_profile block as defined below.
    support_plan str
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags Mapping[str, str]
    A mapping of tags to assign to the resource.
    web_app_routing KubernetesClusterWebAppRoutingArgs
    A web_app_routing block as defined below.
    windows_profile KubernetesClusterWindowsProfileArgs
    A windows_profile block as defined below.
    workload_autoscaler_profile KubernetesClusterWorkloadAutoscalerProfileArgs
    A workload_autoscaler_profile block defined below.
    workload_identity_enabled bool

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    defaultNodePool Property Map
    A default_node_pool block as defined below.
    resourceGroupName String
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    aciConnectorLinux Property Map
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    apiServerAccessProfile Property Map
    An api_server_access_profile block as defined below.
    apiServerAuthorizedIpRanges List<String>

    Deprecated:This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    autoScalerProfile Property Map
    A auto_scaler_profile block as defined below.
    automaticChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azureActiveDirectoryRoleBasedAccessControl Property Map
    A azure_active_directory_role_based_access_control block as defined below.
    azurePolicyEnabled Boolean
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidentialComputing Property Map
    A confidential_computing block as defined below. For more details please see the documentation
    customCaTrustCertificatesBase64s List<String>

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    diskEncryptionSetId String
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dnsPrefix String
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dnsPrefixPrivateCluster String

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edgeZone String
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enablePodSecurityPolicy Boolean

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    httpApplicationRoutingEnabled Boolean

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    httpProxyConfig Property Map
    A http_proxy_config block as defined below.
    identity Property Map

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    imageCleanerEnabled Boolean
    Specifies whether Image Cleaner is enabled.
    imageCleanerIntervalHours Number
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingressApplicationGateway Property Map

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    keyManagementService Property Map
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    keyVaultSecretsProvider Property Map
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubeletIdentity Property Map
    A kubelet_identity block as defined below.
    kubernetesVersion String

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linuxProfile Property Map
    A linux_profile block as defined below.
    localAccountDisabled Boolean

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location String
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenanceWindow Property Map
    A maintenance_window block as defined below.
    maintenanceWindowAutoUpgrade Property Map
    A maintenance_window_auto_upgrade block as defined below.
    maintenanceWindowNodeOs Property Map
    A maintenance_window_node_os block as defined below.
    microsoftDefender Property Map
    A microsoft_defender block as defined below.
    monitorMetrics Property Map

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name String
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    networkProfile Property Map

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    nodeOsChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    nodeResourceGroup String

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    oidcIssuerEnabled Boolean
    Enable or Disable the OIDC issuer URL
    omsAgent Property Map
    A oms_agent block as defined below.
    openServiceMeshEnabled Boolean
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    privateClusterEnabled Boolean
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    privateClusterPublicFqdnEnabled Boolean

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If a UserAssigned identity is used, the cluster should depend on the role assignment so that resources are not destroyed in the wrong order, as in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

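    // Private AKS cluster that uses a bring-your-own Private DNS zone.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });
    // The role is scoped to the Private DNS zone itself (scope is the zone ID),
    // not to the whole resource group.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });
    // NOTE(review): this excerpt sets neither defaultNodePool nor identity; the page
    // states that one of identity or servicePrincipal must be specified. Presumably the
    // cluster identity should be the user-assigned identity above, otherwise the role
    // assignment does not apply to the cluster - confirm against the full configuration.
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
    }, {
        // Explicit dependency: no cluster property references the role assignment, so
        // without this the engine may create the cluster before the role is granted and
        // remove the role before the cluster is destroyed.
        dependsOn: [exampleAssignment],
    });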

    import pulumi
    import pulumi_azure as azure
    
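    # Private AKS cluster that uses a bring-your-own Private DNS zone.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the Private DNS zone itself (scope is the zone ID),
    # not to the whole resource group.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # NOTE(review): this excerpt sets neither default_node_pool nor identity; the page
    # states that one of identity or service_principal must be specified. Presumably the
    # cluster identity should be the user-assigned identity above, otherwise the role
    # assignment does not apply to the cluster - confirm against the full configuration.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # Explicit dependency: no cluster argument references the role assignment, so
        # without this the engine may create the cluster before the role is granted and
        # remove the role before the cluster is destroyed.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))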
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
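    // Private AKS cluster that uses a bring-your-own Private DNS zone.
    return await Deployment.RunAsync(() => 
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });
    
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });
    
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });
    
        // The role is scoped to the Private DNS zone itself (Scope is the zone ID),
        // not to the whole resource group.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });
    
        // NOTE(review): this excerpt sets neither DefaultNodePool nor Identity; the page
        // states that one of identity or service_principal must be specified. Presumably the
        // cluster identity should be the user-assigned identity above, otherwise the role
        // assignment does not apply to the cluster - confirm against the full configuration.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
        }, new CustomResourceOptions
        {
            // Explicit dependency: no cluster property references the role assignment, so
            // without this the engine may create the cluster before the role is granted and
            // remove the role before the cluster is destroyed.
            DependsOn =
            {
                exampleAssignment,
            },
        });
    
    });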
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
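    // main provisions a private AKS cluster that uses a bring-your-own Private DNS zone.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the Private DNS zone itself (Scope is the zone ID),
    		// not to the whole resource group. The result is kept so the cluster can
    		// declare a dependency on it below.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// NOTE(review): this excerpt sets neither DefaultNodePool nor Identity; the page
    		// states that one of identity or service_principal must be specified. Presumably
    		// the cluster identity should be the user-assigned identity above, otherwise the
    		// role assignment does not apply to the cluster - confirm against the full
    		// configuration.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			// Explicit dependency: no cluster argument references the role assignment,
    			// so without this the engine may create the cluster before the role is
    			// granted and remove the role before the cluster is destroyed.
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }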
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
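    /**
     * Provisions a private AKS cluster that uses a bring-your-own Private DNS zone.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the resource group, Private DNS zone, user-assigned identity,
         * role assignment and cluster for the stack.
         *
         * @param ctx the Pulumi program context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());
    
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());
    
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());
    
            // The role is scoped to the Private DNS zone itself (scope is the zone ID),
            // not to the whole resource group.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());
    
            // NOTE(review): this excerpt sets neither defaultNodePool nor identity; the page
            // states that one of identity or service_principal must be specified. Presumably the
            // cluster identity should be the user-assigned identity above, otherwise the role
            // assignment does not apply to the cluster - confirm against the full configuration.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(),
                // Explicit dependency: no cluster argument references the role assignment, so
                // without this the engine may create the cluster before the role is granted and
                // remove the role before the cluster is destroyed. The fully qualified name
                // avoids touching the import list.
                com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());
    
        }
    }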
    
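    # Private AKS cluster that uses a bring-your-own Private DNS zone.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the Private DNS zone itself (scope is the zone ID),
      # not to the whole resource group.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      # NOTE(review): this excerpt sets neither defaultNodePool nor identity; the page
      # states that one of identity or service_principal must be specified. Presumably the
      # cluster identity should be the user-assigned identity above, otherwise the role
      # assignment does not apply to the cluster - confirm against the full configuration.
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
        options:
          # Explicit dependency: no cluster property references the role assignment, so
          # without this the engine may create the cluster before the role is granted and
          # remove the role before the cluster is destroyed.
          dependsOn:
            - ${exampleAssignment}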
    
    privateDnsZoneId String
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    publicNetworkAccessEnabled Boolean

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API, so setting it to false does not restrict public access to the cluster. For further information please see this issue. To control the public and private exposure of a cluster, use the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    roleBasedAccessControlEnabled Boolean
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    runCommandEnabled Boolean
    Whether to enable run command for the cluster or not. Defaults to true.
    serviceMeshProfile Property Map

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    servicePrincipal Property Map

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    skuTier String

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storageProfile Property Map
    A storage_profile block as defined below.
    supportPlan String
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags Map<String>
    A mapping of tags to assign to the resource.
    webAppRouting Property Map
    A web_app_routing block as defined below.
    windowsProfile Property Map
    A windows_profile block as defined below.
    workloadAutoscalerProfile Property Map
    A workload_autoscaler_profile block defined below.
    workloadIdentityEnabled Boolean

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the KubernetesCluster resource produces the following output properties:

    CurrentKubernetesVersion string
    The current version running on the Azure Kubernetes Managed Cluster.
    Fqdn string
    The FQDN of the Azure Kubernetes Managed Cluster.
    HttpApplicationRoutingZoneName string
    The Zone Name of the HTTP Application Routing.
    Id string
    The provider-assigned unique ID for this managed resource.
    KubeAdminConfigRaw string
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    KubeAdminConfigs List<KubernetesClusterKubeAdminConfig>
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    KubeConfigRaw string
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    KubeConfigs List<KubernetesClusterKubeConfig>
    A kube_config block as defined below.
    NodeResourceGroupId string
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    OidcIssuerUrl string
    The OIDC issuer URL that is associated with the cluster.
    PortalFqdn string
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    PrivateFqdn string
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    CurrentKubernetesVersion string
    The current version running on the Azure Kubernetes Managed Cluster.
    Fqdn string
    The FQDN of the Azure Kubernetes Managed Cluster.
    HttpApplicationRoutingZoneName string
    The Zone Name of the HTTP Application Routing.
    Id string
    The provider-assigned unique ID for this managed resource.
    KubeAdminConfigRaw string
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    KubeAdminConfigs []KubernetesClusterKubeAdminConfig
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    KubeConfigRaw string
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    KubeConfigs []KubernetesClusterKubeConfig
    A kube_config block as defined below.
    NodeResourceGroupId string
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    OidcIssuerUrl string
    The OIDC issuer URL that is associated with the cluster.
    PortalFqdn string
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    PrivateFqdn string
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    currentKubernetesVersion String
    The current version running on the Azure Kubernetes Managed Cluster.
    fqdn String
    The FQDN of the Azure Kubernetes Managed Cluster.
    httpApplicationRoutingZoneName String
    The Zone Name of the HTTP Application Routing.
    id String
    The provider-assigned unique ID for this managed resource.
    kubeAdminConfigRaw String
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeAdminConfigs List<KubernetesClusterKubeAdminConfig>
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeConfigRaw String
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    kubeConfigs List<KubernetesClusterKubeConfig>
    A kube_config block as defined below.
    nodeResourceGroupId String
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidcIssuerUrl String
    The OIDC issuer URL that is associated with the cluster.
    portalFqdn String
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    privateFqdn String
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    currentKubernetesVersion string
    The current version running on the Azure Kubernetes Managed Cluster.
    fqdn string
    The FQDN of the Azure Kubernetes Managed Cluster.
    httpApplicationRoutingZoneName string
    The Zone Name of the HTTP Application Routing.
    id string
    The provider-assigned unique ID for this managed resource.
    kubeAdminConfigRaw string
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeAdminConfigs KubernetesClusterKubeAdminConfig[]
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeConfigRaw string
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    kubeConfigs KubernetesClusterKubeConfig[]
    A kube_config block as defined below.
    nodeResourceGroupId string
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidcIssuerUrl string
    The OIDC issuer URL that is associated with the cluster.
    portalFqdn string
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    privateFqdn string
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    current_kubernetes_version str
    The current version running on the Azure Kubernetes Managed Cluster.
    fqdn str
    The FQDN of the Azure Kubernetes Managed Cluster.
    http_application_routing_zone_name str
    The Zone Name of the HTTP Application Routing.
    id str
    The provider-assigned unique ID for this managed resource.
    kube_admin_config_raw str
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kube_admin_configs Sequence[KubernetesClusterKubeAdminConfig]
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kube_config_raw str
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    kube_configs Sequence[KubernetesClusterKubeConfig]
    A kube_config block as defined below.
    node_resource_group_id str
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidc_issuer_url str
    The OIDC issuer URL that is associated with the cluster.
    portal_fqdn str
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    private_fqdn str
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    currentKubernetesVersion String
    The current version running on the Azure Kubernetes Managed Cluster.
    fqdn String
    The FQDN of the Azure Kubernetes Managed Cluster.
    httpApplicationRoutingZoneName String
    The Zone Name of the HTTP Application Routing.
    id String
    The provider-assigned unique ID for this managed resource.
    kubeAdminConfigRaw String
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeAdminConfigs List<Property Map>
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeConfigRaw String
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    kubeConfigs List<Property Map>
    A kube_config block as defined below.
    nodeResourceGroupId String
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidcIssuerUrl String
    The OIDC issuer URL that is associated with the cluster.
    portalFqdn String
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    privateFqdn String
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.

    Look up Existing KubernetesCluster Resource

    Get an existing KubernetesCluster resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: KubernetesClusterState, opts?: CustomResourceOptions): KubernetesCluster
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            aci_connector_linux: Optional[KubernetesClusterAciConnectorLinuxArgs] = None,
            api_server_access_profile: Optional[KubernetesClusterApiServerAccessProfileArgs] = None,
            api_server_authorized_ip_ranges: Optional[Sequence[str]] = None,
            auto_scaler_profile: Optional[KubernetesClusterAutoScalerProfileArgs] = None,
            automatic_channel_upgrade: Optional[str] = None,
            azure_active_directory_role_based_access_control: Optional[KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs] = None,
            azure_policy_enabled: Optional[bool] = None,
            confidential_computing: Optional[KubernetesClusterConfidentialComputingArgs] = None,
            current_kubernetes_version: Optional[str] = None,
            custom_ca_trust_certificates_base64s: Optional[Sequence[str]] = None,
            default_node_pool: Optional[KubernetesClusterDefaultNodePoolArgs] = None,
            disk_encryption_set_id: Optional[str] = None,
            dns_prefix: Optional[str] = None,
            dns_prefix_private_cluster: Optional[str] = None,
            edge_zone: Optional[str] = None,
            enable_pod_security_policy: Optional[bool] = None,
            fqdn: Optional[str] = None,
            http_application_routing_enabled: Optional[bool] = None,
            http_application_routing_zone_name: Optional[str] = None,
            http_proxy_config: Optional[KubernetesClusterHttpProxyConfigArgs] = None,
            identity: Optional[KubernetesClusterIdentityArgs] = None,
            image_cleaner_enabled: Optional[bool] = None,
            image_cleaner_interval_hours: Optional[int] = None,
            ingress_application_gateway: Optional[KubernetesClusterIngressApplicationGatewayArgs] = None,
            key_management_service: Optional[KubernetesClusterKeyManagementServiceArgs] = None,
            key_vault_secrets_provider: Optional[KubernetesClusterKeyVaultSecretsProviderArgs] = None,
            kube_admin_config_raw: Optional[str] = None,
            kube_admin_configs: Optional[Sequence[KubernetesClusterKubeAdminConfigArgs]] = None,
            kube_config_raw: Optional[str] = None,
            kube_configs: Optional[Sequence[KubernetesClusterKubeConfigArgs]] = None,
            kubelet_identity: Optional[KubernetesClusterKubeletIdentityArgs] = None,
            kubernetes_version: Optional[str] = None,
            linux_profile: Optional[KubernetesClusterLinuxProfileArgs] = None,
            local_account_disabled: Optional[bool] = None,
            location: Optional[str] = None,
            maintenance_window: Optional[KubernetesClusterMaintenanceWindowArgs] = None,
            maintenance_window_auto_upgrade: Optional[KubernetesClusterMaintenanceWindowAutoUpgradeArgs] = None,
            maintenance_window_node_os: Optional[KubernetesClusterMaintenanceWindowNodeOsArgs] = None,
            microsoft_defender: Optional[KubernetesClusterMicrosoftDefenderArgs] = None,
            monitor_metrics: Optional[KubernetesClusterMonitorMetricsArgs] = None,
            name: Optional[str] = None,
            network_profile: Optional[KubernetesClusterNetworkProfileArgs] = None,
            node_os_channel_upgrade: Optional[str] = None,
            node_resource_group: Optional[str] = None,
            node_resource_group_id: Optional[str] = None,
            oidc_issuer_enabled: Optional[bool] = None,
            oidc_issuer_url: Optional[str] = None,
            oms_agent: Optional[KubernetesClusterOmsAgentArgs] = None,
            open_service_mesh_enabled: Optional[bool] = None,
            portal_fqdn: Optional[str] = None,
            private_cluster_enabled: Optional[bool] = None,
            private_cluster_public_fqdn_enabled: Optional[bool] = None,
            private_dns_zone_id: Optional[str] = None,
            private_fqdn: Optional[str] = None,
            public_network_access_enabled: Optional[bool] = None,
            resource_group_name: Optional[str] = None,
            role_based_access_control_enabled: Optional[bool] = None,
            run_command_enabled: Optional[bool] = None,
            service_mesh_profile: Optional[KubernetesClusterServiceMeshProfileArgs] = None,
            service_principal: Optional[KubernetesClusterServicePrincipalArgs] = None,
            sku_tier: Optional[str] = None,
            storage_profile: Optional[KubernetesClusterStorageProfileArgs] = None,
            support_plan: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            web_app_routing: Optional[KubernetesClusterWebAppRoutingArgs] = None,
            windows_profile: Optional[KubernetesClusterWindowsProfileArgs] = None,
            workload_autoscaler_profile: Optional[KubernetesClusterWorkloadAutoscalerProfileArgs] = None,
            workload_identity_enabled: Optional[bool] = None) -> KubernetesCluster
    func GetKubernetesCluster(ctx *Context, name string, id IDInput, state *KubernetesClusterState, opts ...ResourceOption) (*KubernetesCluster, error)
    public static KubernetesCluster Get(string name, Input<string> id, KubernetesClusterState? state, CustomResourceOptions? opts = null)
    public static KubernetesCluster get(String name, Output<String> id, KubernetesClusterState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AciConnectorLinux KubernetesClusterAciConnectorLinux
    An aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    ApiServerAccessProfile KubernetesClusterApiServerAccessProfile
    An api_server_access_profile block as defined below.
    ApiServerAuthorizedIpRanges List<string>

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider.

    AutoScalerProfile KubernetesClusterAutoScalerProfile
    An auto_scaler_profile block as defined below.
    AutomaticChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    AzureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl
    An azure_active_directory_role_based_access_control block as defined below.
    AzurePolicyEnabled bool
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    ConfidentialComputing KubernetesClusterConfidentialComputing
    A confidential_computing block as defined below. For more details please see the documentation.
    CurrentKubernetesVersion string
    The current version running on the Azure Kubernetes Managed Cluster.
    CustomCaTrustCertificatesBase64s List<string>

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    DefaultNodePool KubernetesClusterDefaultNodePool
    A default_node_pool block as defined below.
    DiskEncryptionSetId string
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    DnsPrefix string
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    DnsPrefixPrivateCluster string

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    EdgeZone string
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    EnablePodSecurityPolicy bool

    Deprecated: The AKS API removed support for this field on 2020-10-15 and it is no longer possible to configure the Pod Security Policy.

    Fqdn string
    The FQDN of the Azure Kubernetes Managed Cluster.
    HttpApplicationRoutingEnabled bool

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    HttpApplicationRoutingZoneName string
    The Zone Name of the HTTP Application Routing.
    HttpProxyConfig KubernetesClusterHttpProxyConfig
    A http_proxy_config block as defined below.
    Identity KubernetesClusterIdentity

    An identity block as defined below. One of either identity or service_principal must be specified.

    Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    ImageCleanerEnabled bool
    Specifies whether Image Cleaner is enabled.
    ImageCleanerIntervalHours int
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    IngressApplicationGateway KubernetesClusterIngressApplicationGateway

    An ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    KeyManagementService KubernetesClusterKeyManagementService
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    KeyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    KubeAdminConfigRaw string
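    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled. The value embeds admin credentials for the cluster, so treat it as a secret wherever it is exported, logged or stored.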
    KubeAdminConfigs List<KubernetesClusterKubeAdminConfig>
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    KubeConfigRaw string
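    Raw Kubernetes config to be used by kubectl and other compatible tools. The value can embed client credentials, so treat it as a secret wherever it is exported, logged or stored.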
    KubeConfigs List<KubernetesClusterKubeConfig>
    A kube_config block as defined below.
    KubeletIdentity KubernetesClusterKubeletIdentity
    A kubelet_identity block as defined below.
    KubernetesVersion string

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as 1.22 are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    LinuxProfile KubernetesClusterLinuxProfile
    A linux_profile block as defined below.
    LocalAccountDisabled bool

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    Location string
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    MaintenanceWindow KubernetesClusterMaintenanceWindow
    A maintenance_window block as defined below.
    MaintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgrade
    A maintenance_window_auto_upgrade block as defined below.
    MaintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOs
    A maintenance_window_node_os block as defined below.
    MicrosoftDefender KubernetesClusterMicrosoftDefender
    A microsoft_defender block as defined below.
    MonitorMetrics KubernetesClusterMonitorMetrics

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    Name string
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    NetworkProfile KubernetesClusterNetworkProfile

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    NodeOsChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NodeResourceGroup string

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    NodeResourceGroupId string
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    OidcIssuerEnabled bool
    Enable or Disable the OIDC issuer URL
    OidcIssuerUrl string
    The OIDC issuer URL that is associated with the cluster.
    OmsAgent KubernetesClusterOmsAgent
    An oms_agent block as defined below.
    OpenServiceMeshEnabled bool
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    PortalFqdn string
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    PrivateClusterEnabled bool
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    PrivateClusterPublicFqdnEnabled bool

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) that holds the Private DNS Zone Contributor role and has access to this Private DNS Zone. If a UserAssigned identity is used, the cluster should depend on the role assignment so that the resources are not destroyed in the wrong order, as in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

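    // Resource group that holds every resource in this example.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });

    // Bring-your-own private DNS zone that the private cluster will use.
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });

    // User-assigned identity the cluster runs as.
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });

    // Grant the identity "Private DNS Zone Contributor" on the zone itself;
    // the scope is the zone ID, not the whole resource group.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });

    // Other required arguments, such as defaultNodePool, are left out of this excerpt.
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // Attach the identity that was granted the role above.
        identity: {
            type: "UserAssigned",
            identityIds: [exampleUserAssignedIdentity.id],
        },
    }, {
        // No cluster argument references the role assignment, so the ordering
        // has to be stated explicitly: create the assignment first and destroy
        // it only after the cluster is gone.
        dependsOn: [exampleAssignment],
    });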

    import pulumi
    import pulumi_azure as azure
    
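    # Resource group that holds every resource in this example.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    # Bring-your-own private DNS zone that the private cluster will use.
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    # User-assigned identity the cluster runs as.
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # Grant the identity "Private DNS Zone Contributor" on the zone itself;
    # the scope is the zone ID, not the whole resource group.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # Other required arguments, such as default_node_pool, are left out of this excerpt.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # Attach the identity that was granted the role above.
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="UserAssigned",
            identity_ids=[example_user_assigned_identity.id],
        ),
        # No cluster argument references the role assignment, so the ordering
        # has to be stated explicitly: create the assignment first and destroy
        # it only after the cluster is gone.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))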
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
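    return await Deployment.RunAsync(() =>
    {
        // Resource group that holds every resource in this example.
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });

        // Bring-your-own private DNS zone that the private cluster will use.
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });

        // User-assigned identity the cluster runs as.
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });

        // Grant the identity "Private DNS Zone Contributor" on the zone itself;
        // the scope is the zone ID, not the whole resource group.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });

        // Other required arguments, such as DefaultNodePool, are left out of this excerpt.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
            // Attach the identity that was granted the role above.
            Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
            {
                Type = "UserAssigned",
                IdentityIds =
                {
                    exampleUserAssignedIdentity.Id,
                },
            },
        }, new CustomResourceOptions
        {
            // No cluster argument references the role assignment, so the ordering
            // has to be stated explicitly: create the assignment first and destroy
            // it only after the cluster is gone.
            DependsOn =
            {
                exampleAssignment,
            },
        });

    });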
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
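    // main provisions a private AKS cluster that uses a bring-your-own private
    // DNS zone and a user-assigned identity holding the role needed on that zone.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Resource group that holds every resource in this example.
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		// Bring-your-own private DNS zone that the private cluster will use.
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		// User-assigned identity the cluster runs as.
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// Grant the identity "Private DNS Zone Contributor" on the zone itself;
    		// the scope is the zone ID, not the whole resource group. The result is
    		// kept so the cluster can declare a dependency on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// Other required arguments, such as DefaultNodePool, are left out of this excerpt.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    			// Attach the identity that was granted the role above.
    			Identity: &containerservice.KubernetesClusterIdentityArgs{
    				Type: pulumi.String("UserAssigned"),
    				IdentityIds: pulumi.StringArray{
    					exampleUserAssignedIdentity.ID(),
    				},
    			},
    			// No cluster argument references the role assignment, so the ordering
    			// has to be stated explicitly: create the assignment first and destroy
    			// it only after the cluster is gone.
    		}, pulumi.DependsOn([]pulumi.Resource{
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }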
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
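    /**
     * Provisions a private AKS cluster that uses a bring-your-own private DNS zone
     * and a user-assigned identity holding the role needed on that zone.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the resources of the stack.
         *
         * @param ctx the Pulumi context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            // Resource group that holds every resource in this example.
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            // Bring-your-own private DNS zone that the private cluster will use.
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            // User-assigned identity the cluster runs as.
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // Grant the identity "Private DNS Zone Contributor" on the zone itself;
            // the scope is the zone ID, not the whole resource group.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            // Other required arguments, such as defaultNodePool, are left out of this excerpt.
            // Fully qualified names are used for the two types this file does not import.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                // Attach the identity that was granted the role above.
                .identity(com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs.builder()
                    .type("UserAssigned")
                    .identityIds(exampleUserAssignedIdentity.id().applyValue(id -> List.of(id)))
                    .build())
                .build(),
                // No cluster argument references the role assignment, so the ordering
                // has to be stated explicitly: create the assignment first and destroy
                // it only after the cluster is gone.
                com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }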
    
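    resources:
      # Resource group that holds every resource in this example.
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      # Bring-your-own private DNS zone that the private cluster will use.
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      # User-assigned identity the cluster runs as.
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # Grant the identity "Private DNS Zone Contributor" on the zone itself;
      # the scope is the zone ID, not the whole resource group.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      # Other required properties, such as defaultNodePool, are left out of this excerpt.
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
          # Attach the identity that was granted the role above.
          identity:
            type: UserAssigned
            identityIds:
              - ${exampleUserAssignedIdentity.id}
        # No cluster property references the role assignment, so the ordering
        # has to be stated explicitly: create the assignment first and destroy
        # it only after the cluster is gone.
        options:
          dependsOn:
            - ${exampleAssignment}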
    
    PrivateDnsZoneId string
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    PrivateFqdn string
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    PublicNetworkAccessEnabled bool

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    Note: public_network_access_enabled is currently not functional and is not passed to the Azure API, so setting it to false does not restrict access to the cluster. For further information please see this issue. For controlling the public and private exposure of a cluster please see the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API.

    ResourceGroupName string
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    RoleBasedAccessControlEnabled bool
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    RunCommandEnabled bool
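    Whether to enable run command for the cluster or not. Defaults to true. Because this feature runs commands in the cluster through the Azure management API rather than through a direct connection to the API server, review who holds the Azure permission to invoke it, particularly on private clusters.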
    ServiceMeshProfile KubernetesClusterServiceMeshProfile

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    ServicePrincipal KubernetesClusterServicePrincipal

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    SkuTier string

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    StorageProfile KubernetesClusterStorageProfile
    A storage_profile block as defined below.
    SupportPlan string
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    Tags Dictionary<string, string>
    A mapping of tags to assign to the resource.
    WebAppRouting KubernetesClusterWebAppRouting
    A web_app_routing block as defined below.
    WindowsProfile KubernetesClusterWindowsProfile
    A windows_profile block as defined below.
    WorkloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile
    A workload_autoscaler_profile block defined below.
    WorkloadIdentityEnabled bool

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    AciConnectorLinux KubernetesClusterAciConnectorLinuxArgs
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    ApiServerAccessProfile KubernetesClusterApiServerAccessProfileArgs
    An api_server_access_profile block as defined below.
    ApiServerAuthorizedIpRanges []string

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider.

    AutoScalerProfile KubernetesClusterAutoScalerProfileArgs
    A auto_scaler_profile block as defined below.
    AutomaticChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    AzureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs
    A azure_active_directory_role_based_access_control block as defined below.
    AzurePolicyEnabled bool
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    ConfidentialComputing KubernetesClusterConfidentialComputingArgs
    A confidential_computing block as defined below. For more details please see the documentation.
    CurrentKubernetesVersion string
    The current version running on the Azure Kubernetes Managed Cluster.
    CustomCaTrustCertificatesBase64s []string

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    DefaultNodePool KubernetesClusterDefaultNodePoolArgs
    A default_node_pool block as defined below.
    DiskEncryptionSetId string
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    DnsPrefix string
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    DnsPrefixPrivateCluster string

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    EdgeZone string
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    EnablePodSecurityPolicy bool

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    Fqdn string
    The FQDN of the Azure Kubernetes Managed Cluster.
    HttpApplicationRoutingEnabled bool

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    HttpApplicationRoutingZoneName string
    The Zone Name of the HTTP Application Routing.
    HttpProxyConfig KubernetesClusterHttpProxyConfigArgs
    A http_proxy_config block as defined below.
    Identity KubernetesClusterIdentityArgs

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    ImageCleanerEnabled bool
    Specifies whether Image Cleaner is enabled.
    ImageCleanerIntervalHours int
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    IngressApplicationGateway KubernetesClusterIngressApplicationGatewayArgs

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    KeyManagementService KubernetesClusterKeyManagementServiceArgs
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    KeyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProviderArgs
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    KubeAdminConfigRaw string
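    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled. The value embeds admin credentials for the cluster, so treat it as a secret wherever it is exported or stored.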
    KubeAdminConfigs []KubernetesClusterKubeAdminConfigArgs
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    KubeConfigRaw string
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    KubeConfigs []KubernetesClusterKubeConfigArgs
    A kube_config block as defined below.
    KubeletIdentity KubernetesClusterKubeletIdentityArgs
    A kubelet_identity block as defined below.
    KubernetesVersion string

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the latest GA patch of that minor version is chosen automatically. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    LinuxProfile KubernetesClusterLinuxProfileArgs
    A linux_profile block as defined below.
    LocalAccountDisabled bool

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    Location string
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    MaintenanceWindow KubernetesClusterMaintenanceWindowArgs
    A maintenance_window block as defined below.
    MaintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgradeArgs
    A maintenance_window_auto_upgrade block as defined below.
    MaintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOsArgs
    A maintenance_window_node_os block as defined below.
    MicrosoftDefender KubernetesClusterMicrosoftDefenderArgs
    A microsoft_defender block as defined below.
    MonitorMetrics KubernetesClusterMonitorMetricsArgs

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    Name string
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    NetworkProfile KubernetesClusterNetworkProfileArgs

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    NodeOsChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NodeResourceGroup string

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    NodeResourceGroupId string
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    OidcIssuerEnabled bool
    Enable or Disable the OIDC issuer URL
    OidcIssuerUrl string
    The OIDC issuer URL that is associated with the cluster.
    OmsAgent KubernetesClusterOmsAgentArgs
    A oms_agent block as defined below.
    OpenServiceMeshEnabled bool
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    PortalFqdn string
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    PrivateClusterEnabled bool
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    PrivateClusterPublicFqdnEnabled bool

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) that has the Private DNS Zone Contributor role and access to this Private DNS Zone. If a UserAssigned identity is used, the cluster should depend on the role assignment so that the resources are not destroyed in the wrong order, like in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

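    // Resource group that holds the DNS zone, the identity and the cluster.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });

    // Bring-your-own private DNS zone that is delegated to the private cluster.
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });

    // User Assigned Identity the cluster runs as.
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });

    // The role is scoped to the DNS zone only, not to the resource group or
    // subscription, so the identity can manage records in this zone and nothing else.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });

    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        // Expose the API server on internal IP addresses only.
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // Attach the identity that holds the role assignment above.
        identity: {
            type: "UserAssigned",
            identityIds: [exampleUserAssignedIdentity.id],
        },
        // defaultNodePool and the rest of the cluster configuration are omitted for brevity.
    }, {
        // Nothing in the cluster arguments references the role assignment, so the
        // ordering has to be declared: the assignment is created before the cluster
        // and removed only after the cluster has been destroyed.
        dependsOn: [exampleAssignment],
    });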

    import pulumi
    import pulumi_azure as azure
    
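    # Resource group that holds the DNS zone, the identity and the cluster.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")

    # Bring-your-own private DNS zone that is delegated to the private cluster.
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)

    # User Assigned Identity the cluster runs as.
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)

    # The role is scoped to the DNS zone only, not to the resource group or
    # subscription, so the identity can manage records in this zone and nothing else.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)

    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        # Expose the API server on internal IP addresses only.
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # Attach the identity that holds the role assignment above.
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="UserAssigned",
            identity_ids=[example_user_assigned_identity.id],
        ),
        # default_node_pool and the rest of the cluster configuration are omitted for brevity.
        # Nothing in the cluster arguments references the role assignment, so the
        # ordering has to be declared: the assignment is created before the cluster
        # and removed only after the cluster has been destroyed.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))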
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
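    return await Deployment.RunAsync(() =>
    {
        // Resource group that holds the DNS zone, the identity and the cluster.
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });

        // Bring-your-own private DNS zone that is delegated to the private cluster.
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });

        // User Assigned Identity the cluster runs as.
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });

        // The role is scoped to the DNS zone only, not to the resource group or
        // subscription, so the identity can manage records in this zone and nothing else.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });

        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            // Expose the API server on internal IP addresses only.
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
            // Attach the identity that holds the role assignment above.
            Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
            {
                Type = "UserAssigned",
                IdentityIds = new[]
                {
                    exampleUserAssignedIdentity.Id,
                },
            },
            // DefaultNodePool and the rest of the cluster configuration are omitted for brevity.
        }, new CustomResourceOptions
        {
            // Nothing in the cluster arguments references the role assignment, so the
            // ordering has to be declared: the assignment is created before the cluster
            // and removed only after the cluster has been destroyed.
            DependsOn =
            {
                exampleAssignment,
            },
        });

    });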
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
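    // main declares a private AKS cluster that uses a bring-your-own private DNS
    // zone, together with the user assigned identity and the role assignment the
    // cluster needs on that zone.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Resource group that holds the DNS zone, the identity and the cluster.
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		// Bring-your-own private DNS zone that is delegated to the private cluster.
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		// User Assigned Identity the cluster runs as.
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the DNS zone only, not to the resource group or
    		// subscription, so the identity can manage records in this zone and nothing else.
    		// The resource is kept in a variable so the cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:              pulumi.String("aksexamplewithprivatednszone1"),
    			Location:          example.Location,
    			ResourceGroupName: example.Name,
    			DnsPrefix:         pulumi.String("aksexamplednsprefix1"),
    			// Expose the API server on internal IP addresses only.
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    			// Attach the identity that holds the role assignment above.
    			Identity: &containerservice.KubernetesClusterIdentityArgs{
    				Type: pulumi.String("UserAssigned"),
    				IdentityIds: pulumi.StringArray{
    					exampleUserAssignedIdentity.ID(),
    				},
    			},
    			// DefaultNodePool and the rest of the cluster configuration are omitted for brevity.
    		},
    			// Nothing in the cluster arguments references the role assignment, so the
    			// ordering has to be declared: the assignment is created before the cluster
    			// and removed only after the cluster has been destroyed.
    			pulumi.DependsOn([]pulumi.Resource{exampleAssignment}),
    		)
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }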
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.core.Output;
    import com.pulumi.resources.CustomResourceOptions;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;
    
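    /**
     * Declares a private AKS cluster that uses a bring-your-own private DNS zone,
     * together with the user assigned identity and the role assignment the cluster
     * needs on that zone.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Registers the example resources with the Pulumi program.
         *
         * @param ctx the Pulumi context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            // Resource group that holds the DNS zone, the identity and the cluster.
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            // Bring-your-own private DNS zone that is delegated to the private cluster.
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            // User Assigned Identity the cluster runs as.
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // The role is scoped to the DNS zone only, not to the resource group or
            // subscription, so the identity can manage records in this zone and nothing else.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                // Expose the API server on internal IP addresses only.
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                // Attach the identity that holds the role assignment above.
                .identity(KubernetesClusterIdentityArgs.builder()
                    .type("UserAssigned")
                    .identityIds(exampleUserAssignedIdentity.id().applyValue(id -> List.of(id)))
                    .build())
                // defaultNodePool and the rest of the cluster configuration are omitted for brevity.
                .build(),
                // Nothing in the cluster arguments references the role assignment, so the
                // ordering has to be declared: the assignment is created before the cluster
                // and removed only after the cluster has been destroyed.
                CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }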
    
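    resources:
      # Resource group that holds the DNS zone, the identity and the cluster.
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      # Bring-your-own private DNS zone that is delegated to the private cluster.
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      # User Assigned Identity the cluster runs as.
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the DNS zone only, not to the resource group or
      # subscription, so the identity can manage records in this zone and nothing else.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          # Expose the API server on internal IP addresses only.
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
          # Attach the identity that holds the role assignment above.
          identity:
            type: UserAssigned
            identityIds:
              - ${exampleUserAssignedIdentity.id}
          # defaultNodePool and the rest of the cluster configuration are omitted for brevity.
        # Nothing in the cluster properties references the role assignment, so the
        # ordering has to be declared: the assignment is created before the cluster
        # and removed only after the cluster has been destroyed.
        options:
          dependsOn:
            - ${exampleAssignment}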
    
    PrivateDnsZoneId string
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    PrivateFqdn string
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    PublicNetworkAccessEnabled bool

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API. For further information please see this issue. For controlling the public and private exposure of a cluster please see the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    ResourceGroupName string
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    RoleBasedAccessControlEnabled bool
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    RunCommandEnabled bool
    Whether to enable run command for the cluster or not. Defaults to true.
    ServiceMeshProfile KubernetesClusterServiceMeshProfileArgs

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    ServicePrincipal KubernetesClusterServicePrincipalArgs

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    SkuTier string

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    StorageProfile KubernetesClusterStorageProfileArgs
    A storage_profile block as defined below.
    SupportPlan string
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    Tags map[string]string
    A mapping of tags to assign to the resource.
    WebAppRouting KubernetesClusterWebAppRoutingArgs
    A web_app_routing block as defined below.
    WindowsProfile KubernetesClusterWindowsProfileArgs
    A windows_profile block as defined below.
    WorkloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfileArgs
    A workload_autoscaler_profile block defined below.
    WorkloadIdentityEnabled bool

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    aciConnectorLinux KubernetesClusterAciConnectorLinux
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    apiServerAccessProfile KubernetesClusterApiServerAccessProfile
    An api_server_access_profile block as defined below.
    apiServerAuthorizedIpRanges List<String>

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider.

    autoScalerProfile KubernetesClusterAutoScalerProfile
    A auto_scaler_profile block as defined below.
    automaticChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl
    A azure_active_directory_role_based_access_control block as defined below.
    azurePolicyEnabled Boolean
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidentialComputing KubernetesClusterConfidentialComputing
    A confidential_computing block as defined below. For more details please see the documentation.
    currentKubernetesVersion String
    The current version running on the Azure Kubernetes Managed Cluster.
    customCaTrustCertificatesBase64s List<String>

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    defaultNodePool KubernetesClusterDefaultNodePool
    A default_node_pool block as defined below.
    diskEncryptionSetId String
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dnsPrefix String
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dnsPrefixPrivateCluster String

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edgeZone String
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enablePodSecurityPolicy Boolean

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    fqdn String
    The FQDN of the Azure Kubernetes Managed Cluster.
    httpApplicationRoutingEnabled Boolean

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    httpApplicationRoutingZoneName String
    The Zone Name of the HTTP Application Routing.
    httpProxyConfig KubernetesClusterHttpProxyConfig
    A http_proxy_config block as defined below.
    identity KubernetesClusterIdentity

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    imageCleanerEnabled Boolean
    Specifies whether Image Cleaner is enabled.
    imageCleanerIntervalHours Integer
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingressApplicationGateway KubernetesClusterIngressApplicationGateway

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    keyManagementService KubernetesClusterKeyManagementService
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    keyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubeAdminConfigRaw String
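    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled. The value embeds admin credentials for the cluster, so treat it as a secret wherever it is exported or stored.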
    kubeAdminConfigs List<KubernetesClusterKubeAdminConfig>
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeConfigRaw String
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    kubeConfigs List<KubernetesClusterKubeConfig>
    A kube_config block as defined below.
    kubeletIdentity KubernetesClusterKubeletIdentity
    A kubelet_identity block as defined below.
    kubernetesVersion String

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the latest GA patch of that minor version is chosen automatically. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linuxProfile KubernetesClusterLinuxProfile
    A linux_profile block as defined below.
    localAccountDisabled Boolean

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location String
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenanceWindow KubernetesClusterMaintenanceWindow
    A maintenance_window block as defined below.
    maintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgrade
    A maintenance_window_auto_upgrade block as defined below.
    maintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOs
    A maintenance_window_node_os block as defined below.
    microsoftDefender KubernetesClusterMicrosoftDefender
    A microsoft_defender block as defined below.
    monitorMetrics KubernetesClusterMonitorMetrics

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name String
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    networkProfile KubernetesClusterNetworkProfile

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    nodeOsChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    nodeResourceGroup String

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    nodeResourceGroupId String
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidcIssuerEnabled Boolean
    Enable or Disable the OIDC issuer URL
    oidcIssuerUrl String
    The OIDC issuer URL that is associated with the cluster.
    omsAgent KubernetesClusterOmsAgent
    A oms_agent block as defined below.
    openServiceMeshEnabled Boolean
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    portalFqdn String
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    privateClusterEnabled Boolean
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    privateClusterPublicFqdnEnabled Boolean

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If a UserAssigned identity is used, the cluster should depend on the role assignment so that resources are created and destroyed in the correct order, as in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

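    // Resource group that holds the DNS zone, the identity and the cluster.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });

    // Private DNS zone that is handed to the cluster through privateDnsZoneId.
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });

    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });

    // The role is scoped to the zone itself, so the identity receives
    // "Private DNS Zone Contributor" on this one zone only.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });

    // Other cluster settings are omitted from this snippet; this page states that
    // one of identity or service_principal must be specified on a real cluster.
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
    }, {
        // No cluster property references the role assignment, so the dependency
        // has to be declared explicitly: the role is then granted before the
        // cluster is created and removed only after the cluster is destroyed.
        dependsOn: [exampleAssignment],
    });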

    import pulumi
    import pulumi_azure as azure
    
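    # Resource group that holds the DNS zone, the identity and the cluster.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    # Private DNS zone that is handed to the cluster through private_dns_zone_id.
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the zone itself, so the identity receives
    # "Private DNS Zone Contributor" on this one zone only.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # Other cluster settings are omitted from this snippet; this page states that
    # one of identity or service_principal must be specified on a real cluster.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # No cluster argument references the role assignment, so the dependency is
        # declared explicitly: the role is granted before the cluster is created
        # and removed only after the cluster is destroyed.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))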
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
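    return await Deployment.RunAsync(() => 
    {
        // Resource group that holds the DNS zone, the identity and the cluster.
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });

        // Private DNS zone that is handed to the cluster through PrivateDnsZoneId.
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });

        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });

        // The role is scoped to the zone itself, so the identity receives
        // "Private DNS Zone Contributor" on this one zone only.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });

        // Other cluster settings are omitted from this snippet; this page states that
        // one of identity or service_principal must be specified on a real cluster.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
        }, new CustomResourceOptions
        {
            // No cluster property references the role assignment, so the dependency
            // is declared explicitly: the role is granted before the cluster is
            // created and removed only after the cluster is destroyed.
            DependsOn =
            {
                exampleAssignment,
            },
        });

    });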
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
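    // main provisions a private AKS cluster that uses a bring-your-own private
    // DNS zone, together with the user-assigned identity and the role assignment
    // on that zone. Other cluster settings are omitted from this snippet; this
    // page states that one of identity or service_principal must be specified on
    // a real cluster.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the zone itself, so the identity receives
    		// "Private DNS Zone Contributor" on this one zone only. The resource is
    		// kept in a variable so the cluster can depend on it below.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// No cluster argument references the role assignment, so the dependency
    		// is declared explicitly: the role is granted before the cluster is
    		// created and removed only after the cluster is destroyed.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    		}, pulumi.DependsOn([]pulumi.Resource{exampleAssignment}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }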
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
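    /**
     * Provisions a private AKS cluster that uses a bring-your-own private DNS
     * zone, together with the user-assigned identity and the role assignment on
     * that zone. Other cluster settings are omitted from this snippet; this page
     * states that one of identity or service_principal must be specified on a
     * real cluster.
     */
    public class App {
        /** Program entry point: hands the stack definition to the Pulumi runtime. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the resources of the stack.
         *
         * @param ctx the Pulumi context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            // Private DNS zone that is handed to the cluster through privateDnsZoneId.
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // The role is scoped to the zone itself, so the identity receives
            // "Private DNS Zone Contributor" on this one zone only.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            // No cluster argument references the role assignment, so the dependency
            // is declared explicitly: the role is granted before the cluster is
            // created and removed only after the cluster is destroyed. The options
            // type is written fully qualified so no extra import is needed.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(), com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }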
    
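    # Private AKS cluster with a bring-your-own private DNS zone, the
    # user-assigned identity and the role assignment on that zone. Other cluster
    # settings are omitted from this snippet; this page states that one of
    # identity or service_principal must be specified on a real cluster.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the zone itself, so the identity receives
      # "Private DNS Zone Contributor" on this one zone only.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
        # No cluster property references the role assignment, so the dependency
        # is declared explicitly: the role is granted before the cluster is
        # created and removed only after the cluster is destroyed.
        options:
          dependsOn:
            - ${exampleAssignment}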
    
    privateDnsZoneId String
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    privateFqdn String
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    publicNetworkAccessEnabled Boolean

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API. For further information please see this issue. For controlling the public and private exposure of a cluster please see the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    resourceGroupName String
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    roleBasedAccessControlEnabled Boolean
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    runCommandEnabled Boolean
    Whether to enable run command for the cluster or not. Defaults to true.
    serviceMeshProfile KubernetesClusterServiceMeshProfile

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    servicePrincipal KubernetesClusterServicePrincipal

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    skuTier String

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storageProfile KubernetesClusterStorageProfile
    A storage_profile block as defined below.
    supportPlan String
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags Map<String,String>
    A mapping of tags to assign to the resource.
    webAppRouting KubernetesClusterWebAppRouting
    A web_app_routing block as defined below.
    windowsProfile KubernetesClusterWindowsProfile
    A windows_profile block as defined below.
    workloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile
    A workload_autoscaler_profile block defined below.
    workloadIdentityEnabled Boolean

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    aciConnectorLinux KubernetesClusterAciConnectorLinux
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    apiServerAccessProfile KubernetesClusterApiServerAccessProfile
    An api_server_access_profile block as defined below.
    apiServerAuthorizedIpRanges string[]

    Deprecated:This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    autoScalerProfile KubernetesClusterAutoScalerProfile
    A auto_scaler_profile block as defined below.
    automaticChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl
    A azure_active_directory_role_based_access_control block as defined below.
    azurePolicyEnabled boolean
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidentialComputing KubernetesClusterConfidentialComputing
    A confidential_computing block as defined below. For more details please see the documentation.
    currentKubernetesVersion string
    The current version running on the Azure Kubernetes Managed Cluster.
    customCaTrustCertificatesBase64s string[]

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    defaultNodePool KubernetesClusterDefaultNodePool
    A default_node_pool block as defined below.
    diskEncryptionSetId string
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dnsPrefix string
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dnsPrefixPrivateCluster string

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edgeZone string
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enablePodSecurityPolicy boolean

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    fqdn string
    The FQDN of the Azure Kubernetes Managed Cluster.
    httpApplicationRoutingEnabled boolean

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    httpApplicationRoutingZoneName string
    The Zone Name of the HTTP Application Routing.
    httpProxyConfig KubernetesClusterHttpProxyConfig
    A http_proxy_config block as defined below.
    identity KubernetesClusterIdentity

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    imageCleanerEnabled boolean
    Specifies whether Image Cleaner is enabled.
    imageCleanerIntervalHours number
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingressApplicationGateway KubernetesClusterIngressApplicationGateway

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    keyManagementService KubernetesClusterKeyManagementService
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    keyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubeAdminConfigRaw string
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeAdminConfigs KubernetesClusterKubeAdminConfig[]
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeConfigRaw string
    Raw Kubernetes config to be used by kubectl and other compatible tools. It embeds the credentials used to authenticate to the cluster, so treat it as a secret.
    kubeConfigs KubernetesClusterKubeConfig[]
    A kube_config block as defined below.
    kubeletIdentity KubernetesClusterKubeletIdentity
    A kubelet_identity block as defined below.
    kubernetesVersion string

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linuxProfile KubernetesClusterLinuxProfile
    A linux_profile block as defined below.
    localAccountDisabled boolean

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location string
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenanceWindow KubernetesClusterMaintenanceWindow
    A maintenance_window block as defined below.
    maintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgrade
    A maintenance_window_auto_upgrade block as defined below.
    maintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOs
    A maintenance_window_node_os block as defined below.
    microsoftDefender KubernetesClusterMicrosoftDefender
    A microsoft_defender block as defined below.
    monitorMetrics KubernetesClusterMonitorMetrics

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name string
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    networkProfile KubernetesClusterNetworkProfile

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    nodeOsChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    nodeResourceGroup string

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    nodeResourceGroupId string
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidcIssuerEnabled boolean
    Enable or Disable the OIDC issuer URL
    oidcIssuerUrl string
    The OIDC issuer URL that is associated with the cluster.
    omsAgent KubernetesClusterOmsAgent
    A oms_agent block as defined below.
    openServiceMeshEnabled boolean
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    portalFqdn string
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    privateClusterEnabled boolean
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    privateClusterPublicFqdnEnabled boolean

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If a UserAssigned identity is used, the cluster should depend on the role assignment so that resources are created and destroyed in the correct order, as in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

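    // Resource group that holds the DNS zone, the identity and the cluster.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });

    // Private DNS zone that is handed to the cluster through privateDnsZoneId.
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });

    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });

    // The role is scoped to the zone itself, so the identity receives
    // "Private DNS Zone Contributor" on this one zone only.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });

    // Other cluster settings are omitted from this snippet; this page states that
    // one of identity or service_principal must be specified on a real cluster.
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
    }, {
        // No cluster property references the role assignment, so the dependency
        // has to be declared explicitly: the role is then granted before the
        // cluster is created and removed only after the cluster is destroyed.
        dependsOn: [exampleAssignment],
    });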

    import pulumi
    import pulumi_azure as azure
    
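    # Resource group that holds the DNS zone, the identity and the cluster.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    # Private DNS zone that is handed to the cluster through private_dns_zone_id.
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the zone itself, so the identity receives
    # "Private DNS Zone Contributor" on this one zone only.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # Other cluster settings are omitted from this snippet; this page states that
    # one of identity or service_principal must be specified on a real cluster.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # No cluster argument references the role assignment, so the dependency is
        # declared explicitly: the role is granted before the cluster is created
        # and removed only after the cluster is destroyed.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))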
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
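    return await Deployment.RunAsync(() => 
    {
        // Resource group that holds the DNS zone, the identity and the cluster.
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });

        // Private DNS zone that is handed to the cluster through PrivateDnsZoneId.
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });

        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });

        // The role is scoped to the zone itself, so the identity receives
        // "Private DNS Zone Contributor" on this one zone only.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });

        // Other cluster settings are omitted from this snippet; this page states that
        // one of identity or service_principal must be specified on a real cluster.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
        }, new CustomResourceOptions
        {
            // No cluster property references the role assignment, so the dependency
            // is declared explicitly: the role is granted before the cluster is
            // created and removed only after the cluster is destroyed.
            DependsOn =
            {
                exampleAssignment,
            },
        });

    });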
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
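    // main provisions a private AKS cluster that uses a bring-your-own private
    // DNS zone, together with the user-assigned identity and the role assignment
    // on that zone. Other cluster settings are omitted from this snippet; this
    // page states that one of identity or service_principal must be specified on
    // a real cluster.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the zone itself, so the identity receives
    		// "Private DNS Zone Contributor" on this one zone only. The resource is
    		// kept in a variable so the cluster can depend on it below.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// No cluster argument references the role assignment, so the dependency
    		// is declared explicitly: the role is granted before the cluster is
    		// created and removed only after the cluster is destroyed.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    		}, pulumi.DependsOn([]pulumi.Resource{exampleAssignment}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }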
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
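    /**
     * Declares a private AKS cluster that uses a bring-your-own private DNS zone.
     * The stack creates the resource group, the zone, a user-assigned identity,
     * a role assignment for that identity on the zone, and the cluster.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Registers the example resources with the Pulumi engine.
         *
         * @param ctx the Pulumi program context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // The role is scoped to the private DNS zone only, not to the resource group.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            // NOTE(review): the rest of the cluster configuration (default node pool,
            // and the identity block that attaches the user-assigned identity) is not
            // shown in this example.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(),
                // No cluster input references the role assignment, so the ordering
                // has to be declared explicitly. The class name is fully qualified
                // to avoid adding an import.
                com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }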
    
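    # Private AKS cluster that uses a bring-your-own private DNS zone.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the private DNS zone only, not to the resource group.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
          # NOTE(review): the rest of the cluster configuration (default node pool,
          # and the identity block that attaches the user-assigned identity) is not
          # shown in this example.
        # No cluster property references the role assignment, so the ordering
        # has to be declared explicitly.
        options:
          dependsOn:
            - ${exampleAssignment}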
    
    privateDnsZoneId string
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    privateFqdn string
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    publicNetworkAccessEnabled boolean

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API, so setting it to false does not restrict access to the cluster. For further information please see this issue. To control the public and private exposure of a cluster, use the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    resourceGroupName string
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    roleBasedAccessControlEnabled boolean
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    runCommandEnabled boolean
    Whether to enable run command for the cluster or not. Defaults to true.
    serviceMeshProfile KubernetesClusterServiceMeshProfile

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    servicePrincipal KubernetesClusterServicePrincipal

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    skuTier string

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storageProfile KubernetesClusterStorageProfile
    A storage_profile block as defined below.
    supportPlan string
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags {[key: string]: string}
    A mapping of tags to assign to the resource.
    webAppRouting KubernetesClusterWebAppRouting
    A web_app_routing block as defined below.
    windowsProfile KubernetesClusterWindowsProfile
    A windows_profile block as defined below.
    workloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile
    A workload_autoscaler_profile block defined below.
    workloadIdentityEnabled boolean

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    aci_connector_linux KubernetesClusterAciConnectorLinuxArgs
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    api_server_access_profile KubernetesClusterApiServerAccessProfileArgs
    An api_server_access_profile block as defined below.
    api_server_authorized_ip_ranges Sequence[str]

    Deprecated:This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    auto_scaler_profile KubernetesClusterAutoScalerProfileArgs
    A auto_scaler_profile block as defined below.
    automatic_channel_upgrade str

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azure_active_directory_role_based_access_control KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs
    A azure_active_directory_role_based_access_control block as defined below.
    azure_policy_enabled bool
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidential_computing KubernetesClusterConfidentialComputingArgs
    A confidential_computing block as defined below. For more details please see the documentation
    current_kubernetes_version str
    The current version running on the Azure Kubernetes Managed Cluster.
    custom_ca_trust_certificates_base64s Sequence[str]

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    default_node_pool KubernetesClusterDefaultNodePoolArgs
    A default_node_pool block as defined below.
    disk_encryption_set_id str
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dns_prefix str
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dns_prefix_private_cluster str

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edge_zone str
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enable_pod_security_policy bool

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    fqdn str
    The FQDN of the Azure Kubernetes Managed Cluster.
    http_application_routing_enabled bool

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    http_application_routing_zone_name str
    The Zone Name of the HTTP Application Routing.
    http_proxy_config KubernetesClusterHttpProxyConfigArgs
    A http_proxy_config block as defined below.
    identity KubernetesClusterIdentityArgs

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    image_cleaner_enabled bool
    Specifies whether Image Cleaner is enabled.
    image_cleaner_interval_hours int
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingress_application_gateway KubernetesClusterIngressApplicationGatewayArgs

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    key_management_service KubernetesClusterKeyManagementServiceArgs
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    key_vault_secrets_provider KubernetesClusterKeyVaultSecretsProviderArgs
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kube_admin_config_raw str
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled. This value contains admin credentials for the cluster, so treat it as a secret.
    kube_admin_configs Sequence[KubernetesClusterKubeAdminConfigArgs]
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kube_config_raw str
    Raw Kubernetes config to be used by kubectl and other compatible tools. This value contains cluster credentials, so treat it as a secret.
    kube_configs Sequence[KubernetesClusterKubeConfigArgs]
    A kube_config block as defined below.
    kubelet_identity KubernetesClusterKubeletIdentityArgs
    A kubelet_identity block as defined below.
    kubernetes_version str

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linux_profile KubernetesClusterLinuxProfileArgs
    A linux_profile block as defined below.
    local_account_disabled bool

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location str
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenance_window KubernetesClusterMaintenanceWindowArgs
    A maintenance_window block as defined below.
    maintenance_window_auto_upgrade KubernetesClusterMaintenanceWindowAutoUpgradeArgs
    A maintenance_window_auto_upgrade block as defined below.
    maintenance_window_node_os KubernetesClusterMaintenanceWindowNodeOsArgs
    A maintenance_window_node_os block as defined below.
    microsoft_defender KubernetesClusterMicrosoftDefenderArgs
    A microsoft_defender block as defined below.
    monitor_metrics KubernetesClusterMonitorMetricsArgs

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name str
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    network_profile KubernetesClusterNetworkProfileArgs

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    node_os_channel_upgrade str

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    node_resource_group str

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    node_resource_group_id str
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidc_issuer_enabled bool
    Enable or Disable the OIDC issuer URL
    oidc_issuer_url str
    The OIDC issuer URL that is associated with the cluster.
    oms_agent KubernetesClusterOmsAgentArgs
    A oms_agent block as defined below.
    open_service_mesh_enabled bool
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    portal_fqdn str
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    private_cluster_enabled bool
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    private_cluster_public_fqdn_enabled bool

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) that has the Private DNS Zone Contributor role and access to this Private DNS Zone. If a UserAssigned identity is used, the cluster should explicitly depend on the role assignment so that the resources are not destroyed in the wrong order, like in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

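    // Private AKS cluster that uses a bring-your-own private DNS zone.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });
    // The role is scoped to the private DNS zone only, not to the resource group.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // NOTE(review): the rest of the cluster configuration (default node pool,
        // and the identity block that attaches the user-assigned identity) is not
        // shown in this example.
    }, {
        // No cluster input references the role assignment, so the ordering has
        // to be declared explicitly.
        dependsOn: [exampleAssignment],
    });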

    import pulumi
    import pulumi_azure as azure
    
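    # Private AKS cluster that uses a bring-your-own private DNS zone.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the private DNS zone only, not to the resource group.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # NOTE(review): the rest of the cluster configuration (default node pool, and
    # the identity block that attaches the user-assigned identity) is not shown in
    # this example.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # No cluster input references the role assignment, so the ordering has to
        # be declared explicitly.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))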
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
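    // Private AKS cluster that uses a bring-your-own private DNS zone.
    return await Deployment.RunAsync(() =>
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });

        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });

        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });

        // The role is scoped to the private DNS zone only, not to the resource group.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });

        // NOTE(review): the rest of the cluster configuration (default node pool,
        // and the identity block that attaches the user-assigned identity) is not
        // shown in this example.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
        }, new CustomResourceOptions
        {
            // No cluster input references the role assignment, so the ordering
            // has to be declared explicitly.
            DependsOn = { exampleAssignment },
        });

    });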
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
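    // main declares a private AKS cluster whose API server records live in a
    // bring-your-own private DNS zone. It creates the resource group, the zone,
    // a user-assigned identity, a role assignment for that identity on the zone,
    // and the cluster.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the private DNS zone only, not to the resource
    		// group. The assignment is kept in a variable so the cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    			// NOTE(review): the rest of the cluster configuration (default node
    			// pool, and the identity block that attaches the user-assigned
    			// identity) is not shown in this example.
    		}, pulumi.DependsOn([]pulumi.Resource{exampleAssignment}))
    		// The explicit dependency is needed because no cluster input references
    		// the role assignment, so the engine cannot infer the ordering.
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }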
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
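    /**
     * Declares a private AKS cluster that uses a bring-your-own private DNS zone.
     * The stack creates the resource group, the zone, a user-assigned identity,
     * a role assignment for that identity on the zone, and the cluster.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Registers the example resources with the Pulumi engine.
         *
         * @param ctx the Pulumi program context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // The role is scoped to the private DNS zone only, not to the resource group.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            // NOTE(review): the rest of the cluster configuration (default node pool,
            // and the identity block that attaches the user-assigned identity) is not
            // shown in this example.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(),
                // No cluster input references the role assignment, so the ordering
                // has to be declared explicitly. The class name is fully qualified
                // to avoid adding an import.
                com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }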
    
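    # Private AKS cluster that uses a bring-your-own private DNS zone.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the private DNS zone only, not to the resource group.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
          # NOTE(review): the rest of the cluster configuration (default node pool,
          # and the identity block that attaches the user-assigned identity) is not
          # shown in this example.
        # No cluster property references the role assignment, so the ordering
        # has to be declared explicitly.
        options:
          dependsOn:
            - ${exampleAssignment}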
    
    private_dns_zone_id str
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    private_fqdn str
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    public_network_access_enabled bool

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API, so setting it to false does not restrict access to the cluster. For further information please see this issue. To control the public and private exposure of a cluster, use the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    resource_group_name str
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    role_based_access_control_enabled bool
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    run_command_enabled bool
    Whether to enable run command for the cluster or not. Defaults to true.
    service_mesh_profile KubernetesClusterServiceMeshProfileArgs

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    service_principal KubernetesClusterServicePrincipalArgs

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    sku_tier str

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storage_profile KubernetesClusterStorageProfileArgs
    A storage_profile block as defined below.
    support_plan str
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags Mapping[str, str]
    A mapping of tags to assign to the resource.
    web_app_routing KubernetesClusterWebAppRoutingArgs
    A web_app_routing block as defined below.
    windows_profile KubernetesClusterWindowsProfileArgs
    A windows_profile block as defined below.
    workload_autoscaler_profile KubernetesClusterWorkloadAutoscalerProfileArgs
    A workload_autoscaler_profile block defined below.
    workload_identity_enabled bool

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    aciConnectorLinux Property Map
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    apiServerAccessProfile Property Map
    An api_server_access_profile block as defined below.
    apiServerAuthorizedIpRanges List<String>

    Deprecated:This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    autoScalerProfile Property Map
    A auto_scaler_profile block as defined below.
    automaticChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azureActiveDirectoryRoleBasedAccessControl Property Map
    A azure_active_directory_role_based_access_control block as defined below.
    azurePolicyEnabled Boolean
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidentialComputing Property Map
    A confidential_computing block as defined below. For more details please see the documentation
    currentKubernetesVersion String
    The current version running on the Azure Kubernetes Managed Cluster.
    customCaTrustCertificatesBase64s List<String>

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    defaultNodePool Property Map
    A default_node_pool block as defined below.
    diskEncryptionSetId String
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dnsPrefix String
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dnsPrefixPrivateCluster String

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edgeZone String
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enablePodSecurityPolicy Boolean

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    fqdn String
    The FQDN of the Azure Kubernetes Managed Cluster.
    httpApplicationRoutingEnabled Boolean

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    httpApplicationRoutingZoneName String
    The Zone Name of the HTTP Application Routing.
    httpProxyConfig Property Map
    A http_proxy_config block as defined below.
    identity Property Map

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    imageCleanerEnabled Boolean
    Specifies whether Image Cleaner is enabled.
    imageCleanerIntervalHours Number
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingressApplicationGateway Property Map

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    keyManagementService Property Map
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    keyVaultSecretsProvider Property Map
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubeAdminConfigRaw String
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled. Because it embeds credentials for the admin account, treat the value as a secret.
    kubeAdminConfigs List<Property Map>
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeConfigRaw String
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    kubeConfigs List<Property Map>
    A kube_config block as defined below.
    kubeletIdentity Property Map
    A kubelet_identity block as defined below.
    kubernetesVersion String

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, and the minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linuxProfile Property Map
    A linux_profile block as defined below.
    localAccountDisabled Boolean

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location String
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenanceWindow Property Map
    A maintenance_window block as defined below.
    maintenanceWindowAutoUpgrade Property Map
    A maintenance_window_auto_upgrade block as defined below.
    maintenanceWindowNodeOs Property Map
    A maintenance_window_node_os block as defined below.
    microsoftDefender Property Map
    A microsoft_defender block as defined below.
    monitorMetrics Property Map

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name String
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    networkProfile Property Map

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    nodeOsChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    nodeResourceGroup String

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    nodeResourceGroupId String
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidcIssuerEnabled Boolean
    Enable or Disable the OIDC issuer URL
    oidcIssuerUrl String
    The OIDC issuer URL that is associated with the cluster.
    omsAgent Property Map
    A oms_agent block as defined below.
    openServiceMeshEnabled Boolean
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    portalFqdn String
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    privateClusterEnabled Boolean
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    privateClusterPublicFqdnEnabled Boolean

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If UserAssigned identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

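    // Resource group that holds the zone, the identity and the cluster.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });
    // Bring-your-own Private DNS Zone that is handed to the private cluster.
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });
    // The role is granted on the zone itself (scope is the zone ID), not on the whole resource group.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });
    // NOTE(review): the remaining cluster arguments (for example defaultNodePool and the
    // identity block that attaches the user-assigned identity) are not shown in this fragment.
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
    }, {
        // Explicit dependency on the role assignment: it is created before the cluster
        // and destroyed only after it, which is the ordering the note above asks for.
        dependsOn: [exampleAssignment],
    });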

    import pulumi
    import pulumi_azure as azure
    
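    # Resource group that holds the zone, the identity and the cluster.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    # Bring-your-own Private DNS Zone that is handed to the private cluster.
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is granted on the zone itself (scope is the zone ID), not on the whole resource group.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # NOTE(review): the remaining cluster arguments (for example default_node_pool and the
    # identity block that attaches the user-assigned identity) are not shown in this fragment.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # Explicit dependency on the role assignment: it is created before the cluster
        # and destroyed only after it.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))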
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
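    return await Deployment.RunAsync(() => 
    {
        // Resource group that holds the zone, the identity and the cluster.
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });

        // Bring-your-own Private DNS Zone that is handed to the private cluster.
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });

        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });

        // The role is granted on the zone itself (scope is the zone ID), not on the whole resource group.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });

        // NOTE(review): the remaining cluster arguments (for example DefaultNodePool and the
        // Identity block that attaches the user-assigned identity) are not shown in this fragment.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
        }, new CustomResourceOptions
        {
            // Explicit dependency on the role assignment: it is created before the cluster
            // and destroyed only after it.
            DependsOn = { exampleAssignment },
        });

    });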
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
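    // main declares a private AKS cluster that uses a bring-your-own Private DNS
    // Zone, together with the identity and role assignment the zone needs.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is granted on the zone itself (scope is the zone ID), not on
    		// the whole resource group. The resource is kept in a variable so the
    		// cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// NOTE(review): the remaining cluster arguments (for example DefaultNodePool
    		// and the Identity block that attaches the user-assigned identity) are not
    		// shown in this fragment.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    		}, pulumi.DependsOn([]pulumi.Resource{exampleAssignment})) // created after, destroyed before the role assignment
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }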
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
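    /**
     * Declares a private AKS cluster that uses a bring-your-own Private DNS Zone,
     * together with the identity and role assignment the zone needs.
     */
    public class App {
        /** Program entry point; hands the stack definition to the Pulumi runtime. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the resources of the stack.
         *
         * @param ctx the Pulumi context supplied by the runtime (not used by this example)
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            // Bring-your-own Private DNS Zone that is handed to the private cluster.
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // The role is granted on the zone itself (scope is the zone ID), not on the whole resource group.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            // NOTE(review): the remaining cluster arguments (for example defaultNodePool and the
            // identity block that attaches the user-assigned identity) are not shown in this fragment.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(),
                // Explicit dependency on the role assignment: it is created before the cluster
                // and destroyed only after it. Fully qualified to avoid a new import.
                com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }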
    
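    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      # Bring-your-own Private DNS Zone that is handed to the private cluster.
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is granted on the zone itself (scope is the zone ID), not on the whole resource group.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      # NOTE(review): the remaining cluster properties (for example defaultNodePool and the
      # identity block that attaches the user-assigned identity) are not shown in this fragment.
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
        # Explicit dependency on the role assignment: it is created before the cluster
        # and destroyed only after it.
        options:
          dependsOn:
            - ${exampleAssignment}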
    
    privateDnsZoneId String
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    privateFqdn String
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    publicNetworkAccessEnabled Boolean

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API. For further information please see this issue. For controlling the public and private exposure of a cluster please see the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    resourceGroupName String
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    roleBasedAccessControlEnabled Boolean
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    runCommandEnabled Boolean
    Whether to enable run command for the cluster or not. Defaults to true.
    serviceMeshProfile Property Map

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    servicePrincipal Property Map

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    skuTier String

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storageProfile Property Map
    A storage_profile block as defined below.
    supportPlan String
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags Map<String>
    A mapping of tags to assign to the resource.
    webAppRouting Property Map
    A web_app_routing block as defined below.
    windowsProfile Property Map
    A windows_profile block as defined below.
    workloadAutoscalerProfile Property Map
    A workload_autoscaler_profile block defined below.
    workloadIdentityEnabled Boolean

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    Supporting Types

    KubernetesClusterAciConnectorLinux, KubernetesClusterAciConnectorLinuxArgs

    SubnetName string

    The subnet name for the virtual nodes to run.

    Note: At this time ACI Connectors are not supported in Azure China.

    Note: AKS will add a delegation to the subnet named here. To prevent further runs from failing you should make sure that the subnet you create for virtual nodes has a delegation, like so.

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

    // Delegation that AKS adds to the virtual-node subnet; declaring it here keeps
    // later runs from failing on the difference.
    const aciDelegation = {
        name: "aciDelegation",
        serviceDelegation: {
            name: "Microsoft.ContainerInstance/containerGroups",
            actions: ["Microsoft.Network/virtualNetworks/subnets/action"],
        },
    };
    // Only the delegations argument is shown in this fragment.
    const virtual = new azure.network.Subnet("virtual", {
        delegations: [aciDelegation],
    });

    import pulumi
    import pulumi_azure as azure
    
    # Delegation that AKS adds to the virtual-node subnet; declaring it here keeps
    # later runs from failing on the difference.
    aci_service_delegation = azure.network.SubnetDelegationServiceDelegationArgs(
        name="Microsoft.ContainerInstance/containerGroups",
        actions=["Microsoft.Network/virtualNetworks/subnets/action"],
    )
    aci_delegation = azure.network.SubnetDelegationArgs(
        name="aciDelegation",
        service_delegation=aci_service_delegation,
    )
    # Only the delegations argument is shown in this fragment.
    virtual = azure.network.Subnet("virtual", delegations=[aci_delegation])
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        // Delegation that AKS adds to the virtual-node subnet; declaring it here keeps
        // later runs from failing on the difference.
        var aciDelegation = new Azure.Network.Inputs.SubnetDelegationArgs
        {
            Name = "aciDelegation",
            ServiceDelegation = new Azure.Network.Inputs.SubnetDelegationServiceDelegationArgs
            {
                Name = "Microsoft.ContainerInstance/containerGroups",
                Actions = new[] { "Microsoft.Network/virtualNetworks/subnets/action" },
            },
        };

        // Only the Delegations argument is shown in this fragment.
        var @virtual = new Azure.Network.Subnet("virtual", new()
        {
            Delegations = new[] { aciDelegation },
        });

    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/network"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares the virtual-node subnet with the ACI delegation already in place.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Delegation that AKS adds to the virtual-node subnet; declaring it here
    		// keeps later runs from failing on the difference.
    		aciDelegation := &network.SubnetDelegationArgs{
    			Name: pulumi.String("aciDelegation"),
    			ServiceDelegation: &network.SubnetDelegationServiceDelegationArgs{
    				Name: pulumi.String("Microsoft.ContainerInstance/containerGroups"),
    				Actions: pulumi.StringArray{
    					pulumi.String("Microsoft.Network/virtualNetworks/subnets/action"),
    				},
    			},
    		}
    		// Only the Delegations argument is shown in this fragment.
    		if _, err := network.NewSubnet(ctx, "virtual", &network.SubnetArgs{
    			Delegations: network.SubnetDelegationArray{aciDelegation},
    		}); err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.network.Subnet;
    import com.pulumi.azure.network.SubnetArgs;
    import com.pulumi.azure.network.inputs.SubnetDelegationArgs;
    import com.pulumi.azure.network.inputs.SubnetDelegationServiceDelegationArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /** Declares the virtual-node subnet with the ACI delegation already in place. */
    public class App {
        /** Program entry point; hands the stack definition to the Pulumi runtime. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the subnet. Only the delegations argument is shown in this fragment.
         *
         * @param ctx the Pulumi context supplied by the runtime (not used by this example)
         */
        public static void stack(Context ctx) {
            // Delegation that AKS adds to the virtual-node subnet; declaring it here keeps
            // later runs from failing on the difference.
            var aciServiceDelegation = SubnetDelegationServiceDelegationArgs.builder()
                .name("Microsoft.ContainerInstance/containerGroups")
                .actions("Microsoft.Network/virtualNetworks/subnets/action")
                .build();
            var aciDelegation = SubnetDelegationArgs.builder()
                .name("aciDelegation")
                .serviceDelegation(aciServiceDelegation)
                .build();

            var virtual = new Subnet("virtual", SubnetArgs.builder()
                .delegations(aciDelegation)
                .build());

        }
    }
    
    resources:
      # Subnet for the virtual nodes. Only the delegations property is shown in this fragment.
      virtual:
        type: azure:network:Subnet
        properties:
          # Delegation that AKS adds to the virtual-node subnet; declaring it here keeps
          # later runs from failing on the difference.
          delegations:
            - name: aciDelegation
              serviceDelegation:
                name: Microsoft.ContainerInstance/containerGroups
                actions:
                  - Microsoft.Network/virtualNetworks/subnets/action
    
    ConnectorIdentities List<KubernetesClusterAciConnectorLinuxConnectorIdentity>
    A connector_identity block is exported. The exported attributes are defined below.
    SubnetName string

    The subnet name for the virtual nodes to run.

    Note: At this time ACI Connectors are not supported in Azure China.

    Note: AKS will add a delegation to the subnet named here. To prevent further runs from failing you should make sure that the subnet you create for virtual nodes has a delegation, like so.

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

    // Delegation that AKS adds to the virtual-node subnet; declaring it here keeps
    // later runs from failing on the difference.
    const aciDelegation = {
        name: "aciDelegation",
        serviceDelegation: {
            name: "Microsoft.ContainerInstance/containerGroups",
            actions: ["Microsoft.Network/virtualNetworks/subnets/action"],
        },
    };
    // Only the delegations argument is shown in this fragment.
    const virtual = new azure.network.Subnet("virtual", {
        delegations: [aciDelegation],
    });

    import pulumi
    import pulumi_azure as azure
    
    # Delegation that AKS adds to the virtual-node subnet; declaring it here keeps
    # later runs from failing on the difference.
    aci_service_delegation = azure.network.SubnetDelegationServiceDelegationArgs(
        name="Microsoft.ContainerInstance/containerGroups",
        actions=["Microsoft.Network/virtualNetworks/subnets/action"],
    )
    aci_delegation = azure.network.SubnetDelegationArgs(
        name="aciDelegation",
        service_delegation=aci_service_delegation,
    )
    # Only the delegations argument is shown in this fragment.
    virtual = azure.network.Subnet("virtual", delegations=[aci_delegation])
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        // Delegation that AKS adds to the virtual-node subnet; declaring it here keeps
        // later runs from failing on the difference.
        var aciDelegation = new Azure.Network.Inputs.SubnetDelegationArgs
        {
            Name = "aciDelegation",
            ServiceDelegation = new Azure.Network.Inputs.SubnetDelegationServiceDelegationArgs
            {
                Name = "Microsoft.ContainerInstance/containerGroups",
                Actions = new[] { "Microsoft.Network/virtualNetworks/subnets/action" },
            },
        };

        // Only the Delegations argument is shown in this fragment.
        var @virtual = new Azure.Network.Subnet("virtual", new()
        {
            Delegations = new[] { aciDelegation },
        });

    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/network"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main declares the virtual-node subnet with the ACI delegation already in place.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Delegation that AKS adds to the virtual-node subnet; declaring it here
    		// keeps later runs from failing on the difference.
    		aciDelegation := &network.SubnetDelegationArgs{
    			Name: pulumi.String("aciDelegation"),
    			ServiceDelegation: &network.SubnetDelegationServiceDelegationArgs{
    				Name: pulumi.String("Microsoft.ContainerInstance/containerGroups"),
    				Actions: pulumi.StringArray{
    					pulumi.String("Microsoft.Network/virtualNetworks/subnets/action"),
    				},
    			},
    		}
    		// Only the Delegations argument is shown in this fragment.
    		if _, err := network.NewSubnet(ctx, "virtual", &network.SubnetArgs{
    			Delegations: network.SubnetDelegationArray{aciDelegation},
    		}); err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.network.Subnet;
    import com.pulumi.azure.network.SubnetArgs;
    import com.pulumi.azure.network.inputs.SubnetDelegationArgs;
    import com.pulumi.azure.network.inputs.SubnetDelegationServiceDelegationArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /** Pulumi program declaring a subnet delegated to Azure Container Instances. */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /** Declares the "virtual" subnet; only its delegation is shown in this excerpt. */
        public static void stack(Context ctx) {
            // Service the subnet is delegated to, plus the action delegated to it.
            final var aciServiceDelegation = SubnetDelegationServiceDelegationArgs.builder()
                .name("Microsoft.ContainerInstance/containerGroups")
                .actions("Microsoft.Network/virtualNetworks/subnets/action")
                .build();

            final var aciDelegation = SubnetDelegationArgs.builder()
                .name("aciDelegation")
                .serviceDelegation(aciServiceDelegation)
                .build();

            var virtual = new Subnet("virtual", SubnetArgs.builder()
                .delegations(aciDelegation)
                .build());
        }
    }
    
    resources:
      # Subnet for AKS virtual nodes; only the delegation is shown in this excerpt.
      virtual:
        type: azure:network:Subnet
        properties:
          delegations:
            # Delegates the subnet to Azure Container Instances container groups.
            - name: aciDelegation
              serviceDelegation:
                name: Microsoft.ContainerInstance/containerGroups
                actions:
                  - Microsoft.Network/virtualNetworks/subnets/action
    
    ConnectorIdentities []KubernetesClusterAciConnectorLinuxConnectorIdentity
    A connector_identity block is exported. The exported attributes are defined below.
    subnetName String

    The subnet name for the virtual nodes to run.

    Note: At this time ACI Connectors are not supported in Azure China.

    Note: AKS will add a delegation to the subnet named here. To keep subsequent runs from failing, make sure the subnet you create for virtual nodes already has this delegation, as shown below.

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

    // Subnet for AKS virtual nodes, delegated to Azure Container Instances.
    // Only the delegation is shown; the subnet's other arguments are omitted in this excerpt.
    const aciServiceDelegation = {
        name: "Microsoft.ContainerInstance/containerGroups",
        actions: ["Microsoft.Network/virtualNetworks/subnets/action"],
    };
    const virtual = new azure.network.Subnet("virtual", {
        delegations: [{
            name: "aciDelegation",
            serviceDelegation: aciServiceDelegation,
        }],
    });

    import pulumi
    import pulumi_azure as azure
    
    virtual = azure.network.Subnet("virtual", delegations=[azure.network.SubnetDelegationArgs(
        name="aciDelegation",
        service_delegation=azure.network.SubnetDelegationServiceDelegationArgs(
            name="Microsoft.ContainerInstance/containerGroups",
            actions=["Microsoft.Network/virtualNetworks/subnets/action"],
        ),
    )])
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var @virtual = new Azure.Network.Subnet("virtual", new()
        {
            Delegations = new[]
            {
                new Azure.Network.Inputs.SubnetDelegationArgs
                {
                    Name = "aciDelegation",
                    ServiceDelegation = new Azure.Network.Inputs.SubnetDelegationServiceDelegationArgs
                    {
                        Name = "Microsoft.ContainerInstance/containerGroups",
                        Actions = new[]
                        {
                            "Microsoft.Network/virtualNetworks/subnets/action",
                        },
                    },
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/network"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := network.NewSubnet(ctx, "virtual", &network.SubnetArgs{
    			Delegations: network.SubnetDelegationArray{
    				&network.SubnetDelegationArgs{
    					Name: pulumi.String("aciDelegation"),
    					ServiceDelegation: &network.SubnetDelegationServiceDelegationArgs{
    						Name: pulumi.String("Microsoft.ContainerInstance/containerGroups"),
    						Actions: pulumi.StringArray{
    							pulumi.String("Microsoft.Network/virtualNetworks/subnets/action"),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.network.Subnet;
    import com.pulumi.azure.network.SubnetArgs;
    import com.pulumi.azure.network.inputs.SubnetDelegationArgs;
    import com.pulumi.azure.network.inputs.SubnetDelegationServiceDelegationArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var virtual = new Subnet("virtual", SubnetArgs.builder()        
                .delegations(SubnetDelegationArgs.builder()
                    .name("aciDelegation")
                    .serviceDelegation(SubnetDelegationServiceDelegationArgs.builder()
                        .name("Microsoft.ContainerInstance/containerGroups")
                        .actions("Microsoft.Network/virtualNetworks/subnets/action")
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      virtual:
        type: azure:network:Subnet
        properties:
          delegations:
            - name: aciDelegation
              serviceDelegation:
                name: Microsoft.ContainerInstance/containerGroups
                actions:
                  - Microsoft.Network/virtualNetworks/subnets/action
    
    connectorIdentities List<KubernetesClusterAciConnectorLinuxConnectorIdentity>
    A connector_identity block is exported. The exported attributes are defined below.
    subnetName string

    The subnet name for the virtual nodes to run.

    Note: At this time ACI Connectors are not supported in Azure China.

    Note: AKS will add a delegation to the subnet named here. To keep subsequent runs from failing, make sure the subnet you create for virtual nodes already has this delegation, as shown below.

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

    // Subnet for AKS virtual nodes, delegated to Azure Container Instances.
    // Only the delegation is shown; the subnet's other arguments are omitted in this excerpt.
    const aciServiceDelegation = {
        name: "Microsoft.ContainerInstance/containerGroups",
        actions: ["Microsoft.Network/virtualNetworks/subnets/action"],
    };
    const virtual = new azure.network.Subnet("virtual", {
        delegations: [{
            name: "aciDelegation",
            serviceDelegation: aciServiceDelegation,
        }],
    });

    import pulumi
    import pulumi_azure as azure
    
    virtual = azure.network.Subnet("virtual", delegations=[azure.network.SubnetDelegationArgs(
        name="aciDelegation",
        service_delegation=azure.network.SubnetDelegationServiceDelegationArgs(
            name="Microsoft.ContainerInstance/containerGroups",
            actions=["Microsoft.Network/virtualNetworks/subnets/action"],
        ),
    )])
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var @virtual = new Azure.Network.Subnet("virtual", new()
        {
            Delegations = new[]
            {
                new Azure.Network.Inputs.SubnetDelegationArgs
                {
                    Name = "aciDelegation",
                    ServiceDelegation = new Azure.Network.Inputs.SubnetDelegationServiceDelegationArgs
                    {
                        Name = "Microsoft.ContainerInstance/containerGroups",
                        Actions = new[]
                        {
                            "Microsoft.Network/virtualNetworks/subnets/action",
                        },
                    },
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/network"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := network.NewSubnet(ctx, "virtual", &network.SubnetArgs{
    			Delegations: network.SubnetDelegationArray{
    				&network.SubnetDelegationArgs{
    					Name: pulumi.String("aciDelegation"),
    					ServiceDelegation: &network.SubnetDelegationServiceDelegationArgs{
    						Name: pulumi.String("Microsoft.ContainerInstance/containerGroups"),
    						Actions: pulumi.StringArray{
    							pulumi.String("Microsoft.Network/virtualNetworks/subnets/action"),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.network.Subnet;
    import com.pulumi.azure.network.SubnetArgs;
    import com.pulumi.azure.network.inputs.SubnetDelegationArgs;
    import com.pulumi.azure.network.inputs.SubnetDelegationServiceDelegationArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var virtual = new Subnet("virtual", SubnetArgs.builder()        
                .delegations(SubnetDelegationArgs.builder()
                    .name("aciDelegation")
                    .serviceDelegation(SubnetDelegationServiceDelegationArgs.builder()
                        .name("Microsoft.ContainerInstance/containerGroups")
                        .actions("Microsoft.Network/virtualNetworks/subnets/action")
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      virtual:
        type: azure:network:Subnet
        properties:
          delegations:
            - name: aciDelegation
              serviceDelegation:
                name: Microsoft.ContainerInstance/containerGroups
                actions:
                  - Microsoft.Network/virtualNetworks/subnets/action
    
    connectorIdentities KubernetesClusterAciConnectorLinuxConnectorIdentity[]
    A connector_identity block is exported. The exported attributes are defined below.
    subnet_name str

    The subnet name for the virtual nodes to run.

    Note: At this time ACI Connectors are not supported in Azure China.

    Note: AKS will add a delegation to the subnet named here. To keep subsequent runs from failing, make sure the subnet you create for virtual nodes already has this delegation, as shown below.

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

    // Subnet for AKS virtual nodes, delegated to Azure Container Instances.
    // Only the delegation is shown; the subnet's other arguments are omitted in this excerpt.
    const aciServiceDelegation = {
        name: "Microsoft.ContainerInstance/containerGroups",
        actions: ["Microsoft.Network/virtualNetworks/subnets/action"],
    };
    const virtual = new azure.network.Subnet("virtual", {
        delegations: [{
            name: "aciDelegation",
            serviceDelegation: aciServiceDelegation,
        }],
    });

    import pulumi
    import pulumi_azure as azure
    
    virtual = azure.network.Subnet("virtual", delegations=[azure.network.SubnetDelegationArgs(
        name="aciDelegation",
        service_delegation=azure.network.SubnetDelegationServiceDelegationArgs(
            name="Microsoft.ContainerInstance/containerGroups",
            actions=["Microsoft.Network/virtualNetworks/subnets/action"],
        ),
    )])
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var @virtual = new Azure.Network.Subnet("virtual", new()
        {
            Delegations = new[]
            {
                new Azure.Network.Inputs.SubnetDelegationArgs
                {
                    Name = "aciDelegation",
                    ServiceDelegation = new Azure.Network.Inputs.SubnetDelegationServiceDelegationArgs
                    {
                        Name = "Microsoft.ContainerInstance/containerGroups",
                        Actions = new[]
                        {
                            "Microsoft.Network/virtualNetworks/subnets/action",
                        },
                    },
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/network"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := network.NewSubnet(ctx, "virtual", &network.SubnetArgs{
    			Delegations: network.SubnetDelegationArray{
    				&network.SubnetDelegationArgs{
    					Name: pulumi.String("aciDelegation"),
    					ServiceDelegation: &network.SubnetDelegationServiceDelegationArgs{
    						Name: pulumi.String("Microsoft.ContainerInstance/containerGroups"),
    						Actions: pulumi.StringArray{
    							pulumi.String("Microsoft.Network/virtualNetworks/subnets/action"),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.network.Subnet;
    import com.pulumi.azure.network.SubnetArgs;
    import com.pulumi.azure.network.inputs.SubnetDelegationArgs;
    import com.pulumi.azure.network.inputs.SubnetDelegationServiceDelegationArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var virtual = new Subnet("virtual", SubnetArgs.builder()        
                .delegations(SubnetDelegationArgs.builder()
                    .name("aciDelegation")
                    .serviceDelegation(SubnetDelegationServiceDelegationArgs.builder()
                        .name("Microsoft.ContainerInstance/containerGroups")
                        .actions("Microsoft.Network/virtualNetworks/subnets/action")
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      virtual:
        type: azure:network:Subnet
        properties:
          delegations:
            - name: aciDelegation
              serviceDelegation:
                name: Microsoft.ContainerInstance/containerGroups
                actions:
                  - Microsoft.Network/virtualNetworks/subnets/action
    
    connector_identities Sequence[KubernetesClusterAciConnectorLinuxConnectorIdentity]
    A connector_identity block is exported. The exported attributes are defined below.
    subnetName String

    The subnet name for the virtual nodes to run.

    Note: At this time ACI Connectors are not supported in Azure China.

    Note: AKS will add a delegation to the subnet named here. To keep subsequent runs from failing, make sure the subnet you create for virtual nodes already has this delegation, as shown below.

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

    // Subnet for AKS virtual nodes, delegated to Azure Container Instances.
    // Only the delegation is shown; the subnet's other arguments are omitted in this excerpt.
    const aciServiceDelegation = {
        name: "Microsoft.ContainerInstance/containerGroups",
        actions: ["Microsoft.Network/virtualNetworks/subnets/action"],
    };
    const virtual = new azure.network.Subnet("virtual", {
        delegations: [{
            name: "aciDelegation",
            serviceDelegation: aciServiceDelegation,
        }],
    });

    import pulumi
    import pulumi_azure as azure
    
    virtual = azure.network.Subnet("virtual", delegations=[azure.network.SubnetDelegationArgs(
        name="aciDelegation",
        service_delegation=azure.network.SubnetDelegationServiceDelegationArgs(
            name="Microsoft.ContainerInstance/containerGroups",
            actions=["Microsoft.Network/virtualNetworks/subnets/action"],
        ),
    )])
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    return await Deployment.RunAsync(() => 
    {
        var @virtual = new Azure.Network.Subnet("virtual", new()
        {
            Delegations = new[]
            {
                new Azure.Network.Inputs.SubnetDelegationArgs
                {
                    Name = "aciDelegation",
                    ServiceDelegation = new Azure.Network.Inputs.SubnetDelegationServiceDelegationArgs
                    {
                        Name = "Microsoft.ContainerInstance/containerGroups",
                        Actions = new[]
                        {
                            "Microsoft.Network/virtualNetworks/subnets/action",
                        },
                    },
                },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/network"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := network.NewSubnet(ctx, "virtual", &network.SubnetArgs{
    			Delegations: network.SubnetDelegationArray{
    				&network.SubnetDelegationArgs{
    					Name: pulumi.String("aciDelegation"),
    					ServiceDelegation: &network.SubnetDelegationServiceDelegationArgs{
    						Name: pulumi.String("Microsoft.ContainerInstance/containerGroups"),
    						Actions: pulumi.StringArray{
    							pulumi.String("Microsoft.Network/virtualNetworks/subnets/action"),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.network.Subnet;
    import com.pulumi.azure.network.SubnetArgs;
    import com.pulumi.azure.network.inputs.SubnetDelegationArgs;
    import com.pulumi.azure.network.inputs.SubnetDelegationServiceDelegationArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var virtual = new Subnet("virtual", SubnetArgs.builder()        
                .delegations(SubnetDelegationArgs.builder()
                    .name("aciDelegation")
                    .serviceDelegation(SubnetDelegationServiceDelegationArgs.builder()
                        .name("Microsoft.ContainerInstance/containerGroups")
                        .actions("Microsoft.Network/virtualNetworks/subnets/action")
                        .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      virtual:
        type: azure:network:Subnet
        properties:
          delegations:
            - name: aciDelegation
              serviceDelegation:
                name: Microsoft.ContainerInstance/containerGroups
                actions:
                  - Microsoft.Network/virtualNetworks/subnets/action
    
    connectorIdentities List<Property Map>
    A connector_identity block is exported. The exported attributes are defined below.

    KubernetesClusterAciConnectorLinuxConnectorIdentity, KubernetesClusterAciConnectorLinuxConnectorIdentityArgs

    ClientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    ObjectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified, a Managed Identity is created automatically. Changing this forces a new resource to be created.
    UserAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    ClientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    ObjectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified, a Managed Identity is created automatically. Changing this forces a new resource to be created.
    UserAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId String
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId String
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified, a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId String

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified, a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    client_id str
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    object_id str
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified, a Managed Identity is created automatically. Changing this forces a new resource to be created.
    user_assigned_identity_id str

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId String
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId String
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified, a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId String

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    KubernetesClusterApiServerAccessProfile, KubernetesClusterApiServerAccessProfileArgs

    AuthorizedIpRanges List<string>
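    Set of authorized IP ranges allowed to access the API server, e.g. ["198.51.100.0/24"]. If no ranges are set on a cluster with a public API server endpoint, access to that endpoint is not restricted by source IP.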
    SubnetId string
    The ID of the Subnet where the API server endpoint is delegated to.
    VnetIntegrationEnabled bool

    Should API Server VNet Integration be enabled? For more details please visit Use API Server VNet Integration.

    Note: This requires that the Preview Feature Microsoft.ContainerService/EnableAPIServerVnetIntegrationPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    AuthorizedIpRanges []string
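    Set of authorized IP ranges allowed to access the API server, e.g. ["198.51.100.0/24"]. If no ranges are set on a cluster with a public API server endpoint, access to that endpoint is not restricted by source IP.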
    SubnetId string
    The ID of the Subnet where the API server endpoint is delegated to.
    VnetIntegrationEnabled bool

    Should API Server VNet Integration be enabled? For more details please visit Use API Server VNet Integration.

    Note: This requires that the Preview Feature Microsoft.ContainerService/EnableAPIServerVnetIntegrationPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    authorizedIpRanges List<String>
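    Set of authorized IP ranges allowed to access the API server, e.g. ["198.51.100.0/24"]. If no ranges are set on a cluster with a public API server endpoint, access to that endpoint is not restricted by source IP.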
    subnetId String
    The ID of the Subnet where the API server endpoint is delegated to.
    vnetIntegrationEnabled Boolean

    Should API Server VNet Integration be enabled? For more details please visit Use API Server VNet Integration.

    Note: This requires that the Preview Feature Microsoft.ContainerService/EnableAPIServerVnetIntegrationPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    authorizedIpRanges string[]
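    Set of authorized IP ranges allowed to access the API server, e.g. ["198.51.100.0/24"]. If no ranges are set on a cluster with a public API server endpoint, access to that endpoint is not restricted by source IP.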
    subnetId string
    The ID of the Subnet where the API server endpoint is delegated to.
    vnetIntegrationEnabled boolean

    Should API Server VNet Integration be enabled? For more details please visit Use API Server VNet Integration.

    Note: This requires that the Preview Feature Microsoft.ContainerService/EnableAPIServerVnetIntegrationPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    authorized_ip_ranges Sequence[str]
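    Set of authorized IP ranges allowed to access the API server, e.g. ["198.51.100.0/24"]. If no ranges are set on a cluster with a public API server endpoint, access to that endpoint is not restricted by source IP.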
    subnet_id str
    The ID of the Subnet where the API server endpoint is delegated to.
    vnet_integration_enabled bool

    Should API Server VNet Integration be enabled? For more details please visit Use API Server VNet Integration.

    Note: This requires that the Preview Feature Microsoft.ContainerService/EnableAPIServerVnetIntegrationPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    authorizedIpRanges List<String>
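    Set of authorized IP ranges allowed to access the API server, e.g. ["198.51.100.0/24"]. If no ranges are set on a cluster with a public API server endpoint, access to that endpoint is not restricted by source IP.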
    subnetId String
    The ID of the Subnet where the API server endpoint is delegated to.
    vnetIntegrationEnabled Boolean

    Should API Server VNet Integration be enabled? For more details please visit Use API Server VNet Integration.

    Note: This requires that the Preview Feature Microsoft.ContainerService/EnableAPIServerVnetIntegrationPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    KubernetesClusterAutoScalerProfile, KubernetesClusterAutoScalerProfileArgs

    BalanceSimilarNodeGroups bool
    Detect similar node groups and balance the number of nodes between them. Defaults to false.
    EmptyBulkDeleteMax string
    Maximum number of empty nodes that can be deleted at the same time. Defaults to 10.
    Expander string
    Expander to use. Possible values are least-waste, priority, most-pods and random. Defaults to random.
    MaxGracefulTerminationSec string
    Maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. Defaults to 600.
    MaxNodeProvisioningTime string
    Maximum time the autoscaler waits for a node to be provisioned. Defaults to 15m.
    MaxUnreadyNodes int
    Maximum Number of allowed unready nodes. Defaults to 3.
    MaxUnreadyPercentage double
    Maximum percentage of unready nodes; the cluster autoscaler stops operating if this percentage is exceeded. Defaults to 45.
    NewPodScaleUpDelay string
    For scenarios like burst/batch scale where you don't want the cluster autoscaler (CA) to act before the Kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. Defaults to 10s.
    ScaleDownDelayAfterAdd string
    How long after the scale up of AKS nodes the scale down evaluation resumes. Defaults to 10m.
    ScaleDownDelayAfterDelete string
    How long after node deletion that scale down evaluation resumes. Defaults to the value used for scan_interval.
    ScaleDownDelayAfterFailure string
    How long after scale down failure that scale down evaluation resumes. Defaults to 3m.
    ScaleDownUnneeded string
    How long a node should be unneeded before it is eligible for scale down. Defaults to 10m.
    ScaleDownUnready string
    How long an unready node should be unneeded before it is eligible for scale down. Defaults to 20m.
    ScaleDownUtilizationThreshold string
    Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. Defaults to 0.5.
    ScanInterval string
    How often the AKS Cluster should be re-evaluated for scale up/down. Defaults to 10s.
    SkipNodesWithLocalStorage bool
    If true cluster autoscaler will never delete nodes with pods with local storage, for example, EmptyDir or HostPath. Defaults to true.
    SkipNodesWithSystemPods bool
    If true cluster autoscaler will never delete nodes with pods from kube-system (except for DaemonSet or mirror pods). Defaults to true.
    BalanceSimilarNodeGroups bool
    Detect similar node groups and balance the number of nodes between them. Defaults to false.
    EmptyBulkDeleteMax string
    Maximum number of empty nodes that can be deleted at the same time. Defaults to 10.
    Expander string
    Expander to use. Possible values are least-waste, priority, most-pods and random. Defaults to random.
    MaxGracefulTerminationSec string
    Maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. Defaults to 600.
    MaxNodeProvisioningTime string
    Maximum time the autoscaler waits for a node to be provisioned. Defaults to 15m.
    MaxUnreadyNodes int
    Maximum Number of allowed unready nodes. Defaults to 3.
    MaxUnreadyPercentage float64
    Maximum percentage of unready nodes; the cluster autoscaler stops operating if this percentage is exceeded. Defaults to 45.
    NewPodScaleUpDelay string
    For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. Defaults to 10s.
    ScaleDownDelayAfterAdd string
    How long after the scale up of AKS nodes the scale down evaluation resumes. Defaults to 10m.
    ScaleDownDelayAfterDelete string
    How long after node deletion that scale down evaluation resumes. Defaults to the value used for scan_interval.
    ScaleDownDelayAfterFailure string
    How long after scale down failure that scale down evaluation resumes. Defaults to 3m.
    ScaleDownUnneeded string
    How long a node should be unneeded before it is eligible for scale down. Defaults to 10m.
    ScaleDownUnready string
    How long an unready node should be unneeded before it is eligible for scale down. Defaults to 20m.
    ScaleDownUtilizationThreshold string
    Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. Defaults to 0.5.
    ScanInterval string
    How often the AKS Cluster should be re-evaluated for scale up/down. Defaults to 10s.
    SkipNodesWithLocalStorage bool
    If true cluster autoscaler will never delete nodes with pods with local storage, for example, EmptyDir or HostPath. Defaults to true.
    SkipNodesWithSystemPods bool
    If true cluster autoscaler will never delete nodes with pods from kube-system (except for DaemonSet or mirror pods). Defaults to true.
    balanceSimilarNodeGroups Boolean
    Detect similar node groups and balance the number of nodes between them. Defaults to false.
    emptyBulkDeleteMax String
    Maximum number of empty nodes that can be deleted at the same time. Defaults to 10.
    expander String
    Expander to use. Possible values are least-waste, priority, most-pods and random. Defaults to random.
    maxGracefulTerminationSec String
    Maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. Defaults to 600.
    maxNodeProvisioningTime String
    Maximum time the autoscaler waits for a node to be provisioned. Defaults to 15m.
    maxUnreadyNodes Integer
    Maximum number of allowed unready nodes. Defaults to 3.
    maxUnreadyPercentage Double
    Maximum percentage of unready nodes; the cluster autoscaler will stop if this percentage is exceeded. Defaults to 45.
    newPodScaleUpDelay String
    For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. Defaults to 10s.
    scaleDownDelayAfterAdd String
    How long after the scale up of AKS nodes the scale down evaluation resumes. Defaults to 10m.
    scaleDownDelayAfterDelete String
    How long after node deletion that scale down evaluation resumes. Defaults to the value used for scan_interval.
    scaleDownDelayAfterFailure String
    How long after scale down failure that scale down evaluation resumes. Defaults to 3m.
    scaleDownUnneeded String
    How long a node should be unneeded before it is eligible for scale down. Defaults to 10m.
    scaleDownUnready String
    How long an unready node should be unneeded before it is eligible for scale down. Defaults to 20m.
    scaleDownUtilizationThreshold String
    Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. Defaults to 0.5.
    scanInterval String
    How often the AKS Cluster should be re-evaluated for scale up/down. Defaults to 10s.
    skipNodesWithLocalStorage Boolean
    If true cluster autoscaler will never delete nodes with pods with local storage, for example, EmptyDir or HostPath. Defaults to true.
    skipNodesWithSystemPods Boolean
    If true cluster autoscaler will never delete nodes with pods from kube-system (except for DaemonSet or mirror pods). Defaults to true.
    balanceSimilarNodeGroups boolean
    Detect similar node groups and balance the number of nodes between them. Defaults to false.
    emptyBulkDeleteMax string
    Maximum number of empty nodes that can be deleted at the same time. Defaults to 10.
    expander string
    Expander to use. Possible values are least-waste, priority, most-pods and random. Defaults to random.
    maxGracefulTerminationSec string
    Maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. Defaults to 600.
    maxNodeProvisioningTime string
    Maximum time the autoscaler waits for a node to be provisioned. Defaults to 15m.
    maxUnreadyNodes number
    Maximum number of allowed unready nodes. Defaults to 3.
    maxUnreadyPercentage number
    Maximum percentage of unready nodes; the cluster autoscaler will stop if this percentage is exceeded. Defaults to 45.
    newPodScaleUpDelay string
    For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. Defaults to 10s.
    scaleDownDelayAfterAdd string
    How long after the scale up of AKS nodes the scale down evaluation resumes. Defaults to 10m.
    scaleDownDelayAfterDelete string
    How long after node deletion that scale down evaluation resumes. Defaults to the value used for scan_interval.
    scaleDownDelayAfterFailure string
    How long after scale down failure that scale down evaluation resumes. Defaults to 3m.
    scaleDownUnneeded string
    How long a node should be unneeded before it is eligible for scale down. Defaults to 10m.
    scaleDownUnready string
    How long an unready node should be unneeded before it is eligible for scale down. Defaults to 20m.
    scaleDownUtilizationThreshold string
    Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. Defaults to 0.5.
    scanInterval string
    How often the AKS Cluster should be re-evaluated for scale up/down. Defaults to 10s.
    skipNodesWithLocalStorage boolean
    If true cluster autoscaler will never delete nodes with pods with local storage, for example, EmptyDir or HostPath. Defaults to true.
    skipNodesWithSystemPods boolean
    If true cluster autoscaler will never delete nodes with pods from kube-system (except for DaemonSet or mirror pods). Defaults to true.
    balance_similar_node_groups bool
    Detect similar node groups and balance the number of nodes between them. Defaults to false.
    empty_bulk_delete_max str
    Maximum number of empty nodes that can be deleted at the same time. Defaults to 10.
    expander str
    Expander to use. Possible values are least-waste, priority, most-pods and random. Defaults to random.
    max_graceful_termination_sec str
    Maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. Defaults to 600.
    max_node_provisioning_time str
    Maximum time the autoscaler waits for a node to be provisioned. Defaults to 15m.
    max_unready_nodes int
    Maximum number of allowed unready nodes. Defaults to 3.
    max_unready_percentage float
    Maximum percentage of unready nodes; the cluster autoscaler will stop if this percentage is exceeded. Defaults to 45.
    new_pod_scale_up_delay str
    For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. Defaults to 10s.
    scale_down_delay_after_add str
    How long after the scale up of AKS nodes the scale down evaluation resumes. Defaults to 10m.
    scale_down_delay_after_delete str
    How long after node deletion that scale down evaluation resumes. Defaults to the value used for scan_interval.
    scale_down_delay_after_failure str
    How long after scale down failure that scale down evaluation resumes. Defaults to 3m.
    scale_down_unneeded str
    How long a node should be unneeded before it is eligible for scale down. Defaults to 10m.
    scale_down_unready str
    How long an unready node should be unneeded before it is eligible for scale down. Defaults to 20m.
    scale_down_utilization_threshold str
    Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. Defaults to 0.5.
    scan_interval str
    How often the AKS Cluster should be re-evaluated for scale up/down. Defaults to 10s.
    skip_nodes_with_local_storage bool
    If true cluster autoscaler will never delete nodes with pods with local storage, for example, EmptyDir or HostPath. Defaults to true.
    skip_nodes_with_system_pods bool
    If true cluster autoscaler will never delete nodes with pods from kube-system (except for DaemonSet or mirror pods). Defaults to true.
    balanceSimilarNodeGroups Boolean
    Detect similar node groups and balance the number of nodes between them. Defaults to false.
    emptyBulkDeleteMax String
    Maximum number of empty nodes that can be deleted at the same time. Defaults to 10.
    expander String
    Expander to use. Possible values are least-waste, priority, most-pods and random. Defaults to random.
    maxGracefulTerminationSec String
    Maximum number of seconds the cluster autoscaler waits for pod termination when trying to scale down a node. Defaults to 600.
    maxNodeProvisioningTime String
    Maximum time the autoscaler waits for a node to be provisioned. Defaults to 15m.
    maxUnreadyNodes Number
    Maximum number of allowed unready nodes. Defaults to 3.
    maxUnreadyPercentage Number
    Maximum percentage of unready nodes; the cluster autoscaler will stop if this percentage is exceeded. Defaults to 45.
    newPodScaleUpDelay String
    For scenarios like burst/batch scale where you don't want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they're a certain age. Defaults to 10s.
    scaleDownDelayAfterAdd String
    How long after the scale up of AKS nodes the scale down evaluation resumes. Defaults to 10m.
    scaleDownDelayAfterDelete String
    How long after node deletion that scale down evaluation resumes. Defaults to the value used for scan_interval.
    scaleDownDelayAfterFailure String
    How long after scale down failure that scale down evaluation resumes. Defaults to 3m.
    scaleDownUnneeded String
    How long a node should be unneeded before it is eligible for scale down. Defaults to 10m.
    scaleDownUnready String
    How long an unready node should be unneeded before it is eligible for scale down. Defaults to 20m.
    scaleDownUtilizationThreshold String
    Node utilization level, defined as sum of requested resources divided by capacity, below which a node can be considered for scale down. Defaults to 0.5.
    scanInterval String
    How often the AKS Cluster should be re-evaluated for scale up/down. Defaults to 10s.
    skipNodesWithLocalStorage Boolean
    If true cluster autoscaler will never delete nodes with pods with local storage, for example, EmptyDir or HostPath. Defaults to true.
    skipNodesWithSystemPods Boolean
    If true cluster autoscaler will never delete nodes with pods from kube-system (except for DaemonSet or mirror pods). Defaults to true.

    KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl, KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs

    AdminGroupObjectIds List<string>
    A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster.
    AzureRbacEnabled bool
    Is Role Based Access Control based on Azure AD enabled?
    ClientAppId string
    The Client ID of an Azure Active Directory Application.
    Managed bool
    Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration.
    ServerAppId string
    The Server ID of an Azure Active Directory Application.
    ServerAppSecret string
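    The Server Secret of an Azure Active Directory Application. This value is a credential: supply it from secret configuration rather than hard-coding it in program source.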
    TenantId string
    The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.
    AdminGroupObjectIds []string
    A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster.
    AzureRbacEnabled bool
    Is Role Based Access Control based on Azure AD enabled?
    ClientAppId string
    The Client ID of an Azure Active Directory Application.
    Managed bool
    Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration.
    ServerAppId string
    The Server ID of an Azure Active Directory Application.
    ServerAppSecret string
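    The Server Secret of an Azure Active Directory Application. This value is a credential: supply it from secret configuration rather than hard-coding it in program source.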
    TenantId string
    The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.
    adminGroupObjectIds List<String>
    A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster.
    azureRbacEnabled Boolean
    Is Role Based Access Control based on Azure AD enabled?
    clientAppId String
    The Client ID of an Azure Active Directory Application.
    managed Boolean
    Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration.
    serverAppId String
    The Server ID of an Azure Active Directory Application.
    serverAppSecret String
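    The Server Secret of an Azure Active Directory Application. This value is a credential: supply it from secret configuration rather than hard-coding it in program source.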
    tenantId String
    The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.
    adminGroupObjectIds string[]
    A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster.
    azureRbacEnabled boolean
    Is Role Based Access Control based on Azure AD enabled?
    clientAppId string
    The Client ID of an Azure Active Directory Application.
    managed boolean
    Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration.
    serverAppId string
    The Server ID of an Azure Active Directory Application.
    serverAppSecret string
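    The Server Secret of an Azure Active Directory Application. This value is a credential: supply it from secret configuration rather than hard-coding it in program source.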
    tenantId string
    The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.
    admin_group_object_ids Sequence[str]
    A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster.
    azure_rbac_enabled bool
    Is Role Based Access Control based on Azure AD enabled?
    client_app_id str
    The Client ID of an Azure Active Directory Application.
    managed bool
    Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration.
    server_app_id str
    The Server ID of an Azure Active Directory Application.
    server_app_secret str
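    The Server Secret of an Azure Active Directory Application. This value is a credential: supply it from secret configuration rather than hard-coding it in program source.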
    tenant_id str
    The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.
    adminGroupObjectIds List<String>
    A list of Object IDs of Azure Active Directory Groups which should have Admin Role on the Cluster.
    azureRbacEnabled Boolean
    Is Role Based Access Control based on Azure AD enabled?
    clientAppId String
    The Client ID of an Azure Active Directory Application.
    managed Boolean
    Is the Azure Active Directory integration Managed, meaning that Azure will create/manage the Service Principal used for integration.
    serverAppId String
    The Server ID of an Azure Active Directory Application.
    serverAppSecret String
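    The Server Secret of an Azure Active Directory Application. This value is a credential: supply it from secret configuration rather than hard-coding it in program source.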
    tenantId String
    The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.

    KubernetesClusterConfidentialComputing, KubernetesClusterConfidentialComputingArgs

    SgxQuoteHelperEnabled bool
    Should the SGX quote helper be enabled?
    SgxQuoteHelperEnabled bool
    Should the SGX quote helper be enabled?
    sgxQuoteHelperEnabled Boolean
    Should the SGX quote helper be enabled?
    sgxQuoteHelperEnabled boolean
    Should the SGX quote helper be enabled?
    sgx_quote_helper_enabled bool
    Should the SGX quote helper be enabled?
    sgxQuoteHelperEnabled Boolean
    Should the SGX quote helper be enabled?

    KubernetesClusterDefaultNodePool, KubernetesClusterDefaultNodePoolArgs

    Name string
    The name which should be used for the default Kubernetes Node Pool.
    VmSize string
    The size of the Virtual Machine, such as Standard_DS2_v2. temporary_name_for_rotation must be specified when attempting a resize.
    CapacityReservationGroupId string
    Specifies the ID of the Capacity Reservation Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.
    CustomCaTrustEnabled bool

    Specifies whether to trust a Custom CA.

    Note: This requires that the Preview Feature Microsoft.ContainerService/CustomCATrustPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    EnableAutoScaling bool

    Should the Kubernetes Auto Scaler be enabled for this Node Pool?

    Note: This requires that the type is set to VirtualMachineScaleSets.

    Note: If you're using AutoScaling, you may wish to use ignoreChanges functionality to ignore changes to the node_count field.

    EnableHostEncryption bool

    Should the nodes in the Default Node Pool have host encryption enabled? temporary_name_for_rotation must be specified when changing this property.

    Note: This requires that the Feature Microsoft.ContainerService/EnableEncryptionAtHost is enabled and the Resource Provider is registered.

    EnableNodePublicIp bool
    Should nodes in this Node Pool have a Public IP Address? temporary_name_for_rotation must be specified when changing this property.
    FipsEnabled bool
    Should the nodes in this Node Pool have Federal Information Processing Standard enabled? temporary_name_for_rotation must be specified when changing this block. Changing this forces a new resource to be created.
    GpuInstance string
    Specifies the GPU MIG instance profile for supported GPU VM SKU. The allowed values are MIG1g, MIG2g, MIG3g, MIG4g and MIG7g. Changing this forces a new resource to be created.
    HostGroupId string
    Specifies the ID of the Host Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.
    KubeletConfig KubernetesClusterDefaultNodePoolKubeletConfig
    A kubelet_config block as defined below. temporary_name_for_rotation must be specified when changing this block.
    KubeletDiskType string
    The type of disk used by kubelet. Possible values are OS and Temporary.
    LinuxOsConfig KubernetesClusterDefaultNodePoolLinuxOsConfig
    A linux_os_config block as defined below. temporary_name_for_rotation must be specified when changing this block.
    MaxCount int
    The maximum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.
    MaxPods int
    The maximum number of pods that can run on each agent. temporary_name_for_rotation must be specified when changing this property.
    MessageOfTheDay string
    A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It cannot be specified for Windows nodes and must be a static string (i.e. will be printed raw and not executed as a script). Changing this forces a new resource to be created.
    MinCount int
    The minimum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.
    NodeCount int

    The initial number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000 and between min_count and max_count.

    Note: If specified you may wish to use ignoreChanges functionality to ignore changes to this field.

    Note: If enable_auto_scaling is set to false both min_count and max_count fields need to be set to null or omitted from the configuration.

    NodeLabels Dictionary<string, string>
    A map of Kubernetes labels which should be applied to nodes in the Default Node Pool.
    NodeNetworkProfile KubernetesClusterDefaultNodePoolNodeNetworkProfile
    A node_network_profile block as documented below.
    NodePublicIpPrefixId string
    Resource ID for the Public IP Addresses Prefix for the nodes in this Node Pool. enable_node_public_ip should be true. Changing this forces a new resource to be created.
    NodeTaints List<string>

    Deprecated: This field will be removed in v4.0 of the Azure Provider since the AKS API doesn't allow arbitrary node taints on the default node pool.

    OnlyCriticalAddonsEnabled bool
    Enabling this option will taint default node pool with CriticalAddonsOnly=true:NoSchedule taint. temporary_name_for_rotation must be specified when changing this property.
    OrchestratorVersion string

    Version of Kubernetes used for the Agents. If not specified, the default node pool will be created with the version specified by kubernetes_version. If both are unspecified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, and the minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.

    Note: This version must be supported by the Kubernetes Cluster - as such the version of Kubernetes used on the Cluster/Control Plane may need to be upgraded first.

    OsDiskSizeGb int
    The size of the OS Disk which should be used for each agent in the Node Pool. temporary_name_for_rotation must be specified when attempting a change.
    OsDiskType string
    The type of disk which should be used for the Operating System. Possible values are Ephemeral and Managed. Defaults to Managed. temporary_name_for_rotation must be specified when attempting a change.
    OsSku string
    Specifies the OS SKU used by the agent pool. Possible values are AzureLinux, Ubuntu, Windows2019 and Windows2022. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated. temporary_name_for_rotation must be specified when attempting a change.
    PodSubnetId string
    The ID of the Subnet where the pods in the default Node Pool should exist.
    ProximityPlacementGroupId string
    The ID of the Proximity Placement Group. Changing this forces a new resource to be created.
    ScaleDownMode string
    Specifies the autoscaling behaviour of the Kubernetes Cluster. Allowed values are Delete and Deallocate. Defaults to Delete.
    SnapshotId string
    The ID of the Snapshot which should be used to create this default Node Pool. temporary_name_for_rotation must be specified when changing this property.
    Tags Dictionary<string, string>

    A mapping of tags to assign to the Node Pool.

    At this time there's a bug in the AKS API where Tags for a Node Pool are not stored in the correct case - you may wish to use ignore_changes functionality to ignore changes to the casing until this is fixed in the AKS API.

    TemporaryNameForRotation string
    Specifies the name of the temporary node pool used to cycle the default node pool for VM resizing.
    Type string

    The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. Changing this forces a new resource to be created.

    Note: When creating a cluster that supports multiple node pools, the cluster must use VirtualMachineScaleSets. For more information on the limitations of clusters using multiple node pools see the documentation.

    UltraSsdEnabled bool
    Used to specify whether the UltraSSD is enabled in the Default Node Pool. Defaults to false. See the documentation for more information. temporary_name_for_rotation must be specified when attempting a change.
    UpgradeSettings KubernetesClusterDefaultNodePoolUpgradeSettings
    An upgrade_settings block as documented below.
    VnetSubnetId string

    The ID of a Subnet where the Kubernetes Node Pool should exist.

    Note: A Route Table must be configured on this Subnet.

    WorkloadRuntime string

    Specifies the workload runtime used by the node pool. Possible values are OCIContainer and KataMshvVmIsolation.

    Note: Pod Sandboxing / KataVM Isolation node pools are in Public Preview - more information and details on how to opt into the preview can be found in this article

    Zones List<string>

    Specifies a list of Availability Zones in which this Kubernetes Cluster should be located. temporary_name_for_rotation must be specified when changing this property.

    Note: This requires that the type is set to VirtualMachineScaleSets and that load_balancer_sku is set to standard.

    Name string
    The name which should be used for the default Kubernetes Node Pool.
    VmSize string
    The size of the Virtual Machine, such as Standard_DS2_v2. temporary_name_for_rotation must be specified when attempting a resize.
    CapacityReservationGroupId string
    Specifies the ID of the Capacity Reservation Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.
    CustomCaTrustEnabled bool

    Specifies whether to trust a Custom CA.

    Note: This requires that the Preview Feature Microsoft.ContainerService/CustomCATrustPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    EnableAutoScaling bool

    Should the Kubernetes Auto Scaler be enabled for this Node Pool?

    Note: This requires that the type is set to VirtualMachineScaleSets.

    Note: If you're using AutoScaling, you may wish to use ignoreChanges functionality to ignore changes to the node_count field.

    EnableHostEncryption bool

    Should the nodes in the Default Node Pool have host encryption enabled? temporary_name_for_rotation must be specified when changing this property.

    Note: This requires that the Feature Microsoft.ContainerService/EnableEncryptionAtHost is enabled and the Resource Provider is registered.

    EnableNodePublicIp bool
    Should nodes in this Node Pool have a Public IP Address? temporary_name_for_rotation must be specified when changing this property.
    FipsEnabled bool
    Should the nodes in this Node Pool have Federal Information Processing Standard enabled? temporary_name_for_rotation must be specified when changing this block. Changing this forces a new resource to be created.
    GpuInstance string
    Specifies the GPU MIG instance profile for supported GPU VM SKU. The allowed values are MIG1g, MIG2g, MIG3g, MIG4g and MIG7g. Changing this forces a new resource to be created.
    HostGroupId string
    Specifies the ID of the Host Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.
    KubeletConfig KubernetesClusterDefaultNodePoolKubeletConfig
    A kubelet_config block as defined below. temporary_name_for_rotation must be specified when changing this block.
    KubeletDiskType string
    The type of disk used by kubelet. Possible values are OS and Temporary.
    LinuxOsConfig KubernetesClusterDefaultNodePoolLinuxOsConfig
    A linux_os_config block as defined below. temporary_name_for_rotation must be specified when changing this block.
    MaxCount int
    The maximum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.
    MaxPods int
    The maximum number of pods that can run on each agent. temporary_name_for_rotation must be specified when changing this property.
    MessageOfTheDay string
    A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It cannot be specified for Windows nodes and must be a static string (i.e. will be printed raw and not executed as a script). Changing this forces a new resource to be created.
    MinCount int
    The minimum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.
    NodeCount int

    The initial number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000 and between min_count and max_count.

    Note: If specified you may wish to use ignoreChanges functionality to ignore changes to this field.

    Note: If enable_auto_scaling is set to false both min_count and max_count fields need to be set to null or omitted from the configuration.

    NodeLabels map[string]string
    A map of Kubernetes labels which should be applied to nodes in the Default Node Pool.
    NodeNetworkProfile KubernetesClusterDefaultNodePoolNodeNetworkProfile
    A node_network_profile block as documented below.
    NodePublicIpPrefixId string
    Resource ID for the Public IP Addresses Prefix for the nodes in this Node Pool. enable_node_public_ip should be true. Changing this forces a new resource to be created.
    NodeTaints []string

    Deprecated: This field will be removed in v4.0 of the Azure Provider since the AKS API doesn't allow arbitrary node taints on the default node pool.

    OnlyCriticalAddonsEnabled bool
    Enabling this option will taint default node pool with CriticalAddonsOnly=true:NoSchedule taint. temporary_name_for_rotation must be specified when changing this property.
    OrchestratorVersion string

    Version of Kubernetes used for the Agents. If not specified, the default node pool will be created with the version specified by kubernetes_version. If both are unspecified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, and the minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.

    Note: This version must be supported by the Kubernetes Cluster - as such the version of Kubernetes used on the Cluster/Control Plane may need to be upgraded first.

    OsDiskSizeGb int
    The size of the OS Disk which should be used for each agent in the Node Pool. temporary_name_for_rotation must be specified when attempting a change.
    OsDiskType string
    The type of disk which should be used for the Operating System. Possible values are Ephemeral and Managed. Defaults to Managed. temporary_name_for_rotation must be specified when attempting a change.
    OsSku string
    Specifies the OS SKU used by the agent pool. Possible values are AzureLinux, Ubuntu, Windows2019 and Windows2022. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated. temporary_name_for_rotation must be specified when attempting a change.
    PodSubnetId string
    The ID of the Subnet where the pods in the default Node Pool should exist.
    ProximityPlacementGroupId string
    The ID of the Proximity Placement Group. Changing this forces a new resource to be created.
    ScaleDownMode string
    Specifies the autoscaling behaviour of the Kubernetes Cluster. Allowed values are Delete and Deallocate. Defaults to Delete.
    SnapshotId string
    The ID of the Snapshot which should be used to create this default Node Pool. temporary_name_for_rotation must be specified when changing this property.
    Tags map[string]string

    A mapping of tags to assign to the Node Pool.

    At this time there's a bug in the AKS API where Tags for a Node Pool are not stored in the correct case - you may wish to use ignore_changes functionality to ignore changes to the casing until this is fixed in the AKS API.

    TemporaryNameForRotation string
    Specifies the name of the temporary node pool used to cycle the default node pool for VM resizing.
    Type string

    The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. Changing this forces a new resource to be created.

    Note: When creating a cluster that supports multiple node pools, the cluster must use VirtualMachineScaleSets. For more information on the limitations of clusters using multiple node pools see the documentation.

    UltraSsdEnabled bool
    Used to specify whether the UltraSSD is enabled in the Default Node Pool. Defaults to false. See the documentation for more information. temporary_name_for_rotation must be specified when attempting a change.
    UpgradeSettings KubernetesClusterDefaultNodePoolUpgradeSettings
    An upgrade_settings block as documented below.
    VnetSubnetId string

    The ID of a Subnet where the Kubernetes Node Pool should exist.

    Note: A Route Table must be configured on this Subnet.

    WorkloadRuntime string

    Specifies the workload runtime used by the node pool. Possible values are OCIContainer and KataMshvVmIsolation.

    Note: Pod Sandboxing / KataVM Isolation node pools are in Public Preview - more information and details on how to opt into the preview can be found in this article

    Zones []string

    Specifies a list of Availability Zones in which this Kubernetes Cluster should be located. temporary_name_for_rotation must be specified when changing this property.

    Note: This requires that the type is set to VirtualMachineScaleSets and that load_balancer_sku is set to standard.

    name String
    The name which should be used for the default Kubernetes Node Pool.
    vmSize String
    The size of the Virtual Machine, such as Standard_DS2_v2. temporary_name_for_rotation must be specified when attempting a resize.
    capacityReservationGroupId String
    Specifies the ID of the Capacity Reservation Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.
    customCaTrustEnabled Boolean

    Specifies whether to trust a Custom CA.

    Note: This requires that the Preview Feature Microsoft.ContainerService/CustomCATrustPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    enableAutoScaling Boolean

    Should the Kubernetes Auto Scaler be enabled for this Node Pool?

    Note: This requires that the type is set to VirtualMachineScaleSets.

    Note: If you're using AutoScaling, you may wish to use ignoreChanges functionality to ignore changes to the node_count field.

    enableHostEncryption Boolean

    Should the nodes in the Default Node Pool have host encryption enabled? temporary_name_for_rotation must be specified when changing this property.

    Note: This requires that the Feature Microsoft.ContainerService/EnableEncryptionAtHost is enabled and the Resource Provider is registered.

    enableNodePublicIp Boolean
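    Should nodes in this Node Pool have a Public IP Address? Enabling this gives every node an internet-routable address, so restrict inbound traffic to the nodes (for example with network security group rules) if it is turned on. temporary_name_for_rotation must be specified when changing this property.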
    fipsEnabled Boolean
    Should the nodes in this Node Pool have Federal Information Processing Standard enabled? temporary_name_for_rotation must be specified when changing this block. Changing this forces a new resource to be created.
    gpuInstance String
    Specifies the GPU MIG instance profile for supported GPU VM SKU. The allowed values are MIG1g, MIG2g, MIG3g, MIG4g and MIG7g. Changing this forces a new resource to be created.
    hostGroupId String
    Specifies the ID of the Host Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.
    kubeletConfig KubernetesClusterDefaultNodePoolKubeletConfig
    A kubelet_config block as defined below. temporary_name_for_rotation must be specified when changing this block.
    kubeletDiskType String
    The type of disk used by kubelet. Possible values are OS and Temporary.
    linuxOsConfig KubernetesClusterDefaultNodePoolLinuxOsConfig
    A linux_os_config block as defined below. temporary_name_for_rotation must be specified when changing this block.
    maxCount Integer
    The maximum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.
    maxPods Integer
    The maximum number of pods that can run on each agent. temporary_name_for_rotation must be specified when changing this property.
    messageOfTheDay String
    A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It cannot be specified for Windows nodes and must be a static string (i.e. will be printed raw and not executed as a script). Base64 is an encoding, not encryption, and the decoded text is readable on the node, so it should not contain secrets. Changing this forces a new resource to be created.
    minCount Integer
    The minimum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.
    nodeCount Integer

    The initial number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000 and between min_count and max_count.

    Note: If specified you may wish to use ignoreChanges functionality to ignore changes to this field.

    Note: If enable_auto_scaling is set to false both min_count and max_count fields need to be set to null or omitted from the configuration.

    nodeLabels Map<String,String>
    A map of Kubernetes labels which should be applied to nodes in the Default Node Pool.
    nodeNetworkProfile KubernetesClusterDefaultNodePoolNodeNetworkProfile
    A node_network_profile block as documented below.
    nodePublicIpPrefixId String
    Resource ID for the Public IP Addresses Prefix for the nodes in this Node Pool. enable_node_public_ip should be true. Changing this forces a new resource to be created.
    nodeTaints List<String>

    Deprecated: This field will be removed in v4.0 of the Azure Provider, since the AKS API doesn't allow arbitrary node taints on the default node pool.

    onlyCriticalAddonsEnabled Boolean
    Enabling this option will taint the default node pool with the CriticalAddonsOnly=true:NoSchedule taint. temporary_name_for_rotation must be specified when changing this property.
    orchestratorVersion String

    Version of Kubernetes used for the Agents. If not specified, the default node pool will be created with the version specified by kubernetes_version. If both are unspecified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

    Note: This version must be supported by the Kubernetes Cluster - as such the version of Kubernetes used on the Cluster/Control Plane may need to be upgraded first.

    osDiskSizeGb Integer
    The size of the OS Disk which should be used for each agent in the Node Pool. temporary_name_for_rotation must be specified when attempting a change.
    osDiskType String
    The type of disk which should be used for the Operating System. Possible values are Ephemeral and Managed. Defaults to Managed. temporary_name_for_rotation must be specified when attempting a change.
    osSku String
    Specifies the OS SKU used by the agent pool. Possible values are AzureLinux, Ubuntu, Windows2019 and Windows2022. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated. temporary_name_for_rotation must be specified when attempting a change.
    podSubnetId String
    The ID of the Subnet where the pods in the default Node Pool should exist.
    proximityPlacementGroupId String
    The ID of the Proximity Placement Group. Changing this forces a new resource to be created.
    scaleDownMode String
    Specifies the autoscaling behaviour of the Kubernetes Cluster. Allowed values are Delete and Deallocate. Defaults to Delete.
    snapshotId String
    The ID of the Snapshot which should be used to create this default Node Pool. temporary_name_for_rotation must be specified when changing this property.
    tags Map<String,String>

    A mapping of tags to assign to the Node Pool.

    At this time there's a bug in the AKS API where Tags for a Node Pool are not stored in the correct case - you may wish to use ignore_changes functionality to ignore changes to the casing until this is fixed in the AKS API.

    temporaryNameForRotation String
    Specifies the name of the temporary node pool used to cycle the default node pool for VM resizing.
    type String

    The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. Changing this forces a new resource to be created.

    Note: When creating a cluster that supports multiple node pools, the cluster must use VirtualMachineScaleSets. For more information on the limitations of clusters using multiple node pools see the documentation.

    ultraSsdEnabled Boolean
    Used to specify whether the UltraSSD is enabled in the Default Node Pool. Defaults to false. See the documentation for more information. temporary_name_for_rotation must be specified when attempting a change.
    upgradeSettings KubernetesClusterDefaultNodePoolUpgradeSettings
    An upgrade_settings block as documented below.
    vnetSubnetId String

    The ID of a Subnet where the Kubernetes Node Pool should exist.

    Note: A Route Table must be configured on this Subnet.

    workloadRuntime String

    Specifies the workload runtime used by the node pool. Possible values are OCIContainer and KataMshvVmIsolation.

    Note: Pod Sandboxing / KataVM Isolation node pools are in Public Preview - more information and details on how to opt into the preview can be found in this article

    zones List<String>

    Specifies a list of Availability Zones in which this Kubernetes Cluster should be located. temporary_name_for_rotation must be specified when changing this property.

    Note: This requires that the type is set to VirtualMachineScaleSets and that load_balancer_sku is set to standard.

    name string
    The name which should be used for the default Kubernetes Node Pool.
    vmSize string
    The size of the Virtual Machine, such as Standard_DS2_v2. temporary_name_for_rotation must be specified when attempting a resize.
    capacityReservationGroupId string
    Specifies the ID of the Capacity Reservation Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.
    customCaTrustEnabled boolean

    Specifies whether to trust a Custom CA.

    Note: This requires that the Preview Feature Microsoft.ContainerService/CustomCATrustPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    enableAutoScaling boolean

    Should the Kubernetes Auto Scaler be enabled for this Node Pool?

    Note: This requires that the type is set to VirtualMachineScaleSets.

    Note: If you're using AutoScaling, you may wish to use ignoreChanges functionality to ignore changes to the node_count field.

    enableHostEncryption boolean

    Should the nodes in the Default Node Pool have host encryption enabled? temporary_name_for_rotation must be specified when changing this property.

    Note: This requires that the Feature Microsoft.ContainerService/EnableEncryptionAtHost is enabled and the Resource Provider is registered.

    enableNodePublicIp boolean
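    Should nodes in this Node Pool have a Public IP Address? Enabling this gives every node an internet-routable address, so restrict inbound traffic to the nodes (for example with network security group rules) if it is turned on. temporary_name_for_rotation must be specified when changing this property.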
    fipsEnabled boolean
    Should the nodes in this Node Pool have Federal Information Processing Standard enabled? temporary_name_for_rotation must be specified when changing this block. Changing this forces a new resource to be created.
    gpuInstance string
    Specifies the GPU MIG instance profile for supported GPU VM SKU. The allowed values are MIG1g, MIG2g, MIG3g, MIG4g and MIG7g. Changing this forces a new resource to be created.
    hostGroupId string
    Specifies the ID of the Host Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.
    kubeletConfig KubernetesClusterDefaultNodePoolKubeletConfig
    A kubelet_config block as defined below. temporary_name_for_rotation must be specified when changing this block.
    kubeletDiskType string
    The type of disk used by kubelet. Possible values are OS and Temporary.
    linuxOsConfig KubernetesClusterDefaultNodePoolLinuxOsConfig
    A linux_os_config block as defined below. temporary_name_for_rotation must be specified when changing this block.
    maxCount number
    The maximum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.
    maxPods number
    The maximum number of pods that can run on each agent. temporary_name_for_rotation must be specified when changing this property.
    messageOfTheDay string
    A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It cannot be specified for Windows nodes and must be a static string (i.e. will be printed raw and not executed as a script). Base64 is an encoding, not encryption, and the decoded text is readable on the node, so it should not contain secrets. Changing this forces a new resource to be created.
    minCount number
    The minimum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.
    nodeCount number

    The initial number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000 and between min_count and max_count.

    Note: If specified you may wish to use ignoreChanges functionality to ignore changes to this field.

    Note: If enable_auto_scaling is set to false both min_count and max_count fields need to be set to null or omitted from the configuration.

    nodeLabels {[key: string]: string}
    A map of Kubernetes labels which should be applied to nodes in the Default Node Pool.
    nodeNetworkProfile KubernetesClusterDefaultNodePoolNodeNetworkProfile
    A node_network_profile block as documented below.
    nodePublicIpPrefixId string
    Resource ID for the Public IP Addresses Prefix for the nodes in this Node Pool. enable_node_public_ip should be true. Changing this forces a new resource to be created.
    nodeTaints string[]

    Deprecated: This field will be removed in v4.0 of the Azure Provider, since the AKS API doesn't allow arbitrary node taints on the default node pool.

    onlyCriticalAddonsEnabled boolean
    Enabling this option will taint the default node pool with the CriticalAddonsOnly=true:NoSchedule taint. temporary_name_for_rotation must be specified when changing this property.
    orchestratorVersion string

    Version of Kubernetes used for the Agents. If not specified, the default node pool will be created with the version specified by kubernetes_version. If both are unspecified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

    Note: This version must be supported by the Kubernetes Cluster - as such the version of Kubernetes used on the Cluster/Control Plane may need to be upgraded first.

    osDiskSizeGb number
    The size of the OS Disk which should be used for each agent in the Node Pool. temporary_name_for_rotation must be specified when attempting a change.
    osDiskType string
    The type of disk which should be used for the Operating System. Possible values are Ephemeral and Managed. Defaults to Managed. temporary_name_for_rotation must be specified when attempting a change.
    osSku string
    Specifies the OS SKU used by the agent pool. Possible values are AzureLinux, Ubuntu, Windows2019 and Windows2022. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated. temporary_name_for_rotation must be specified when attempting a change.
    podSubnetId string
    The ID of the Subnet where the pods in the default Node Pool should exist.
    proximityPlacementGroupId string
    The ID of the Proximity Placement Group. Changing this forces a new resource to be created.
    scaleDownMode string
    Specifies the autoscaling behaviour of the Kubernetes Cluster. Allowed values are Delete and Deallocate. Defaults to Delete.
    snapshotId string
    The ID of the Snapshot which should be used to create this default Node Pool. temporary_name_for_rotation must be specified when changing this property.
    tags {[key: string]: string}

    A mapping of tags to assign to the Node Pool.

    At this time there's a bug in the AKS API where Tags for a Node Pool are not stored in the correct case - you may wish to use ignore_changes functionality to ignore changes to the casing until this is fixed in the AKS API.

    temporaryNameForRotation string
    Specifies the name of the temporary node pool used to cycle the default node pool for VM resizing.
    type string

    The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. Changing this forces a new resource to be created.

    Note: When creating a cluster that supports multiple node pools, the cluster must use VirtualMachineScaleSets. For more information on the limitations of clusters using multiple node pools see the documentation.

    ultraSsdEnabled boolean
    Used to specify whether the UltraSSD is enabled in the Default Node Pool. Defaults to false. See the documentation for more information. temporary_name_for_rotation must be specified when attempting a change.
    upgradeSettings KubernetesClusterDefaultNodePoolUpgradeSettings
    An upgrade_settings block as documented below.
    vnetSubnetId string

    The ID of a Subnet where the Kubernetes Node Pool should exist.

    Note: A Route Table must be configured on this Subnet.

    workloadRuntime string

    Specifies the workload runtime used by the node pool. Possible values are OCIContainer and KataMshvVmIsolation.

    Note: Pod Sandboxing / KataVM Isolation node pools are in Public Preview - more information and details on how to opt into the preview can be found in this article

    zones string[]

    Specifies a list of Availability Zones in which this Kubernetes Cluster should be located. temporary_name_for_rotation must be specified when changing this property.

    Note: This requires that the type is set to VirtualMachineScaleSets and that load_balancer_sku is set to standard.

    name str
    The name which should be used for the default Kubernetes Node Pool.
    vm_size str
    The size of the Virtual Machine, such as Standard_DS2_v2. temporary_name_for_rotation must be specified when attempting a resize.
    capacity_reservation_group_id str
    Specifies the ID of the Capacity Reservation Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.
    custom_ca_trust_enabled bool

    Specifies whether to trust a Custom CA.

    Note: This requires that the Preview Feature Microsoft.ContainerService/CustomCATrustPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    enable_auto_scaling bool

    Should the Kubernetes Auto Scaler be enabled for this Node Pool?

    Note: This requires that the type is set to VirtualMachineScaleSets.

    Note: If you're using AutoScaling, you may wish to use ignoreChanges functionality to ignore changes to the node_count field.

    enable_host_encryption bool

    Should the nodes in the Default Node Pool have host encryption enabled? temporary_name_for_rotation must be specified when changing this property.

    Note: This requires that the Feature Microsoft.ContainerService/EnableEncryptionAtHost is enabled and the Resource Provider is registered.

    enable_node_public_ip bool
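    Should nodes in this Node Pool have a Public IP Address? Enabling this gives every node an internet-routable address, so restrict inbound traffic to the nodes (for example with network security group rules) if it is turned on. temporary_name_for_rotation must be specified when changing this property.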
    fips_enabled bool
    Should the nodes in this Node Pool have Federal Information Processing Standard enabled? temporary_name_for_rotation must be specified when changing this block. Changing this forces a new resource to be created.
    gpu_instance str
    Specifies the GPU MIG instance profile for supported GPU VM SKU. The allowed values are MIG1g, MIG2g, MIG3g, MIG4g and MIG7g. Changing this forces a new resource to be created.
    host_group_id str
    Specifies the ID of the Host Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.
    kubelet_config KubernetesClusterDefaultNodePoolKubeletConfig
    A kubelet_config block as defined below. temporary_name_for_rotation must be specified when changing this block.
    kubelet_disk_type str
    The type of disk used by kubelet. Possible values are OS and Temporary.
    linux_os_config KubernetesClusterDefaultNodePoolLinuxOsConfig
    A linux_os_config block as defined below. temporary_name_for_rotation must be specified when changing this block.
    max_count int
    The maximum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.
    max_pods int
    The maximum number of pods that can run on each agent. temporary_name_for_rotation must be specified when changing this property.
    message_of_the_day str
    A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It cannot be specified for Windows nodes and must be a static string (i.e. will be printed raw and not executed as a script). Base64 is an encoding, not encryption, and the decoded text is readable on the node, so it should not contain secrets. Changing this forces a new resource to be created.
    min_count int
    The minimum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.
    node_count int

    The initial number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000 and between min_count and max_count.

    Note: If specified you may wish to use ignoreChanges functionality to ignore changes to this field.

    Note: If enable_auto_scaling is set to false both min_count and max_count fields need to be set to null or omitted from the configuration.

    node_labels Mapping[str, str]
    A map of Kubernetes labels which should be applied to nodes in the Default Node Pool.
    node_network_profile KubernetesClusterDefaultNodePoolNodeNetworkProfile
    A node_network_profile block as documented below.
    node_public_ip_prefix_id str
    Resource ID for the Public IP Addresses Prefix for the nodes in this Node Pool. enable_node_public_ip should be true. Changing this forces a new resource to be created.
    node_taints Sequence[str]

    Deprecated: This field will be removed in v4.0 of the Azure Provider, since the AKS API doesn't allow arbitrary node taints on the default node pool.

    only_critical_addons_enabled bool
    Enabling this option will taint the default node pool with the CriticalAddonsOnly=true:NoSchedule taint. temporary_name_for_rotation must be specified when changing this property.
    orchestrator_version str

    Version of Kubernetes used for the Agents. If not specified, the default node pool will be created with the version specified by kubernetes_version. If both are unspecified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

    Note: This version must be supported by the Kubernetes Cluster - as such the version of Kubernetes used on the Cluster/Control Plane may need to be upgraded first.

    os_disk_size_gb int
    The size of the OS Disk which should be used for each agent in the Node Pool. temporary_name_for_rotation must be specified when attempting a change.
    os_disk_type str
    The type of disk which should be used for the Operating System. Possible values are Ephemeral and Managed. Defaults to Managed. temporary_name_for_rotation must be specified when attempting a change.
    os_sku str
    Specifies the OS SKU used by the agent pool. Possible values are AzureLinux, Ubuntu, Windows2019 and Windows2022. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated. temporary_name_for_rotation must be specified when attempting a change.
    pod_subnet_id str
    The ID of the Subnet where the pods in the default Node Pool should exist.
    proximity_placement_group_id str
    The ID of the Proximity Placement Group. Changing this forces a new resource to be created.
    scale_down_mode str
    Specifies the autoscaling behaviour of the Kubernetes Cluster. Allowed values are Delete and Deallocate. Defaults to Delete.
    snapshot_id str
    The ID of the Snapshot which should be used to create this default Node Pool. temporary_name_for_rotation must be specified when changing this property.
    tags Mapping[str, str]

    A mapping of tags to assign to the Node Pool.

    At this time there's a bug in the AKS API where Tags for a Node Pool are not stored in the correct case - you may wish to use ignore_changes functionality to ignore changes to the casing until this is fixed in the AKS API.

    temporary_name_for_rotation str
    Specifies the name of the temporary node pool used to cycle the default node pool for VM resizing.
    type str

    The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. Changing this forces a new resource to be created.

    Note: When creating a cluster that supports multiple node pools, the cluster must use VirtualMachineScaleSets. For more information on the limitations of clusters using multiple node pools see the documentation.

    ultra_ssd_enabled bool
    Used to specify whether the UltraSSD is enabled in the Default Node Pool. Defaults to false. See the documentation for more information. temporary_name_for_rotation must be specified when attempting a change.
    upgrade_settings KubernetesClusterDefaultNodePoolUpgradeSettings
    An upgrade_settings block as documented below.
    vnet_subnet_id str

    The ID of a Subnet where the Kubernetes Node Pool should exist.

    Note: A Route Table must be configured on this Subnet.

    workload_runtime str

    Specifies the workload runtime used by the node pool. Possible values are OCIContainer and KataMshvVmIsolation.

    Note: Pod Sandboxing / KataVM Isolation node pools are in Public Preview - more information and details on how to opt into the preview can be found in this article

    zones Sequence[str]

    Specifies a list of Availability Zones in which this Kubernetes Cluster should be located. temporary_name_for_rotation must be specified when changing this property.

    Note: This requires that the type is set to VirtualMachineScaleSets and that load_balancer_sku is set to standard.

    name String
    The name which should be used for the default Kubernetes Node Pool.
    vmSize String
    The size of the Virtual Machine, such as Standard_DS2_v2. temporary_name_for_rotation must be specified when attempting a resize.
    capacityReservationGroupId String
    Specifies the ID of the Capacity Reservation Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.
    customCaTrustEnabled Boolean

    Specifies whether to trust a Custom CA.

    Note: This requires that the Preview Feature Microsoft.ContainerService/CustomCATrustPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    enableAutoScaling Boolean

    Should the Kubernetes Auto Scaler be enabled for this Node Pool?

    Note: This requires that the type is set to VirtualMachineScaleSets.

    Note: If you're using AutoScaling, you may wish to use ignoreChanges functionality to ignore changes to the node_count field.

    enableHostEncryption Boolean

    Should the nodes in the Default Node Pool have host encryption enabled? temporary_name_for_rotation must be specified when changing this property.

    Note: This requires that the Feature Microsoft.ContainerService/EnableEncryptionAtHost is enabled and the Resource Provider is registered.

    enableNodePublicIp Boolean
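    Should nodes in this Node Pool have a Public IP Address? Enabling this gives every node an internet-routable address, so restrict inbound traffic to the nodes (for example with network security group rules) if it is turned on. temporary_name_for_rotation must be specified when changing this property.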
    fipsEnabled Boolean
    Should the nodes in this Node Pool have Federal Information Processing Standard enabled? temporary_name_for_rotation must be specified when changing this block. Changing this forces a new resource to be created.
    gpuInstance String
    Specifies the GPU MIG instance profile for supported GPU VM SKU. The allowed values are MIG1g, MIG2g, MIG3g, MIG4g and MIG7g. Changing this forces a new resource to be created.
    hostGroupId String
    Specifies the ID of the Host Group within which this AKS Cluster should be created. Changing this forces a new resource to be created.
    kubeletConfig Property Map
    A kubelet_config block as defined below. temporary_name_for_rotation must be specified when changing this block.
    kubeletDiskType String
    The type of disk used by kubelet. Possible values are OS and Temporary.
    linuxOsConfig Property Map
    A linux_os_config block as defined below. temporary_name_for_rotation must be specified when changing this block.
    maxCount Number
    The maximum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.
    maxPods Number
    The maximum number of pods that can run on each agent. temporary_name_for_rotation must be specified when changing this property.
    messageOfTheDay String
    A base64-encoded string which will be written to /etc/motd after decoding. This allows customization of the message of the day for Linux nodes. It cannot be specified for Windows nodes and must be a static string (i.e. will be printed raw and not executed as a script). Base64 is an encoding, not encryption, and the decoded text is readable on the node, so it should not contain secrets. Changing this forces a new resource to be created.
    minCount Number
    The minimum number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000.
    nodeCount Number

    The initial number of nodes which should exist in this Node Pool. If specified this must be between 1 and 1000 and between min_count and max_count.

    Note: If specified you may wish to use ignoreChanges functionality to ignore changes to this field.

    Note: If enable_auto_scaling is set to false both min_count and max_count fields need to be set to null or omitted from the configuration.

    nodeLabels Map<String>
    A map of Kubernetes labels which should be applied to nodes in the Default Node Pool.
    nodeNetworkProfile Property Map
    A node_network_profile block as documented below.
    nodePublicIpPrefixId String
    Resource ID for the Public IP Addresses Prefix for the nodes in this Node Pool. enable_node_public_ip should be true. Changing this forces a new resource to be created.
    nodeTaints List<String>

    Deprecated: This field will be removed in v4.0 of the Azure Provider since the AKS API doesn't allow arbitrary node taints on the default node pool.

    onlyCriticalAddonsEnabled Boolean
    Enabling this option will taint default node pool with CriticalAddonsOnly=true:NoSchedule taint. temporary_name_for_rotation must be specified when changing this property.
    orchestratorVersion String

    Version of Kubernetes used for the Agents. If not specified, the default node pool will be created with the version specified by kubernetes_version. If both are unspecified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

    Note: This version must be supported by the Kubernetes Cluster - as such the version of Kubernetes used on the Cluster/Control Plane may need to be upgraded first.

    osDiskSizeGb Number
    The size of the OS Disk which should be used for each agent in the Node Pool. temporary_name_for_rotation must be specified when attempting a change.
    osDiskType String
    The type of disk which should be used for the Operating System. Possible values are Ephemeral and Managed. Defaults to Managed. temporary_name_for_rotation must be specified when attempting a change.
    osSku String
    Specifies the OS SKU used by the agent pool. Possible values are AzureLinux, Ubuntu, Windows2019 and Windows2022. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated. temporary_name_for_rotation must be specified when attempting a change.
    podSubnetId String
    The ID of the Subnet where the pods in the default Node Pool should exist.
    proximityPlacementGroupId String
    The ID of the Proximity Placement Group. Changing this forces a new resource to be created.
    scaleDownMode String
    Specifies the autoscaling behaviour of the Kubernetes Cluster. Allowed values are Delete and Deallocate. Defaults to Delete.
    snapshotId String
    The ID of the Snapshot which should be used to create this default Node Pool. temporary_name_for_rotation must be specified when changing this property.
    tags Map<String>

    A mapping of tags to assign to the Node Pool.

    At this time there's a bug in the AKS API where Tags for a Node Pool are not stored in the correct case - you may wish to use ignore_changes functionality to ignore changes to the casing until this is fixed in the AKS API.

    temporaryNameForRotation String
    Specifies the name of the temporary node pool used to cycle the default node pool for VM resizing.
    type String

    The type of Node Pool which should be created. Possible values are AvailabilitySet and VirtualMachineScaleSets. Defaults to VirtualMachineScaleSets. Changing this forces a new resource to be created.

    Note: When creating a cluster that supports multiple node pools, the cluster must use VirtualMachineScaleSets. For more information on the limitations of clusters using multiple node pools see the documentation.

    ultraSsdEnabled Boolean
    Used to specify whether the UltraSSD is enabled in the Default Node Pool. Defaults to false. See the documentation for more information. temporary_name_for_rotation must be specified when attempting a change.
    upgradeSettings Property Map
    An upgrade_settings block as documented below.
    vnetSubnetId String

    The ID of a Subnet where the Kubernetes Node Pool should exist.

    Note: A Route Table must be configured on this Subnet.

    workloadRuntime String

    Specifies the workload runtime used by the node pool. Possible values are OCIContainer and KataMshvVmIsolation.

    Note: Pod Sandboxing / KataVM Isolation node pools are in Public Preview - more information and details on how to opt into the preview can be found in this article.

    zones List<String>

    Specifies a list of Availability Zones in which this Kubernetes Cluster should be located. temporary_name_for_rotation must be specified when changing this property.

    Note: This requires that the type is set to VirtualMachineScaleSets and that load_balancer_sku is set to standard.

    KubernetesClusterDefaultNodePoolKubeletConfig, KubernetesClusterDefaultNodePoolKubeletConfigArgs

    AllowedUnsafeSysctls List<string>
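    Specifies the allow list of unsafe sysctl commands or patterns (ending in *). Kubernetes disables unsafe sysctls by default because they are not guaranteed to be isolated between pods on a node, so list only the ones a workload needs and prefer exact names over wildcard patterns.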
    ContainerLogMaxLine int
    Specifies the maximum number of container log files that can be present for a container. Must be at least 2.
    ContainerLogMaxSizeMb int
    Specifies the maximum size (e.g. 10MB) of container log file before it is rotated.
    CpuCfsQuotaEnabled bool
    Is CPU CFS quota enforcement for containers enabled?
    CpuCfsQuotaPeriod string
    Specifies the CPU CFS quota period value.
    CpuManagerPolicy string
    Specifies the CPU Manager policy to use. Possible values are none and static.
    ImageGcHighThreshold int
    Specifies the percent of disk usage above which image garbage collection is always run. Must be between 0 and 100.
    ImageGcLowThreshold int
    Specifies the percent of disk usage lower than which image garbage collection is never run. Must be between 0 and 100.
    PodMaxPid int
    Specifies the maximum number of processes per pod.
    TopologyManagerPolicy string
    Specifies the Topology Manager policy to use. Possible values are none, best-effort, restricted or single-numa-node.
    AllowedUnsafeSysctls []string
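    Specifies the allow list of unsafe sysctl commands or patterns (ending in *). Kubernetes disables unsafe sysctls by default because they are not guaranteed to be isolated between pods on a node, so list only the ones a workload needs and prefer exact names over wildcard patterns.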
    ContainerLogMaxLine int
    Specifies the maximum number of container log files that can be present for a container. Must be at least 2.
    ContainerLogMaxSizeMb int
    Specifies the maximum size (e.g. 10MB) of container log file before it is rotated.
    CpuCfsQuotaEnabled bool
    Is CPU CFS quota enforcement for containers enabled?
    CpuCfsQuotaPeriod string
    Specifies the CPU CFS quota period value.
    CpuManagerPolicy string
    Specifies the CPU Manager policy to use. Possible values are none and static.
    ImageGcHighThreshold int
    Specifies the percent of disk usage above which image garbage collection is always run. Must be between 0 and 100.
    ImageGcLowThreshold int
    Specifies the percent of disk usage lower than which image garbage collection is never run. Must be between 0 and 100.
    PodMaxPid int
    Specifies the maximum number of processes per pod.
    TopologyManagerPolicy string
    Specifies the Topology Manager policy to use. Possible values are none, best-effort, restricted or single-numa-node.
    allowedUnsafeSysctls List<String>
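    Specifies the allow list of unsafe sysctl commands or patterns (ending in *). Kubernetes disables unsafe sysctls by default because they are not guaranteed to be isolated between pods on a node, so list only the ones a workload needs and prefer exact names over wildcard patterns.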
    containerLogMaxLine Integer
    Specifies the maximum number of container log files that can be present for a container. Must be at least 2.
    containerLogMaxSizeMb Integer
    Specifies the maximum size (e.g. 10MB) of container log file before it is rotated.
    cpuCfsQuotaEnabled Boolean
    Is CPU CFS quota enforcement for containers enabled?
    cpuCfsQuotaPeriod String
    Specifies the CPU CFS quota period value.
    cpuManagerPolicy String
    Specifies the CPU Manager policy to use. Possible values are none and static.
    imageGcHighThreshold Integer
    Specifies the percent of disk usage above which image garbage collection is always run. Must be between 0 and 100.
    imageGcLowThreshold Integer
    Specifies the percent of disk usage lower than which image garbage collection is never run. Must be between 0 and 100.
    podMaxPid Integer
    Specifies the maximum number of processes per pod.
    topologyManagerPolicy String
    Specifies the Topology Manager policy to use. Possible values are none, best-effort, restricted or single-numa-node.
    allowedUnsafeSysctls string[]
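    Specifies the allow list of unsafe sysctl commands or patterns (ending in *). Kubernetes disables unsafe sysctls by default because they are not guaranteed to be isolated between pods on a node, so list only the ones a workload needs and prefer exact names over wildcard patterns.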
    containerLogMaxLine number
    Specifies the maximum number of container log files that can be present for a container. Must be at least 2.
    containerLogMaxSizeMb number
    Specifies the maximum size (e.g. 10MB) of container log file before it is rotated.
    cpuCfsQuotaEnabled boolean
    Is CPU CFS quota enforcement for containers enabled?
    cpuCfsQuotaPeriod string
    Specifies the CPU CFS quota period value.
    cpuManagerPolicy string
    Specifies the CPU Manager policy to use. Possible values are none and static.
    imageGcHighThreshold number
    Specifies the percent of disk usage above which image garbage collection is always run. Must be between 0 and 100.
    imageGcLowThreshold number
    Specifies the percent of disk usage lower than which image garbage collection is never run. Must be between 0 and 100.
    podMaxPid number
    Specifies the maximum number of processes per pod.
    topologyManagerPolicy string
    Specifies the Topology Manager policy to use. Possible values are none, best-effort, restricted or single-numa-node.
    allowed_unsafe_sysctls Sequence[str]
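    Specifies the allow list of unsafe sysctl commands or patterns (ending in *). Kubernetes disables unsafe sysctls by default because they are not guaranteed to be isolated between pods on a node, so list only the ones a workload needs and prefer exact names over wildcard patterns.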
    container_log_max_line int
    Specifies the maximum number of container log files that can be present for a container. Must be at least 2.
    container_log_max_size_mb int
    Specifies the maximum size (e.g. 10MB) of container log file before it is rotated.
    cpu_cfs_quota_enabled bool
    Is CPU CFS quota enforcement for containers enabled?
    cpu_cfs_quota_period str
    Specifies the CPU CFS quota period value.
    cpu_manager_policy str
    Specifies the CPU Manager policy to use. Possible values are none and static.
    image_gc_high_threshold int
    Specifies the percent of disk usage above which image garbage collection is always run. Must be between 0 and 100.
    image_gc_low_threshold int
    Specifies the percent of disk usage lower than which image garbage collection is never run. Must be between 0 and 100.
    pod_max_pid int
    Specifies the maximum number of processes per pod.
    topology_manager_policy str
    Specifies the Topology Manager policy to use. Possible values are none, best-effort, restricted or single-numa-node.
    allowedUnsafeSysctls List<String>
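    Specifies the allow list of unsafe sysctl commands or patterns (ending in *). Kubernetes disables unsafe sysctls by default because they are not guaranteed to be isolated between pods on a node, so list only the ones a workload needs and prefer exact names over wildcard patterns.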
    containerLogMaxLine Number
    Specifies the maximum number of container log files that can be present for a container. Must be at least 2.
    containerLogMaxSizeMb Number
    Specifies the maximum size (e.g. 10MB) of container log file before it is rotated.
    cpuCfsQuotaEnabled Boolean
    Is CPU CFS quota enforcement for containers enabled?
    cpuCfsQuotaPeriod String
    Specifies the CPU CFS quota period value.
    cpuManagerPolicy String
    Specifies the CPU Manager policy to use. Possible values are none and static.
    imageGcHighThreshold Number
    Specifies the percent of disk usage above which image garbage collection is always run. Must be between 0 and 100.
    imageGcLowThreshold Number
    Specifies the percent of disk usage lower than which image garbage collection is never run. Must be between 0 and 100.
    podMaxPid Number
    Specifies the maximum number of processes per pod.
    topologyManagerPolicy String
    Specifies the Topology Manager policy to use. Possible values are none, best-effort, restricted or single-numa-node.

    KubernetesClusterDefaultNodePoolLinuxOsConfig, KubernetesClusterDefaultNodePoolLinuxOsConfigArgs

    SwapFileSizeMb int
    Specifies the size of the swap file on each node in MB.
    SysctlConfig KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfig
    A sysctl_config block as defined below.
    TransparentHugePageDefrag string
    Specifies the defrag configuration for Transparent Huge Page. Possible values are always, defer, defer+madvise, madvise and never.
    TransparentHugePageEnabled string
    Specifies the Transparent Huge Page enabled configuration. Possible values are always, madvise and never.
    SwapFileSizeMb int
    Specifies the size of the swap file on each node in MB.
    SysctlConfig KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfig
    A sysctl_config block as defined below.
    TransparentHugePageDefrag string
    Specifies the defrag configuration for Transparent Huge Page. Possible values are always, defer, defer+madvise, madvise and never.
    TransparentHugePageEnabled string
    Specifies the Transparent Huge Page enabled configuration. Possible values are always, madvise and never.
    swapFileSizeMb Integer
    Specifies the size of the swap file on each node in MB.
    sysctlConfig KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfig
    A sysctl_config block as defined below.
    transparentHugePageDefrag String
    Specifies the defrag configuration for Transparent Huge Page. Possible values are always, defer, defer+madvise, madvise and never.
    transparentHugePageEnabled String
    Specifies the Transparent Huge Page enabled configuration. Possible values are always, madvise and never.
    swapFileSizeMb number
    Specifies the size of the swap file on each node in MB.
    sysctlConfig KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfig
    A sysctl_config block as defined below.
    transparentHugePageDefrag string
    Specifies the defrag configuration for Transparent Huge Page. Possible values are always, defer, defer+madvise, madvise and never.
    transparentHugePageEnabled string
    Specifies the Transparent Huge Page enabled configuration. Possible values are always, madvise and never.
    swap_file_size_mb int
    Specifies the size of the swap file on each node in MB.
    sysctl_config KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfig
    A sysctl_config block as defined below.
    transparent_huge_page_defrag str
    Specifies the defrag configuration for Transparent Huge Page. Possible values are always, defer, defer+madvise, madvise and never.
    transparent_huge_page_enabled str
    Specifies the Transparent Huge Page enabled configuration. Possible values are always, madvise and never.
    swapFileSizeMb Number
    Specifies the size of the swap file on each node in MB.
    sysctlConfig Property Map
    A sysctl_config block as defined below.
    transparentHugePageDefrag String
    Specifies the defrag configuration for Transparent Huge Page. Possible values are always, defer, defer+madvise, madvise and never.
    transparentHugePageEnabled String
    Specifies the Transparent Huge Page enabled configuration. Possible values are always, madvise and never.

    KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfig, KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfigArgs

    FsAioMaxNr int
    The sysctl setting fs.aio-max-nr. Must be between 65536 and 6553500.
    FsFileMax int
    The sysctl setting fs.file-max. Must be between 8192 and 12000500.
    FsInotifyMaxUserWatches int
    The sysctl setting fs.inotify.max_user_watches. Must be between 781250 and 2097152.
    FsNrOpen int
    The sysctl setting fs.nr_open. Must be between 8192 and 20000500.
    KernelThreadsMax int
    The sysctl setting kernel.threads-max. Must be between 20 and 513785.
    NetCoreNetdevMaxBacklog int
    The sysctl setting net.core.netdev_max_backlog. Must be between 1000 and 3240000.
    NetCoreOptmemMax int
    The sysctl setting net.core.optmem_max. Must be between 20480 and 4194304.
    NetCoreRmemDefault int
    The sysctl setting net.core.rmem_default. Must be between 212992 and 134217728.
    NetCoreRmemMax int
    The sysctl setting net.core.rmem_max. Must be between 212992 and 134217728.
    NetCoreSomaxconn int
    The sysctl setting net.core.somaxconn. Must be between 4096 and 3240000.
    NetCoreWmemDefault int
    The sysctl setting net.core.wmem_default. Must be between 212992 and 134217728.
    NetCoreWmemMax int
    The sysctl setting net.core.wmem_max. Must be between 212992 and 134217728.
    NetIpv4IpLocalPortRangeMax int
    The sysctl setting net.ipv4.ip_local_port_range max value. Must be between 32768 and 65535.
    NetIpv4IpLocalPortRangeMin int
    The sysctl setting net.ipv4.ip_local_port_range min value. Must be between 1024 and 60999.
    NetIpv4NeighDefaultGcThresh1 int
    The sysctl setting net.ipv4.neigh.default.gc_thresh1. Must be between 128 and 80000.
    NetIpv4NeighDefaultGcThresh2 int
    The sysctl setting net.ipv4.neigh.default.gc_thresh2. Must be between 512 and 90000.
    NetIpv4NeighDefaultGcThresh3 int
    The sysctl setting net.ipv4.neigh.default.gc_thresh3. Must be between 1024 and 100000.
    NetIpv4TcpFinTimeout int
    The sysctl setting net.ipv4.tcp_fin_timeout. Must be between 5 and 120.
    NetIpv4TcpKeepaliveIntvl int
    The sysctl setting net.ipv4.tcp_keepalive_intvl. Must be between 10 and 90.
    NetIpv4TcpKeepaliveProbes int
    The sysctl setting net.ipv4.tcp_keepalive_probes. Must be between 1 and 15.
    NetIpv4TcpKeepaliveTime int
    The sysctl setting net.ipv4.tcp_keepalive_time. Must be between 30 and 432000.
    NetIpv4TcpMaxSynBacklog int
    The sysctl setting net.ipv4.tcp_max_syn_backlog. Must be between 128 and 3240000.
    NetIpv4TcpMaxTwBuckets int
    The sysctl setting net.ipv4.tcp_max_tw_buckets. Must be between 8000 and 1440000.
    NetIpv4TcpTwReuse bool
    The sysctl setting net.ipv4.tcp_tw_reuse.
    NetNetfilterNfConntrackBuckets int
    The sysctl setting net.netfilter.nf_conntrack_buckets. Must be between 65536 and 524288.
    NetNetfilterNfConntrackMax int
    The sysctl setting net.netfilter.nf_conntrack_max. Must be between 131072 and 2097152.
    VmMaxMapCount int
    The sysctl setting vm.max_map_count. Must be between 65530 and 262144.
    VmSwappiness int
    The sysctl setting vm.swappiness. Must be between 0 and 100.
    VmVfsCachePressure int
    The sysctl setting vm.vfs_cache_pressure. Must be between 0 and 100.
    FsAioMaxNr int
    The sysctl setting fs.aio-max-nr. Must be between 65536 and 6553500.
    FsFileMax int
    The sysctl setting fs.file-max. Must be between 8192 and 12000500.
    FsInotifyMaxUserWatches int
    The sysctl setting fs.inotify.max_user_watches. Must be between 781250 and 2097152.
    FsNrOpen int
    The sysctl setting fs.nr_open. Must be between 8192 and 20000500.
    KernelThreadsMax int
    The sysctl setting kernel.threads-max. Must be between 20 and 513785.
    NetCoreNetdevMaxBacklog int
    The sysctl setting net.core.netdev_max_backlog. Must be between 1000 and 3240000.
    NetCoreOptmemMax int
    The sysctl setting net.core.optmem_max. Must be between 20480 and 4194304.
    NetCoreRmemDefault int
    The sysctl setting net.core.rmem_default. Must be between 212992 and 134217728.
    NetCoreRmemMax int
    The sysctl setting net.core.rmem_max. Must be between 212992 and 134217728.
    NetCoreSomaxconn int
    The sysctl setting net.core.somaxconn. Must be between 4096 and 3240000.
    NetCoreWmemDefault int
    The sysctl setting net.core.wmem_default. Must be between 212992 and 134217728.
    NetCoreWmemMax int
    The sysctl setting net.core.wmem_max. Must be between 212992 and 134217728.
    NetIpv4IpLocalPortRangeMax int
    The sysctl setting net.ipv4.ip_local_port_range max value. Must be between 32768 and 65535.
    NetIpv4IpLocalPortRangeMin int
    The sysctl setting net.ipv4.ip_local_port_range min value. Must be between 1024 and 60999.
    NetIpv4NeighDefaultGcThresh1 int
    The sysctl setting net.ipv4.neigh.default.gc_thresh1. Must be between 128 and 80000.
    NetIpv4NeighDefaultGcThresh2 int
    The sysctl setting net.ipv4.neigh.default.gc_thresh2. Must be between 512 and 90000.
    NetIpv4NeighDefaultGcThresh3 int
    The sysctl setting net.ipv4.neigh.default.gc_thresh3. Must be between 1024 and 100000.
    NetIpv4TcpFinTimeout int
    The sysctl setting net.ipv4.tcp_fin_timeout. Must be between 5 and 120.
    NetIpv4TcpKeepaliveIntvl int
    The sysctl setting net.ipv4.tcp_keepalive_intvl. Must be between 10 and 90.
    NetIpv4TcpKeepaliveProbes int
    The sysctl setting net.ipv4.tcp_keepalive_probes. Must be between 1 and 15.
    NetIpv4TcpKeepaliveTime int
    The sysctl setting net.ipv4.tcp_keepalive_time. Must be between 30 and 432000.
    NetIpv4TcpMaxSynBacklog int
    The sysctl setting net.ipv4.tcp_max_syn_backlog. Must be between 128 and 3240000.
    NetIpv4TcpMaxTwBuckets int
    The sysctl setting net.ipv4.tcp_max_tw_buckets. Must be between 8000 and 1440000.
    NetIpv4TcpTwReuse bool
    The sysctl setting net.ipv4.tcp_tw_reuse.
    NetNetfilterNfConntrackBuckets int
    The sysctl setting net.netfilter.nf_conntrack_buckets. Must be between 65536 and 524288.
    NetNetfilterNfConntrackMax int
    The sysctl setting net.netfilter.nf_conntrack_max. Must be between 131072 and 2097152.
    VmMaxMapCount int
    The sysctl setting vm.max_map_count. Must be between 65530 and 262144.
    VmSwappiness int
    The sysctl setting vm.swappiness. Must be between 0 and 100.
    VmVfsCachePressure int
    The sysctl setting vm.vfs_cache_pressure. Must be between 0 and 100.
    fsAioMaxNr Integer
    The sysctl setting fs.aio-max-nr. Must be between 65536 and 6553500.
    fsFileMax Integer
    The sysctl setting fs.file-max. Must be between 8192 and 12000500.
    fsInotifyMaxUserWatches Integer
    The sysctl setting fs.inotify.max_user_watches. Must be between 781250 and 2097152.
    fsNrOpen Integer
    The sysctl setting fs.nr_open. Must be between 8192 and 20000500.
    kernelThreadsMax Integer
    The sysctl setting kernel.threads-max. Must be between 20 and 513785.
    netCoreNetdevMaxBacklog Integer
    The sysctl setting net.core.netdev_max_backlog. Must be between 1000 and 3240000.
    netCoreOptmemMax Integer
    The sysctl setting net.core.optmem_max. Must be between 20480 and 4194304.
    netCoreRmemDefault Integer
    The sysctl setting net.core.rmem_default. Must be between 212992 and 134217728.
    netCoreRmemMax Integer
    The sysctl setting net.core.rmem_max. Must be between 212992 and 134217728.
    netCoreSomaxconn Integer
    The sysctl setting net.core.somaxconn. Must be between 4096 and 3240000.
    netCoreWmemDefault Integer
    The sysctl setting net.core.wmem_default. Must be between 212992 and 134217728.
    netCoreWmemMax Integer
    The sysctl setting net.core.wmem_max. Must be between 212992 and 134217728.
    netIpv4IpLocalPortRangeMax Integer
    The sysctl setting net.ipv4.ip_local_port_range max value. Must be between 32768 and 65535.
    netIpv4IpLocalPortRangeMin Integer
    The sysctl setting net.ipv4.ip_local_port_range min value. Must be between 1024 and 60999.
    netIpv4NeighDefaultGcThresh1 Integer
    The sysctl setting net.ipv4.neigh.default.gc_thresh1. Must be between 128 and 80000.
    netIpv4NeighDefaultGcThresh2 Integer
    The sysctl setting net.ipv4.neigh.default.gc_thresh2. Must be between 512 and 90000.
    netIpv4NeighDefaultGcThresh3 Integer
    The sysctl setting net.ipv4.neigh.default.gc_thresh3. Must be between 1024 and 100000.
    netIpv4TcpFinTimeout Integer
    The sysctl setting net.ipv4.tcp_fin_timeout. Must be between 5 and 120.
    netIpv4TcpKeepaliveIntvl Integer
    The sysctl setting net.ipv4.tcp_keepalive_intvl. Must be between 10 and 90.
    netIpv4TcpKeepaliveProbes Integer
    The sysctl setting net.ipv4.tcp_keepalive_probes. Must be between 1 and 15.
    netIpv4TcpKeepaliveTime Integer
    The sysctl setting net.ipv4.tcp_keepalive_time. Must be between 30 and 432000.
    netIpv4TcpMaxSynBacklog Integer
    The sysctl setting net.ipv4.tcp_max_syn_backlog. Must be between 128 and 3240000.
    netIpv4TcpMaxTwBuckets Integer
    The sysctl setting net.ipv4.tcp_max_tw_buckets. Must be between 8000 and 1440000.
    netIpv4TcpTwReuse Boolean
    The sysctl setting net.ipv4.tcp_tw_reuse.
    netNetfilterNfConntrackBuckets Integer
    The sysctl setting net.netfilter.nf_conntrack_buckets. Must be between 65536 and 524288.
    netNetfilterNfConntrackMax Integer
    The sysctl setting net.netfilter.nf_conntrack_max. Must be between 131072 and 2097152.
    vmMaxMapCount Integer
    The sysctl setting vm.max_map_count. Must be between 65530 and 262144.
    vmSwappiness Integer
    The sysctl setting vm.swappiness. Must be between 0 and 100.
    vmVfsCachePressure Integer
    The sysctl setting vm.vfs_cache_pressure. Must be between 0 and 100.
    fsAioMaxNr number
    The sysctl setting fs.aio-max-nr. Must be between 65536 and 6553500.
    fsFileMax number
    The sysctl setting fs.file-max. Must be between 8192 and 12000500.
    fsInotifyMaxUserWatches number
    The sysctl setting fs.inotify.max_user_watches. Must be between 781250 and 2097152.
    fsNrOpen number
    The sysctl setting fs.nr_open. Must be between 8192 and 20000500.
    kernelThreadsMax number
    The sysctl setting kernel.threads-max. Must be between 20 and 513785.
    netCoreNetdevMaxBacklog number
    The sysctl setting net.core.netdev_max_backlog. Must be between 1000 and 3240000.
    netCoreOptmemMax number
    The sysctl setting net.core.optmem_max. Must be between 20480 and 4194304.
    netCoreRmemDefault number
    The sysctl setting net.core.rmem_default. Must be between 212992 and 134217728.
    netCoreRmemMax number
    The sysctl setting net.core.rmem_max. Must be between 212992 and 134217728.
    netCoreSomaxconn number
    The sysctl setting net.core.somaxconn. Must be between 4096 and 3240000.
    netCoreWmemDefault number
    The sysctl setting net.core.wmem_default. Must be between 212992 and 134217728.
    netCoreWmemMax number
    The sysctl setting net.core.wmem_max. Must be between 212992 and 134217728.
    netIpv4IpLocalPortRangeMax number
    The sysctl setting net.ipv4.ip_local_port_range max value. Must be between 32768 and 65535.
    netIpv4IpLocalPortRangeMin number
    The sysctl setting net.ipv4.ip_local_port_range min value. Must be between 1024 and 60999.
    netIpv4NeighDefaultGcThresh1 number
    The sysctl setting net.ipv4.neigh.default.gc_thresh1. Must be between 128 and 80000.
    netIpv4NeighDefaultGcThresh2 number
    The sysctl setting net.ipv4.neigh.default.gc_thresh2. Must be between 512 and 90000.
    netIpv4NeighDefaultGcThresh3 number
    The sysctl setting net.ipv4.neigh.default.gc_thresh3. Must be between 1024 and 100000.
    netIpv4TcpFinTimeout number
    The sysctl setting net.ipv4.tcp_fin_timeout. Must be between 5 and 120.
    netIpv4TcpKeepaliveIntvl number
    The sysctl setting net.ipv4.tcp_keepalive_intvl. Must be between 10 and 90.
    netIpv4TcpKeepaliveProbes number
    The sysctl setting net.ipv4.tcp_keepalive_probes. Must be between 1 and 15.
    netIpv4TcpKeepaliveTime number
    The sysctl setting net.ipv4.tcp_keepalive_time. Must be between 30 and 432000.
    netIpv4TcpMaxSynBacklog number
    The sysctl setting net.ipv4.tcp_max_syn_backlog. Must be between 128 and 3240000.
    netIpv4TcpMaxTwBuckets number
    The sysctl setting net.ipv4.tcp_max_tw_buckets. Must be between 8000 and 1440000.
    netIpv4TcpTwReuse boolean
    The sysctl setting net.ipv4.tcp_tw_reuse.
    netNetfilterNfConntrackBuckets number
    The sysctl setting net.netfilter.nf_conntrack_buckets. Must be between 65536 and 524288.
    netNetfilterNfConntrackMax number
    The sysctl setting net.netfilter.nf_conntrack_max. Must be between 131072 and 2097152.
    vmMaxMapCount number
    The sysctl setting vm.max_map_count. Must be between 65530 and 262144.
    vmSwappiness number
    The sysctl setting vm.swappiness. Must be between 0 and 100.
    vmVfsCachePressure number
    The sysctl setting vm.vfs_cache_pressure. Must be between 0 and 100.
    fs_aio_max_nr int
    The sysctl setting fs.aio-max-nr. Must be between 65536 and 6553500.
    fs_file_max int
    The sysctl setting fs.file-max. Must be between 8192 and 12000500.
    fs_inotify_max_user_watches int
    The sysctl setting fs.inotify.max_user_watches. Must be between 781250 and 2097152.
    fs_nr_open int
    The sysctl setting fs.nr_open. Must be between 8192 and 20000500.
    kernel_threads_max int
    The sysctl setting kernel.threads-max. Must be between 20 and 513785.
    net_core_netdev_max_backlog int
    The sysctl setting net.core.netdev_max_backlog. Must be between 1000 and 3240000.
    net_core_optmem_max int
    The sysctl setting net.core.optmem_max. Must be between 20480 and 4194304.
    net_core_rmem_default int
    The sysctl setting net.core.rmem_default. Must be between 212992 and 134217728.
    net_core_rmem_max int
    The sysctl setting net.core.rmem_max. Must be between 212992 and 134217728.
    net_core_somaxconn int
    The sysctl setting net.core.somaxconn. Must be between 4096 and 3240000.
    net_core_wmem_default int
    The sysctl setting net.core.wmem_default. Must be between 212992 and 134217728.
    net_core_wmem_max int
    The sysctl setting net.core.wmem_max. Must be between 212992 and 134217728.
    net_ipv4_ip_local_port_range_max int
    The sysctl setting net.ipv4.ip_local_port_range max value. Must be between 32768 and 65535.
    net_ipv4_ip_local_port_range_min int
    The sysctl setting net.ipv4.ip_local_port_range min value. Must be between 1024 and 60999.
    net_ipv4_neigh_default_gc_thresh1 int
    The sysctl setting net.ipv4.neigh.default.gc_thresh1. Must be between 128 and 80000.
    net_ipv4_neigh_default_gc_thresh2 int
    The sysctl setting net.ipv4.neigh.default.gc_thresh2. Must be between 512 and 90000.
    net_ipv4_neigh_default_gc_thresh3 int
    The sysctl setting net.ipv4.neigh.default.gc_thresh3. Must be between 1024 and 100000.
    net_ipv4_tcp_fin_timeout int
    The sysctl setting net.ipv4.tcp_fin_timeout. Must be between 5 and 120.
    net_ipv4_tcp_keepalive_intvl int
    The sysctl setting net.ipv4.tcp_keepalive_intvl. Must be between 10 and 90.
    net_ipv4_tcp_keepalive_probes int
    The sysctl setting net.ipv4.tcp_keepalive_probes. Must be between 1 and 15.
    net_ipv4_tcp_keepalive_time int
    The sysctl setting net.ipv4.tcp_keepalive_time. Must be between 30 and 432000.
    net_ipv4_tcp_max_syn_backlog int
    The sysctl setting net.ipv4.tcp_max_syn_backlog. Must be between 128 and 3240000.
    net_ipv4_tcp_max_tw_buckets int
    The sysctl setting net.ipv4.tcp_max_tw_buckets. Must be between 8000 and 1440000.
    net_ipv4_tcp_tw_reuse bool
    The sysctl setting net.ipv4.tcp_tw_reuse.
    net_netfilter_nf_conntrack_buckets int
    The sysctl setting net.netfilter.nf_conntrack_buckets. Must be between 65536 and 524288.
    net_netfilter_nf_conntrack_max int
    The sysctl setting net.netfilter.nf_conntrack_max. Must be between 131072 and 2097152.
    vm_max_map_count int
    The sysctl setting vm.max_map_count. Must be between 65530 and 262144.
    vm_swappiness int
    The sysctl setting vm.swappiness. Must be between 0 and 100.
    vm_vfs_cache_pressure int
    The sysctl setting vm.vfs_cache_pressure. Must be between 0 and 100.
    fsAioMaxNr Number
    The sysctl setting fs.aio-max-nr. Must be between 65536 and 6553500.
    fsFileMax Number
    The sysctl setting fs.file-max. Must be between 8192 and 12000500.
    fsInotifyMaxUserWatches Number
    The sysctl setting fs.inotify.max_user_watches. Must be between 781250 and 2097152.
    fsNrOpen Number
    The sysctl setting fs.nr_open. Must be between 8192 and 20000500.
    kernelThreadsMax Number
    The sysctl setting kernel.threads-max. Must be between 20 and 513785.
    netCoreNetdevMaxBacklog Number
    The sysctl setting net.core.netdev_max_backlog. Must be between 1000 and 3240000.
    netCoreOptmemMax Number
    The sysctl setting net.core.optmem_max. Must be between 20480 and 4194304.
    netCoreRmemDefault Number
    The sysctl setting net.core.rmem_default. Must be between 212992 and 134217728.
    netCoreRmemMax Number
    The sysctl setting net.core.rmem_max. Must be between 212992 and 134217728.
    netCoreSomaxconn Number
    The sysctl setting net.core.somaxconn. Must be between 4096 and 3240000.
    netCoreWmemDefault Number
    The sysctl setting net.core.wmem_default. Must be between 212992 and 134217728.
    netCoreWmemMax Number
    The sysctl setting net.core.wmem_max. Must be between 212992 and 134217728.
    netIpv4IpLocalPortRangeMax Number
    The sysctl setting net.ipv4.ip_local_port_range max value. Must be between 32768 and 65535.
    netIpv4IpLocalPortRangeMin Number
    The sysctl setting net.ipv4.ip_local_port_range min value. Must be between 1024 and 60999.
    netIpv4NeighDefaultGcThresh1 Number
    The sysctl setting net.ipv4.neigh.default.gc_thresh1. Must be between 128 and 80000.
    netIpv4NeighDefaultGcThresh2 Number
    The sysctl setting net.ipv4.neigh.default.gc_thresh2. Must be between 512 and 90000.
    netIpv4NeighDefaultGcThresh3 Number
    The sysctl setting net.ipv4.neigh.default.gc_thresh3. Must be between 1024 and 100000.
    netIpv4TcpFinTimeout Number
    The sysctl setting net.ipv4.tcp_fin_timeout. Must be between 5 and 120.
    netIpv4TcpKeepaliveIntvl Number
    The sysctl setting net.ipv4.tcp_keepalive_intvl. Must be between 10 and 90.
    netIpv4TcpKeepaliveProbes Number
    The sysctl setting net.ipv4.tcp_keepalive_probes. Must be between 1 and 15.
    netIpv4TcpKeepaliveTime Number
    The sysctl setting net.ipv4.tcp_keepalive_time. Must be between 30 and 432000.
    netIpv4TcpMaxSynBacklog Number
    The sysctl setting net.ipv4.tcp_max_syn_backlog. Must be between 128 and 3240000.
    netIpv4TcpMaxTwBuckets Number
    The sysctl setting net.ipv4.tcp_max_tw_buckets. Must be between 8000 and 1440000.
    netIpv4TcpTwReuse Boolean
    The sysctl setting net.ipv4.tcp_tw_reuse.
    netNetfilterNfConntrackBuckets Number
    The sysctl setting net.netfilter.nf_conntrack_buckets. Must be between 65536 and 524288.
    netNetfilterNfConntrackMax Number
    The sysctl setting net.netfilter.nf_conntrack_max. Must be between 131072 and 2097152.
    vmMaxMapCount Number
    The sysctl setting vm.max_map_count. Must be between 65530 and 262144.
    vmSwappiness Number
    The sysctl setting vm.swappiness. Must be between 0 and 100.
    vmVfsCachePressure Number
    The sysctl setting vm.vfs_cache_pressure. Must be between 0 and 100.

    KubernetesClusterDefaultNodePoolNodeNetworkProfile, KubernetesClusterDefaultNodePoolNodeNetworkProfileArgs

    AllowedHostPorts List<KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPort>
    One or more allowed_host_ports blocks as defined below.
    ApplicationSecurityGroupIds List<string>
    A list of Application Security Group IDs which should be associated with this Node Pool.
    NodePublicIpTags Dictionary<string, string>

    Specifies a mapping of tags to the instance-level public IPs. Changing this forces a new resource to be created.

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodePublicIPTagsPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    AllowedHostPorts []KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPort
    One or more allowed_host_ports blocks as defined below.
    ApplicationSecurityGroupIds []string
    A list of Application Security Group IDs which should be associated with this Node Pool.
    NodePublicIpTags map[string]string

    Specifies a mapping of tags to the instance-level public IPs. Changing this forces a new resource to be created.

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodePublicIPTagsPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    allowedHostPorts List<KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPort>
    One or more allowed_host_ports blocks as defined below.
    applicationSecurityGroupIds List<String>
    A list of Application Security Group IDs which should be associated with this Node Pool.
    nodePublicIpTags Map<String,String>

    Specifies a mapping of tags to the instance-level public IPs. Changing this forces a new resource to be created.

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodePublicIPTagsPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    allowedHostPorts KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPort[]
    One or more allowed_host_ports blocks as defined below.
    applicationSecurityGroupIds string[]
    A list of Application Security Group IDs which should be associated with this Node Pool.
    nodePublicIpTags {[key: string]: string}

    Specifies a mapping of tags to the instance-level public IPs. Changing this forces a new resource to be created.

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodePublicIPTagsPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    allowed_host_ports Sequence[KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPort]
    One or more allowed_host_ports blocks as defined below.
    application_security_group_ids Sequence[str]
    A list of Application Security Group IDs which should be associated with this Node Pool.
    node_public_ip_tags Mapping[str, str]

    Specifies a mapping of tags to the instance-level public IPs. Changing this forces a new resource to be created.

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodePublicIPTagsPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    allowedHostPorts List<Property Map>
    One or more allowed_host_ports blocks as defined below.
    applicationSecurityGroupIds List<String>
    A list of Application Security Group IDs which should be associated with this Node Pool.
    nodePublicIpTags Map<String>

    Specifies a mapping of tags to the instance-level public IPs. Changing this forces a new resource to be created.

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodePublicIPTagsPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPort, KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPortArgs

    PortEnd int
    Specifies the end of the port range.
    PortStart int
    Specifies the start of the port range.
    Protocol string
    Specifies the protocol of the port range. Possible values are TCP and UDP.
    PortEnd int
    Specifies the end of the port range.
    PortStart int
    Specifies the start of the port range.
    Protocol string
    Specifies the protocol of the port range. Possible values are TCP and UDP.
    portEnd Integer
    Specifies the end of the port range.
    portStart Integer
    Specifies the start of the port range.
    protocol String
    Specifies the protocol of the port range. Possible values are TCP and UDP.
    portEnd number
    Specifies the end of the port range.
    portStart number
    Specifies the start of the port range.
    protocol string
    Specifies the protocol of the port range. Possible values are TCP and UDP.
    port_end int
    Specifies the end of the port range.
    port_start int
    Specifies the start of the port range.
    protocol str
    Specifies the protocol of the port range. Possible values are TCP and UDP.
    portEnd Number
    Specifies the end of the port range.
    portStart Number
    Specifies the start of the port range.
    protocol String
    Specifies the protocol of the port range. Possible values are TCP and UDP.

    KubernetesClusterDefaultNodePoolUpgradeSettings, KubernetesClusterDefaultNodePoolUpgradeSettingsArgs

    MaxSurge string

    The maximum number or percentage of nodes which will be added to the Node Pool size during an upgrade.

    Note: If a percentage is provided, the number of surge nodes is calculated from the node_count value on the current cluster. Node surge can allow a cluster to have more nodes than max_count during an upgrade. Ensure that your cluster has enough IP space during an upgrade.

    MaxSurge string

    The maximum number or percentage of nodes which will be added to the Node Pool size during an upgrade.

    Note: If a percentage is provided, the number of surge nodes is calculated from the node_count value on the current cluster. Node surge can allow a cluster to have more nodes than max_count during an upgrade. Ensure that your cluster has enough IP space during an upgrade.

    maxSurge String

    The maximum number or percentage of nodes which will be added to the Node Pool size during an upgrade.

    Note: If a percentage is provided, the number of surge nodes is calculated from the node_count value on the current cluster. Node surge can allow a cluster to have more nodes than max_count during an upgrade. Ensure that your cluster has enough IP space during an upgrade.

    maxSurge string

    The maximum number or percentage of nodes which will be added to the Node Pool size during an upgrade.

    Note: If a percentage is provided, the number of surge nodes is calculated from the node_count value on the current cluster. Node surge can allow a cluster to have more nodes than max_count during an upgrade. Ensure that your cluster has enough IP space during an upgrade.

    max_surge str

    The maximum number or percentage of nodes which will be added to the Node Pool size during an upgrade.

    Note: If a percentage is provided, the number of surge nodes is calculated from the node_count value on the current cluster. Node surge can allow a cluster to have more nodes than max_count during an upgrade. Ensure that your cluster has enough IP space during an upgrade.

    maxSurge String

    The maximum number or percentage of nodes which will be added to the Node Pool size during an upgrade.

    Note: If a percentage is provided, the number of surge nodes is calculated from the node_count value on the current cluster. Node surge can allow a cluster to have more nodes than max_count during an upgrade. Ensure that your cluster has enough IP space during an upgrade.

    KubernetesClusterHttpProxyConfig, KubernetesClusterHttpProxyConfigArgs

    HttpProxy string
    The proxy address to be used when communicating over HTTP.
    HttpsProxy string
    The proxy address to be used when communicating over HTTPS.
    NoProxies List<string>
    TrustedCa string
    The base64 encoded alternative CA certificate content in PEM format.
    HttpProxy string
    The proxy address to be used when communicating over HTTP.
    HttpsProxy string
    The proxy address to be used when communicating over HTTPS.
    NoProxies []string
    TrustedCa string
    The base64 encoded alternative CA certificate content in PEM format.
    httpProxy String
    The proxy address to be used when communicating over HTTP.
    httpsProxy String
    The proxy address to be used when communicating over HTTPS.
    noProxies List<String>
    trustedCa String
    The base64 encoded alternative CA certificate content in PEM format.
    httpProxy string
    The proxy address to be used when communicating over HTTP.
    httpsProxy string
    The proxy address to be used when communicating over HTTPS.
    noProxies string[]
    trustedCa string
    The base64 encoded alternative CA certificate content in PEM format.
    http_proxy str
    The proxy address to be used when communicating over HTTP.
    https_proxy str
    The proxy address to be used when communicating over HTTPS.
    no_proxies Sequence[str]
    trusted_ca str
    The base64 encoded alternative CA certificate content in PEM format.
    httpProxy String
    The proxy address to be used when communicating over HTTP.
    httpsProxy String
    The proxy address to be used when communicating over HTTPS.
    noProxies List<String>
    trustedCa String
    The base64 encoded alternative CA certificate content in PEM format.

    KubernetesClusterIdentity, KubernetesClusterIdentityArgs

    Type string
    Specifies the type of Managed Service Identity that should be configured on this Kubernetes Cluster. Possible values are SystemAssigned or UserAssigned.
    IdentityIds List<string>

    Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster.

    Note: This is required when type is set to UserAssigned. Currently only one User Assigned Identity is supported.

    PrincipalId string
    The Principal ID associated with this Managed Service Identity.
    TenantId string
    The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.
    Type string
    Specifies the type of Managed Service Identity that should be configured on this Kubernetes Cluster. Possible values are SystemAssigned or UserAssigned.
    IdentityIds []string

    Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster.

    Note: This is required when type is set to UserAssigned. Currently only one User Assigned Identity is supported.

    PrincipalId string
    The Principal ID associated with this Managed Service Identity.
    TenantId string
    The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.
    type String
    Specifies the type of Managed Service Identity that should be configured on this Kubernetes Cluster. Possible values are SystemAssigned or UserAssigned.
    identityIds List<String>

    Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster.

    Note: This is required when type is set to UserAssigned. Currently only one User Assigned Identity is supported.

    principalId String
    The Principal ID associated with this Managed Service Identity.
    tenantId String
    The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.
    type string
    Specifies the type of Managed Service Identity that should be configured on this Kubernetes Cluster. Possible values are SystemAssigned or UserAssigned.
    identityIds string[]

    Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster.

    Note: This is required when type is set to UserAssigned. Currently only one User Assigned Identity is supported.

    principalId string
    The Principal ID associated with this Managed Service Identity.
    tenantId string
    The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.
    type str
    Specifies the type of Managed Service Identity that should be configured on this Kubernetes Cluster. Possible values are SystemAssigned or UserAssigned.
    identity_ids Sequence[str]

    Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster.

    Note: This is required when type is set to UserAssigned. Currently only one User Assigned Identity is supported.

    principal_id str
    The Principal ID associated with this Managed Service Identity.
    tenant_id str
    The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.
    type String
    Specifies the type of Managed Service Identity that should be configured on this Kubernetes Cluster. Possible values are SystemAssigned or UserAssigned.
    identityIds List<String>

    Specifies a list of User Assigned Managed Identity IDs to be assigned to this Kubernetes Cluster.

    Note: This is required when type is set to UserAssigned. Currently only one User Assigned Identity is supported.

    principalId String
    The Principal ID associated with this Managed Service Identity.
    tenantId String
    The Tenant ID used for Azure Active Directory Application. If this isn't specified the Tenant ID of the current Subscription is used.

    KubernetesClusterIngressApplicationGateway, KubernetesClusterIngressApplicationGatewayArgs

    EffectiveGatewayId string
    The ID of the Application Gateway associated with the ingress controller deployed to this Kubernetes Cluster.
    GatewayId string
    The ID of the Application Gateway to integrate with the ingress controller of this Kubernetes Cluster. See this page for further details.
    GatewayName string
    The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.
    IngressApplicationGatewayIdentities List<KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentity>
    An ingress_application_gateway_identity block is exported. The exported attributes are defined below.
    SubnetCidr string
    The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.
    SubnetId string

    The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.

    Note: Exactly one of gateway_id, subnet_id or subnet_cidr must be specified.

    Note: If specifying ingress_application_gateway in conjunction with only_critical_addons_enabled, the AGIC pod will fail to start. A separate azure.containerservice.KubernetesClusterNodePool is required to run the AGIC pod successfully. This is because AGIC is classed as a "non-critical addon".

    EffectiveGatewayId string
    The ID of the Application Gateway associated with the ingress controller deployed to this Kubernetes Cluster.
    GatewayId string
    The ID of the Application Gateway to integrate with the ingress controller of this Kubernetes Cluster. See this page for further details.
    GatewayName string
    The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.
    IngressApplicationGatewayIdentities []KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentity
    An ingress_application_gateway_identity block is exported. The exported attributes are defined below.
    SubnetCidr string
    The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.
    SubnetId string

    The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.

    Note: Exactly one of gateway_id, subnet_id or subnet_cidr must be specified.

    Note: If specifying ingress_application_gateway in conjunction with only_critical_addons_enabled, the AGIC pod will fail to start. A separate azure.containerservice.KubernetesClusterNodePool is required to run the AGIC pod successfully. This is because AGIC is classed as a "non-critical addon".

    effectiveGatewayId String
    The ID of the Application Gateway associated with the ingress controller deployed to this Kubernetes Cluster.
    gatewayId String
    The ID of the Application Gateway to integrate with the ingress controller of this Kubernetes Cluster. See this page for further details.
    gatewayName String
    The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.
    ingressApplicationGatewayIdentities List<KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentity>
    An ingress_application_gateway_identity block is exported. The exported attributes are defined below.
    subnetCidr String
    The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.
    subnetId String

    The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.

    Note: Exactly one of gateway_id, subnet_id or subnet_cidr must be specified.

    Note: If specifying ingress_application_gateway in conjunction with only_critical_addons_enabled, the AGIC pod will fail to start. A separate azure.containerservice.KubernetesClusterNodePool is required to run the AGIC pod successfully. This is because AGIC is classed as a "non-critical addon".

    effectiveGatewayId string
    The ID of the Application Gateway associated with the ingress controller deployed to this Kubernetes Cluster.
    gatewayId string
    The ID of the Application Gateway to integrate with the ingress controller of this Kubernetes Cluster. See this page for further details.
    gatewayName string
    The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.
    ingressApplicationGatewayIdentities KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentity[]
    An ingress_application_gateway_identity block is exported. The exported attributes are defined below.
    subnetCidr string
    The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.
    subnetId string

    The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.

    Note: Exactly one of gateway_id, subnet_id or subnet_cidr must be specified.

    Note: If specifying ingress_application_gateway in conjunction with only_critical_addons_enabled, the AGIC pod will fail to start. A separate azure.containerservice.KubernetesClusterNodePool is required to run the AGIC pod successfully. This is because AGIC is classed as a "non-critical addon".

    effective_gateway_id str
    The ID of the Application Gateway associated with the ingress controller deployed to this Kubernetes Cluster.
    gateway_id str
    The ID of the Application Gateway to integrate with the ingress controller of this Kubernetes Cluster. See this page for further details.
    gateway_name str
    The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.
    ingress_application_gateway_identities Sequence[KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentity]
    An ingress_application_gateway_identity block is exported. The exported attributes are defined below.
    subnet_cidr str
    The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.
    subnet_id str

    The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.

    Note: Exactly one of gateway_id, subnet_id or subnet_cidr must be specified.

    Note: If specifying ingress_application_gateway in conjunction with only_critical_addons_enabled, the AGIC pod will fail to start. A separate azure.containerservice.KubernetesClusterNodePool is required to run the AGIC pod successfully. This is because AGIC is classed as a "non-critical addon".

    effectiveGatewayId String
    The ID of the Application Gateway associated with the ingress controller deployed to this Kubernetes Cluster.
    gatewayId String
    The ID of the Application Gateway to integrate with the ingress controller of this Kubernetes Cluster. See this page for further details.
    gatewayName String
    The name of the Application Gateway to be used or created in the Nodepool Resource Group, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.
    ingressApplicationGatewayIdentities List<Property Map>
    An ingress_application_gateway_identity block is exported. The exported attributes are defined below.
    subnetCidr String
    The subnet CIDR to be used to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.
    subnetId String

    The ID of the subnet on which to create an Application Gateway, which in turn will be integrated with the ingress controller of this Kubernetes Cluster. See this page for further details.

    Note: Exactly one of gateway_id, subnet_id or subnet_cidr must be specified.

    Note: If specifying ingress_application_gateway in conjunction with only_critical_addons_enabled, the AGIC pod will fail to start. A separate azure.containerservice.KubernetesClusterNodePool is required to run the AGIC pod successfully. This is because AGIC is classed as a "non-critical addon".

    KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentity, KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentityArgs

    ClientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    ObjectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    UserAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    ClientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    ObjectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    UserAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId String
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId String
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId String

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    client_id str
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    object_id str
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    user_assigned_identity_id str

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId String
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId String
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId String

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    KubernetesClusterKeyManagementService, KubernetesClusterKeyManagementServiceArgs

    KeyVaultKeyId string
    Identifier of Azure Key Vault key. See key identifier format for more details.
    KeyVaultNetworkAccess string
    Network access of the key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. Defaults to Public.
    KeyVaultKeyId string
    Identifier of Azure Key Vault key. See key identifier format for more details.
    KeyVaultNetworkAccess string
    Network access of the key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. Defaults to Public.
    keyVaultKeyId String
    Identifier of Azure Key Vault key. See key identifier format for more details.
    keyVaultNetworkAccess String
    Network access of the key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. Defaults to Public.
    keyVaultKeyId string
    Identifier of Azure Key Vault key. See key identifier format for more details.
    keyVaultNetworkAccess string
    Network access of the key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. Defaults to Public.
    key_vault_key_id str
    Identifier of Azure Key Vault key. See key identifier format for more details.
    key_vault_network_access str
    Network access of the key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. Defaults to Public.
    keyVaultKeyId String
    Identifier of Azure Key Vault key. See key identifier format for more details.
    keyVaultNetworkAccess String
    Network access of the key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. Defaults to Public.

    KubernetesClusterKeyVaultSecretsProvider, KubernetesClusterKeyVaultSecretsProviderArgs

    SecretIdentities List<KubernetesClusterKeyVaultSecretsProviderSecretIdentity>
    A secret_identity block is exported. The exported attributes are defined below.
    SecretRotationEnabled bool
    Should the secret store CSI driver on the AKS cluster be enabled?
    SecretRotationInterval string

    The interval to poll for secret rotation. This attribute is only set when secret_rotation is true. Defaults to 2m.

    Note: To enable key_vault_secrets_provider either secret_rotation_enabled or secret_rotation_interval must be specified.

    SecretIdentities []KubernetesClusterKeyVaultSecretsProviderSecretIdentity
    A secret_identity block is exported. The exported attributes are defined below.
    SecretRotationEnabled bool
    Should the secret store CSI driver on the AKS cluster be enabled?
    SecretRotationInterval string

    The interval to poll for secret rotation. This attribute is only set when secret_rotation is true. Defaults to 2m.

    Note: To enable key_vault_secrets_provider either secret_rotation_enabled or secret_rotation_interval must be specified.

    secretIdentities List<KubernetesClusterKeyVaultSecretsProviderSecretIdentity>
    A secret_identity block is exported. The exported attributes are defined below.
    secretRotationEnabled Boolean
    Should the secret store CSI driver on the AKS cluster be enabled?
    secretRotationInterval String

    The interval to poll for secret rotation. This attribute is only set when secret_rotation is true. Defaults to 2m.

    Note: To enable key_vault_secrets_provider either secret_rotation_enabled or secret_rotation_interval must be specified.

    secretIdentities KubernetesClusterKeyVaultSecretsProviderSecretIdentity[]
    A secret_identity block is exported. The exported attributes are defined below.
    secretRotationEnabled boolean
    Should the secret store CSI driver on the AKS cluster be enabled?
    secretRotationInterval string

    The interval to poll for secret rotation. This attribute is only set when secret_rotation is true. Defaults to 2m.

    Note: To enable key_vault_secrets_provider either secret_rotation_enabled or secret_rotation_interval must be specified.

    secret_identities Sequence[KubernetesClusterKeyVaultSecretsProviderSecretIdentity]
    A secret_identity block is exported. The exported attributes are defined below.
    secret_rotation_enabled bool
    Should the secret store CSI driver on the AKS cluster be enabled?
    secret_rotation_interval str

    The interval to poll for secret rotation. This attribute is only set when secret_rotation is true. Defaults to 2m.

    Note: To enable key_vault_secrets_provider either secret_rotation_enabled or secret_rotation_interval must be specified.

    secretIdentities List<Property Map>
    A secret_identity block is exported. The exported attributes are defined below.
    secretRotationEnabled Boolean
    Should the secret store CSI driver on the AKS cluster be enabled?
    secretRotationInterval String

    The interval to poll for secret rotation. This attribute is only set when secret_rotation is true. Defaults to 2m.

    Note: To enable key_vault_secrets_provider either secret_rotation_enabled or secret_rotation_interval must be specified.

    KubernetesClusterKeyVaultSecretsProviderSecretIdentity, KubernetesClusterKeyVaultSecretsProviderSecretIdentityArgs

    ClientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    ObjectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    UserAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    ClientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    ObjectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    UserAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId String
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId String
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId String

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    client_id str
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    object_id str
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    user_assigned_identity_id str

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId String
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId String
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId String

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    KubernetesClusterKubeAdminConfig, KubernetesClusterKubeAdminConfigArgs

    ClientCertificate string
    Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
    ClientKey string
    Base64 encoded private key used by clients to authenticate to the Kubernetes cluster. Base64 is an encoding, not encryption, so handle this value as a secret.
    ClusterCaCertificate string
    Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
    Host string
    The Kubernetes cluster server host.
    Password string
    A password or token used to authenticate to the Kubernetes cluster. Handle this value as a secret.
    Username string
    A username used to authenticate to the Kubernetes cluster.
    ClientCertificate string
    Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
    ClientKey string
    Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
    ClusterCaCertificate string
    Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
    Host string
    The Kubernetes cluster server host.
    Password string
    A password or token used to authenticate to the Kubernetes cluster.
    Username string
    A username used to authenticate to the Kubernetes cluster.
    clientCertificate String
    Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
    clientKey String
    Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
    clusterCaCertificate String
    Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
    host String
    The Kubernetes cluster server host.
    password String
    A password or token used to authenticate to the Kubernetes cluster.
    username String
    A username used to authenticate to the Kubernetes cluster.
    clientCertificate string
    Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
    clientKey string
    Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
    clusterCaCertificate string
    Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
    host string
    The Kubernetes cluster server host.
    password string
    A password or token used to authenticate to the Kubernetes cluster.
    username string
    A username used to authenticate to the Kubernetes cluster.
    client_certificate str
    Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
    client_key str
    Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
    cluster_ca_certificate str
    Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
    host str
    The Kubernetes cluster server host.
    password str
    A password or token used to authenticate to the Kubernetes cluster.
    username str
    A username used to authenticate to the Kubernetes cluster.
    clientCertificate String
    Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
    clientKey String
    Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
    clusterCaCertificate String
    Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
    host String
    The Kubernetes cluster server host.
    password String
    A password or token used to authenticate to the Kubernetes cluster.
    username String
    A username used to authenticate to the Kubernetes cluster.

    KubernetesClusterKubeConfig, KubernetesClusterKubeConfigArgs

    ClientCertificate string
    Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
    ClientKey string
    Base64 encoded private key used by clients to authenticate to the Kubernetes cluster. Base64 is an encoding, not encryption, so handle this value as a secret.
    ClusterCaCertificate string
    Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
    Host string
    The Kubernetes cluster server host.
    Password string
    A password or token used to authenticate to the Kubernetes cluster. Handle this value as a secret.
    Username string
    A username used to authenticate to the Kubernetes cluster.
    ClientCertificate string
    Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
    ClientKey string
    Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
    ClusterCaCertificate string
    Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
    Host string
    The Kubernetes cluster server host.
    Password string
    A password or token used to authenticate to the Kubernetes cluster.
    Username string
    A username used to authenticate to the Kubernetes cluster.
    clientCertificate String
    Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
    clientKey String
    Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
    clusterCaCertificate String
    Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
    host String
    The Kubernetes cluster server host.
    password String
    A password or token used to authenticate to the Kubernetes cluster.
    username String
    A username used to authenticate to the Kubernetes cluster.
    clientCertificate string
    Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
    clientKey string
    Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
    clusterCaCertificate string
    Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
    host string
    The Kubernetes cluster server host.
    password string
    A password or token used to authenticate to the Kubernetes cluster.
    username string
    A username used to authenticate to the Kubernetes cluster.
    client_certificate str
    Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
    client_key str
    Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
    cluster_ca_certificate str
    Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
    host str
    The Kubernetes cluster server host.
    password str
    A password or token used to authenticate to the Kubernetes cluster.
    username str
    A username used to authenticate to the Kubernetes cluster.
    clientCertificate String
    Base64 encoded public certificate used by clients to authenticate to the Kubernetes cluster.
    clientKey String
    Base64 encoded private key used by clients to authenticate to the Kubernetes cluster.
    clusterCaCertificate String
    Base64 encoded public CA certificate used as the root of trust for the Kubernetes cluster.
    host String
    The Kubernetes cluster server host.
    password String
    A password or token used to authenticate to the Kubernetes cluster.
    username String
    A username used to authenticate to the Kubernetes cluster.

    KubernetesClusterKubeletIdentity, KubernetesClusterKubeletIdentityArgs

    ClientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    ObjectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    UserAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    ClientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    ObjectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    UserAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId String
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId String
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId String

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    client_id str
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    object_id str
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    user_assigned_identity_id str

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId String
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId String
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId String

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    KubernetesClusterLinuxProfile, KubernetesClusterLinuxProfileArgs

    AdminUsername string
    The Admin Username for the Cluster. Changing this forces a new resource to be created.
    SshKey KubernetesClusterLinuxProfileSshKey
    An ssh_key block as defined below. Only one is currently allowed. Changing this will update the key on all node pools. More information can be found in the documentation.
    AdminUsername string
    The Admin Username for the Cluster. Changing this forces a new resource to be created.
    SshKey KubernetesClusterLinuxProfileSshKey
    An ssh_key block as defined below. Only one is currently allowed. Changing this will update the key on all node pools. More information can be found in the documentation.
    adminUsername String
    The Admin Username for the Cluster. Changing this forces a new resource to be created.
    sshKey KubernetesClusterLinuxProfileSshKey
    An ssh_key block as defined below. Only one is currently allowed. Changing this will update the key on all node pools. More information can be found in the documentation.
    adminUsername string
    The Admin Username for the Cluster. Changing this forces a new resource to be created.
    sshKey KubernetesClusterLinuxProfileSshKey
    An ssh_key block as defined below. Only one is currently allowed. Changing this will update the key on all node pools. More information can be found in the documentation.
    admin_username str
    The Admin Username for the Cluster. Changing this forces a new resource to be created.
    ssh_key KubernetesClusterLinuxProfileSshKey
    An ssh_key block as defined below. Only one is currently allowed. Changing this will update the key on all node pools. More information can be found in the documentation.
    adminUsername String
    The Admin Username for the Cluster. Changing this forces a new resource to be created.
    sshKey Property Map
    An ssh_key block as defined below. Only one is currently allowed. Changing this will update the key on all node pools. More information can be found in the documentation.

    KubernetesClusterLinuxProfileSshKey, KubernetesClusterLinuxProfileSshKeyArgs

    KeyData string
    The Public SSH Key used to access the cluster.
    KeyData string
    The Public SSH Key used to access the cluster.
    keyData String
    The Public SSH Key used to access the cluster.
    keyData string
    The Public SSH Key used to access the cluster.
    key_data str
    The Public SSH Key used to access the cluster.
    keyData String
    The Public SSH Key used to access the cluster.

    KubernetesClusterMaintenanceWindow, KubernetesClusterMaintenanceWindowArgs

    Alloweds List<KubernetesClusterMaintenanceWindowAllowed>
    One or more allowed blocks as defined below.
    NotAlloweds List<KubernetesClusterMaintenanceWindowNotAllowed>
    One or more not_allowed blocks as defined below.
    Alloweds []KubernetesClusterMaintenanceWindowAllowed
    One or more allowed blocks as defined below.
    NotAlloweds []KubernetesClusterMaintenanceWindowNotAllowed
    One or more not_allowed blocks as defined below.
    alloweds List<KubernetesClusterMaintenanceWindowAllowed>
    One or more allowed blocks as defined below.
    notAlloweds List<KubernetesClusterMaintenanceWindowNotAllowed>
    One or more not_allowed blocks as defined below.
    alloweds KubernetesClusterMaintenanceWindowAllowed[]
    One or more allowed blocks as defined below.
    notAlloweds KubernetesClusterMaintenanceWindowNotAllowed[]
    One or more not_allowed blocks as defined below.
    alloweds Sequence[KubernetesClusterMaintenanceWindowAllowed]
    One or more allowed blocks as defined below.
    not_alloweds Sequence[KubernetesClusterMaintenanceWindowNotAllowed]
    One or more not_allowed blocks as defined below.
    alloweds List<Property Map>
    One or more allowed blocks as defined below.
    notAlloweds List<Property Map>
    One or more not_allowed blocks as defined below.

    KubernetesClusterMaintenanceWindowAllowed, KubernetesClusterMaintenanceWindowAllowedArgs

    Day string
    A day in a week. Possible values are Sunday, Monday, Tuesday, Wednesday, Thursday, Friday and Saturday.
    Hours List<int>
    An array of hour slots in a day. For example, specifying 1 will allow maintenance from 1:00am to 2:00am. Specifying 1, 2 will allow maintenance from 1:00am to 3:00am. Possible values are between 0 and 23.
    Day string
    A day in a week. Possible values are Sunday, Monday, Tuesday, Wednesday, Thursday, Friday and Saturday.
    Hours []int
    An array of hour slots in a day. For example, specifying 1 will allow maintenance from 1:00am to 2:00am. Specifying 1, 2 will allow maintenance from 1:00am to 3:00am. Possible values are between 0 and 23.
    day String
    A day in a week. Possible values are Sunday, Monday, Tuesday, Wednesday, Thursday, Friday and Saturday.
    hours List<Integer>
    An array of hour slots in a day. For example, specifying 1 will allow maintenance from 1:00am to 2:00am. Specifying 1, 2 will allow maintenance from 1:00am to 3:00am. Possible values are between 0 and 23.
    day string
    A day in a week. Possible values are Sunday, Monday, Tuesday, Wednesday, Thursday, Friday and Saturday.
    hours number[]
    An array of hour slots in a day. For example, specifying 1 will allow maintenance from 1:00am to 2:00am. Specifying 1, 2 will allow maintenance from 1:00am to 3:00am. Possible values are between 0 and 23.
    day str
    A day in a week. Possible values are Sunday, Monday, Tuesday, Wednesday, Thursday, Friday and Saturday.
    hours Sequence[int]
    An array of hour slots in a day. For example, specifying 1 will allow maintenance from 1:00am to 2:00am. Specifying 1, 2 will allow maintenance from 1:00am to 3:00am. Possible values are between 0 and 23.
    day String
    A day in a week. Possible values are Sunday, Monday, Tuesday, Wednesday, Thursday, Friday and Saturday.
    hours List<Number>
    An array of hour slots in a day. For example, specifying 1 will allow maintenance from 1:00am to 2:00am. Specifying 1, 2 will allow maintenance from 1:00am to 3:00am. Possible values are between 0 and 23.

    KubernetesClusterMaintenanceWindowAutoUpgrade, KubernetesClusterMaintenanceWindowAutoUpgradeArgs

    Duration int
    The duration of the window for maintenance to run in hours.
    Frequency string
    Frequency of maintenance. Possible options are Weekly, AbsoluteMonthly and RelativeMonthly.
    Interval int
    The interval for maintenance runs. Depending on the frequency this interval is week or month based.
    DayOfMonth int
    The day of the month for the maintenance run. Required in combination with RelativeMonthly frequency. Value between 0 and 31 (inclusive).
    DayOfWeek string
    The day of the week for the maintenance run. Required in combination with weekly frequency. Possible values are Friday, Monday, Saturday, Sunday, Thursday, Tuesday and Wednesday.
    NotAlloweds List<KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowed>
    One or more not_allowed blocks as defined below.
    StartDate string
    The date on which the maintenance window begins to take effect.
    StartTime string
    The time for maintenance to begin, based on the timezone determined by utc_offset. Format is HH:mm.
    UtcOffset string
    Used to determine the timezone for cluster maintenance.
    WeekIndex string
    Specifies on which instance of the allowed days specified in day_of_week the maintenance occurs. Options are First, Second, Third, Fourth, and Last. Required in combination with relative monthly frequency.
    Duration int
    The duration of the window for maintenance to run in hours.
    Frequency string
    Frequency of maintenance. Possible options are Weekly, AbsoluteMonthly and RelativeMonthly.
    Interval int
    The interval for maintenance runs. Depending on the frequency this interval is week or month based.
    DayOfMonth int
    The day of the month for the maintenance run. Required in combination with RelativeMonthly frequency. Value between 0 and 31 (inclusive).
    DayOfWeek string
    The day of the week for the maintenance run. Required in combination with weekly frequency. Possible values are Friday, Monday, Saturday, Sunday, Thursday, Tuesday and Wednesday.
    NotAlloweds []KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowed
    One or more not_allowed blocks as defined below.
    StartDate string
    The date on which the maintenance window begins to take effect.
    StartTime string
    The time for maintenance to begin, based on the timezone determined by utc_offset. Format is HH:mm.
    UtcOffset string
    Used to determine the timezone for cluster maintenance.
    WeekIndex string
    Specifies on which instance of the allowed days specified in day_of_week the maintenance occurs. Options are First, Second, Third, Fourth, and Last. Required in combination with relative monthly frequency.
    duration Integer
    The duration of the window for maintenance to run in hours.
    frequency String
    Frequency of maintenance. Possible options are Weekly, AbsoluteMonthly and RelativeMonthly.
    interval Integer
    The interval for maintenance runs. Depending on the frequency this interval is week or month based.
    dayOfMonth Integer
    The day of the month for the maintenance run. Required in combination with RelativeMonthly frequency. Value between 0 and 31 (inclusive).
    dayOfWeek String
    The day of the week for the maintenance run. Required in combination with weekly frequency. Possible values are Friday, Monday, Saturday, Sunday, Thursday, Tuesday and Wednesday.
    notAlloweds List<KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowed>
    One or more not_allowed blocks as defined below.
    startDate String
    The date on which the maintenance window begins to take effect.
    startTime String
    The time for maintenance to begin, based on the timezone determined by utc_offset. Format is HH:mm.
    utcOffset String
    Used to determine the timezone for cluster maintenance.
    weekIndex String
    Specifies on which instance of the allowed days specified in day_of_week the maintenance occurs. Options are First, Second, Third, Fourth, and Last. Required in combination with relative monthly frequency.
    duration number
    The duration of the window for maintenance to run in hours.
    frequency string
    Frequency of maintenance. Possible options are Weekly, AbsoluteMonthly and RelativeMonthly.
    interval number
    The interval for maintenance runs. Depending on the frequency this interval is week or month based.
    dayOfMonth number
    The day of the month for the maintenance run. Required in combination with RelativeMonthly frequency. Value between 0 and 31 (inclusive).
    dayOfWeek string
    The day of the week for the maintenance run. Required in combination with weekly frequency. Possible values are Friday, Monday, Saturday, Sunday, Thursday, Tuesday and Wednesday.
    notAlloweds KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowed[]
    One or more not_allowed blocks as defined below.
    startDate string
    The date on which the maintenance window begins to take effect.
    startTime string
    The time for maintenance to begin, based on the timezone determined by utc_offset. Format is HH:mm.
    utcOffset string
    Used to determine the timezone for cluster maintenance.
    weekIndex string
    Specifies on which instance of the allowed days specified in day_of_week the maintenance occurs. Options are First, Second, Third, Fourth, and Last. Required in combination with relative monthly frequency.
    duration int
    The duration of the window for maintenance to run in hours.
    frequency str
    Frequency of maintenance. Possible options are Weekly, AbsoluteMonthly and RelativeMonthly.
    interval int
    The interval for maintenance runs. Depending on the frequency this interval is week or month based.
    day_of_month int
    The day of the month for the maintenance run. Required in combination with RelativeMonthly frequency. Value between 0 and 31 (inclusive).
    day_of_week str
    The day of the week for the maintenance run. Required in combination with weekly frequency. Possible values are Friday, Monday, Saturday, Sunday, Thursday, Tuesday and Wednesday.
    not_alloweds Sequence[KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowed]
    One or more not_allowed blocks as defined below.
    start_date str
    The date on which the maintenance window begins to take effect.
    start_time str
    The time for maintenance to begin, based on the timezone determined by utc_offset. Format is HH:mm.
    utc_offset str
    Used to determine the timezone for cluster maintenance.
    week_index str
    Specifies on which instance of the allowed days specified in day_of_week the maintenance occurs. Options are First, Second, Third, Fourth, and Last. Required in combination with relative monthly frequency.
    duration Number
    The duration of the window for maintenance to run in hours.
    frequency String
    Frequency of maintenance. Possible options are Weekly, AbsoluteMonthly and RelativeMonthly.
    interval Number
    The interval for maintenance runs. Depending on the frequency this interval is week or month based.
    dayOfMonth Number
    The day of the month for the maintenance run. Required in combination with RelativeMonthly frequency. Value between 0 and 31 (inclusive).
    dayOfWeek String
    The day of the week for the maintenance run. Required in combination with weekly frequency. Possible values are Friday, Monday, Saturday, Sunday, Thursday, Tuesday and Wednesday.
    notAlloweds List<Property Map>
    One or more not_allowed blocks as defined below.
    startDate String
    The date on which the maintenance window begins to take effect.
    startTime String
    The time for maintenance to begin, based on the timezone determined by utc_offset. Format is HH:mm.
    utcOffset String
    Used to determine the timezone for cluster maintenance.
    weekIndex String
    Specifies on which instance of the allowed days specified in day_of_week the maintenance occurs. Options are First, Second, Third, Fourth, and Last. Required in combination with relative monthly frequency.

    KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowed, KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowedArgs

    End string
    The end of a time span, formatted as an RFC3339 string.
    Start string
    The start of a time span, formatted as an RFC3339 string.
    End string
    The end of a time span, formatted as an RFC3339 string.
    Start string
    The start of a time span, formatted as an RFC3339 string.
    end String
    The end of a time span, formatted as an RFC3339 string.
    start String
    The start of a time span, formatted as an RFC3339 string.
    end string
    The end of a time span, formatted as an RFC3339 string.
    start string
    The start of a time span, formatted as an RFC3339 string.
    end str
    The end of a time span, formatted as an RFC3339 string.
    start str
    The start of a time span, formatted as an RFC3339 string.
    end String
    The end of a time span, formatted as an RFC3339 string.
    start String
    The start of a time span, formatted as an RFC3339 string.

    KubernetesClusterMaintenanceWindowNodeOs, KubernetesClusterMaintenanceWindowNodeOsArgs

    Duration int
    The duration of the window for maintenance to run in hours.
    Frequency string
    Frequency of maintenance. Possible options are Daily, Weekly, AbsoluteMonthly and RelativeMonthly.
    Interval int
    The interval for maintenance runs. Depending on the frequency this interval is week or month based.
    DayOfMonth int
    The day of the month for the maintenance run. Required in combination with RelativeMonthly frequency. Value between 0 and 31 (inclusive).
    DayOfWeek string
    The day of the week for the maintenance run. Required in combination with weekly frequency. Possible values are Friday, Monday, Saturday, Sunday, Thursday, Tuesday and Wednesday.
    NotAlloweds List<KubernetesClusterMaintenanceWindowNodeOsNotAllowed>
    One or more not_allowed blocks as defined below.
    StartDate string
    The date on which the maintenance window begins to take effect.
    StartTime string
    The time for maintenance to begin, based on the timezone determined by utc_offset. Format is HH:mm.
    UtcOffset string
    Used to determine the timezone for cluster maintenance.
    WeekIndex string
    The week in the month used for the maintenance run. Options are First, Second, Third, Fourth, and Last.
    Duration int
    The duration of the window for maintenance to run in hours.
    Frequency string
    Frequency of maintenance. Possible options are Daily, Weekly, AbsoluteMonthly and RelativeMonthly.
    Interval int
    The interval for maintenance runs. Depending on the frequency this interval is week or month based.
    DayOfMonth int
    The day of the month for the maintenance run. Required in combination with RelativeMonthly frequency. Value between 0 and 31 (inclusive).
    DayOfWeek string
    The day of the week for the maintenance run. Required in combination with weekly frequency. Possible values are Friday, Monday, Saturday, Sunday, Thursday, Tuesday and Wednesday.
    NotAlloweds []KubernetesClusterMaintenanceWindowNodeOsNotAllowed
    One or more not_allowed blocks as defined below.
    StartDate string
    The date on which the maintenance window begins to take effect.
    StartTime string
    The time for maintenance to begin, based on the timezone determined by utc_offset. Format is HH:mm.
    UtcOffset string
    Used to determine the timezone for cluster maintenance.
    WeekIndex string
    The week in the month used for the maintenance run. Options are First, Second, Third, Fourth, and Last.
    duration Integer
    The duration of the window for maintenance to run in hours.
    frequency String
    Frequency of maintenance. Possible options are Daily, Weekly, AbsoluteMonthly and RelativeMonthly.
    interval Integer
    The interval for maintenance runs. Depending on the frequency this interval is week or month based.
    dayOfMonth Integer
    The day of the month for the maintenance run. Required in combination with RelativeMonthly frequency. Value between 0 and 31 (inclusive).
    dayOfWeek String
    The day of the week for the maintenance run. Required in combination with weekly frequency. Possible values are Friday, Monday, Saturday, Sunday, Thursday, Tuesday and Wednesday.
    notAlloweds List<KubernetesClusterMaintenanceWindowNodeOsNotAllowed>
    One or more not_allowed blocks as defined below.
    startDate String
    The date on which the maintenance window begins to take effect.
    startTime String
    The time for maintenance to begin, based on the timezone determined by utc_offset. Format is HH:mm.
    utcOffset String
    Used to determine the timezone for cluster maintenance.
    weekIndex String
    The week in the month used for the maintenance run. Options are First, Second, Third, Fourth, and Last.
    duration number
    The duration of the window for maintenance to run in hours.
    frequency string
    Frequency of maintenance. Possible options are Daily, Weekly, AbsoluteMonthly and RelativeMonthly.
    interval number
    The interval for maintenance runs. Depending on the frequency this interval is week or month based.
    dayOfMonth number
    The day of the month for the maintenance run. Required in combination with RelativeMonthly frequency. Value between 0 and 31 (inclusive).
    dayOfWeek string
    The day of the week for the maintenance run. Required in combination with weekly frequency. Possible values are Friday, Monday, Saturday, Sunday, Thursday, Tuesday and Wednesday.
    notAlloweds KubernetesClusterMaintenanceWindowNodeOsNotAllowed[]
    One or more not_allowed blocks as defined below.
    startDate string
    The date on which the maintenance window begins to take effect.
    startTime string
    The time for maintenance to begin, based on the timezone determined by utc_offset. Format is HH:mm.
    utcOffset string
    Used to determine the timezone for cluster maintenance.
    weekIndex string
    The week in the month used for the maintenance run. Options are First, Second, Third, Fourth, and Last.
    duration int
    The duration of the window for maintenance to run in hours.
    frequency str
    Frequency of maintenance. Possible options are Daily, Weekly, AbsoluteMonthly and RelativeMonthly.
    interval int
    The interval for maintenance runs. Depending on the frequency this interval is week or month based.
    day_of_month int
    The day of the month for the maintenance run. Required in combination with RelativeMonthly frequency. Value between 0 and 31 (inclusive).
    day_of_week str
    The day of the week for the maintenance run. Required in combination with weekly frequency. Possible values are Friday, Monday, Saturday, Sunday, Thursday, Tuesday and Wednesday.
    not_alloweds Sequence[KubernetesClusterMaintenanceWindowNodeOsNotAllowed]
    One or more not_allowed blocks as defined below.
    start_date str
    The date on which the maintenance window begins to take effect.
    start_time str
    The time for maintenance to begin, based on the timezone determined by utc_offset. Format is HH:mm.
    utc_offset str
    Used to determine the timezone for cluster maintenance.
    week_index str
    The week in the month used for the maintenance run. Options are First, Second, Third, Fourth, and Last.
    duration Number
    The duration of the window for maintenance to run in hours.
    frequency String
    Frequency of maintenance. Possible options are Daily, Weekly, AbsoluteMonthly and RelativeMonthly.
    interval Number
    The interval for maintenance runs. Depending on the frequency this interval is week or month based.
    dayOfMonth Number
    The day of the month for the maintenance run. Required in combination with RelativeMonthly frequency. Value between 0 and 31 (inclusive).
    dayOfWeek String
    The day of the week for the maintenance run. Required in combination with weekly frequency. Possible values are Friday, Monday, Saturday, Sunday, Thursday, Tuesday and Wednesday.
    notAlloweds List<Property Map>
    One or more not_allowed blocks as defined below.
    startDate String
    The date on which the maintenance window begins to take effect.
    startTime String
    The time for maintenance to begin, based on the timezone determined by utc_offset. Format is HH:mm.
    utcOffset String
    Used to determine the timezone for cluster maintenance.
    weekIndex String
    The week in the month used for the maintenance run. Options are First, Second, Third, Fourth, and Last.

    KubernetesClusterMaintenanceWindowNodeOsNotAllowed, KubernetesClusterMaintenanceWindowNodeOsNotAllowedArgs

    End string
    The end of a time span, formatted as an RFC3339 string.
    Start string
    The start of a time span, formatted as an RFC3339 string.
    End string
    The end of a time span, formatted as an RFC3339 string.
    Start string
    The start of a time span, formatted as an RFC3339 string.
    end String
    The end of a time span, formatted as an RFC3339 string.
    start String
    The start of a time span, formatted as an RFC3339 string.
    end string
    The end of a time span, formatted as an RFC3339 string.
    start string
    The start of a time span, formatted as an RFC3339 string.
    end str
    The end of a time span, formatted as an RFC3339 string.
    start str
    The start of a time span, formatted as an RFC3339 string.
    end String
    The end of a time span, formatted as an RFC3339 string.
    start String
    The start of a time span, formatted as an RFC3339 string.

    KubernetesClusterMaintenanceWindowNotAllowed, KubernetesClusterMaintenanceWindowNotAllowedArgs

    End string
    The end of a time span, formatted as an RFC3339 string.
    Start string
    The start of a time span, formatted as an RFC3339 string.
    End string
    The end of a time span, formatted as an RFC3339 string.
    Start string
    The start of a time span, formatted as an RFC3339 string.
    end String
    The end of a time span, formatted as an RFC3339 string.
    start String
    The start of a time span, formatted as an RFC3339 string.
    end string
    The end of a time span, formatted as an RFC3339 string.
    start string
    The start of a time span, formatted as an RFC3339 string.
    end str
    The end of a time span, formatted as an RFC3339 string.
    start str
    The start of a time span, formatted as an RFC3339 string.
    end String
    The end of a time span, formatted as an RFC3339 string.
    start String
    The start of a time span, formatted as an RFC3339 string.

    KubernetesClusterMicrosoftDefender, KubernetesClusterMicrosoftDefenderArgs

    LogAnalyticsWorkspaceId string
    Specifies the ID of the Log Analytics Workspace where the audit logs collected by Microsoft Defender should be sent to.
    LogAnalyticsWorkspaceId string
    Specifies the ID of the Log Analytics Workspace where the audit logs collected by Microsoft Defender should be sent to.
    logAnalyticsWorkspaceId String
    Specifies the ID of the Log Analytics Workspace where the audit logs collected by Microsoft Defender should be sent to.
    logAnalyticsWorkspaceId string
    Specifies the ID of the Log Analytics Workspace where the audit logs collected by Microsoft Defender should be sent to.
    log_analytics_workspace_id str
    Specifies the ID of the Log Analytics Workspace where the audit logs collected by Microsoft Defender should be sent to.
    logAnalyticsWorkspaceId String
    Specifies the ID of the Log Analytics Workspace where the audit logs collected by Microsoft Defender should be sent to.

    KubernetesClusterMonitorMetrics, KubernetesClusterMonitorMetricsArgs

    AnnotationsAllowed string
    Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric.
    LabelsAllowed string

    Specifies a comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric.

    Note: Both properties annotations_allowed and labels_allowed are required if you are enabling Managed Prometheus with an existing Azure Monitor Workspace.

    AnnotationsAllowed string
    Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric.
    LabelsAllowed string

    Specifies a comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric.

    Note: Both properties annotations_allowed and labels_allowed are required if you are enabling Managed Prometheus with an existing Azure Monitor Workspace.

    annotationsAllowed String
    Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric.
    labelsAllowed String

    Specifies a comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric.

    Note: Both properties annotations_allowed and labels_allowed are required if you are enabling Managed Prometheus with an existing Azure Monitor Workspace.

    annotationsAllowed string
    Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric.
    labelsAllowed string

    Specifies a comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric.

    Note: Both properties annotations_allowed and labels_allowed are required if you are enabling Managed Prometheus with an existing Azure Monitor Workspace.

    annotations_allowed str
    Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric.
    labels_allowed str

    Specifies a comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric.

    Note: Both properties annotations_allowed and labels_allowed are required if you are enabling Managed Prometheus with an existing Azure Monitor Workspace.

    annotationsAllowed String
    Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric.
    labelsAllowed String

    Specifies a comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric.

    Note: Both properties annotations_allowed and labels_allowed are required if you are enabling Managed Prometheus with an existing Azure Monitor Workspace.

    KubernetesClusterNetworkProfile, KubernetesClusterNetworkProfileArgs

    NetworkPlugin string

    Network plugin to use for networking. Currently supported values are azure, kubenet and none. Changing this forces a new resource to be created.

    Note: When network_plugin is set to azure - the pod_cidr field must not be set.

    DnsServiceIp string
    IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created.
    DockerBridgeCidr string

    IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created.

    Note: docker_bridge_cidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

    Deprecated: docker_bridge_cidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

    EbpfDataPlane string

    Specifies the eBPF data plane used for building the Kubernetes network. Possible value is cilium. Disabling this forces a new resource to be created.

    Note: When ebpf_data_plane is set to cilium, the network_plugin field can only be set to azure.

    Note: When ebpf_data_plane is set to cilium, one of either network_plugin_mode = "overlay" or pod_subnet_id must be specified.

    Note: This requires that the Preview Feature Microsoft.ContainerService/CiliumDataplanePreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    IpVersions List<string>

    Specifies a list of IP versions the Kubernetes Cluster will use to assign IP addresses to its nodes and pods. Possible values are IPv4 and/or IPv6. IPv4 must always be specified. Changing this forces a new resource to be created.

    Note: To configure dual-stack networking, ip_versions should be set to ["IPv4", "IPv6"].

    Note: Dual-stack networking requires that the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack is enabled and the Resource Provider is re-registered, see the documentation for more information.

    LoadBalancerProfile KubernetesClusterNetworkProfileLoadBalancerProfile
    A load_balancer_profile block as defined below. This can only be specified when load_balancer_sku is set to standard. Changing this forces a new resource to be created.
    LoadBalancerSku string
    Specifies the SKU of the Load Balancer used for this Kubernetes Cluster. Possible values are basic and standard. Defaults to standard. Changing this forces a new resource to be created.
    NatGatewayProfile KubernetesClusterNetworkProfileNatGatewayProfile
    A nat_gateway_profile block as defined below. This can only be specified when load_balancer_sku is set to standard and outbound_type is set to managedNATGateway or userAssignedNATGateway. Changing this forces a new resource to be created.
    NetworkMode string

    Network mode to be used with Azure CNI. Possible values are bridge and transparent. Changing this forces a new resource to be created.

    Note: network_mode can only be set to bridge for existing Kubernetes Clusters and cannot be used to provision new Clusters - this will be removed by Azure in the future.

    Note: This property can only be set when network_plugin is set to azure.

    NetworkPluginMode string

    Specifies the network plugin mode used for building the Kubernetes network. Possible value is overlay.

    Note: When network_plugin_mode is set to overlay, the network_plugin field can only be set to azure. When upgrading from Azure CNI without overlay, pod_subnet_id must be specified.

    NetworkPolicy string

    Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. Currently supported values are calico, azure and cilium.

    Note: When network_policy is set to azure, the network_plugin field can only be set to azure.

    Note: When network_policy is set to cilium, the ebpf_data_plane field must be set to cilium.

    OutboundType string
    The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer, userDefinedRouting, managedNATGateway and userAssignedNATGateway. Defaults to loadBalancer. More information on supported migration paths for outbound_type can be found in this documentation.
    PodCidr string
    The CIDR to use for pod IP addresses. This field can only be set when network_plugin is set to kubenet. Changing this forces a new resource to be created.
    PodCidrs List<string>
    A list of CIDRs to use for pod IP addresses. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.
    ServiceCidr string
    The Network Range used by the Kubernetes service. Changing this forces a new resource to be created.
    ServiceCidrs List<string>

    A list of CIDRs to use for Kubernetes services. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.

    Note: This range should not be used by any network element on or connected to this VNet. Service address CIDR must be smaller than /12. docker_bridge_cidr, dns_service_ip and service_cidr should all be empty or all should be set.

    NetworkPlugin string

    Network plugin to use for networking. Currently supported values are azure, kubenet and none. Changing this forces a new resource to be created.

    Note: When network_plugin is set to azure - the pod_cidr field must not be set.

    DnsServiceIp string
    IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created.
    DockerBridgeCidr string

    IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created.

    Note: docker_bridge_cidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

    Deprecated: docker_bridge_cidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

    EbpfDataPlane string

    Specifies the eBPF data plane used for building the Kubernetes network. Possible value is cilium. Disabling this forces a new resource to be created.

    Note: When ebpf_data_plane is set to cilium, the network_plugin field can only be set to azure.

    Note: When ebpf_data_plane is set to cilium, one of either network_plugin_mode = "overlay" or pod_subnet_id must be specified.

    Note: This requires that the Preview Feature Microsoft.ContainerService/CiliumDataplanePreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    IpVersions []string

    Specifies a list of IP versions the Kubernetes Cluster will use to assign IP addresses to its nodes and pods. Possible values are IPv4 and/or IPv6. IPv4 must always be specified. Changing this forces a new resource to be created.

    Note: To configure dual-stack networking, ip_versions should be set to ["IPv4", "IPv6"].

    Note: Dual-stack networking requires that the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack is enabled and the Resource Provider is re-registered, see the documentation for more information.

    LoadBalancerProfile KubernetesClusterNetworkProfileLoadBalancerProfile
    A load_balancer_profile block as defined below. This can only be specified when load_balancer_sku is set to standard. Changing this forces a new resource to be created.
    LoadBalancerSku string
    Specifies the SKU of the Load Balancer used for this Kubernetes Cluster. Possible values are basic and standard. Defaults to standard. Changing this forces a new resource to be created.
    NatGatewayProfile KubernetesClusterNetworkProfileNatGatewayProfile
    A nat_gateway_profile block as defined below. This can only be specified when load_balancer_sku is set to standard and outbound_type is set to managedNATGateway or userAssignedNATGateway. Changing this forces a new resource to be created.
    NetworkMode string

    Network mode to be used with Azure CNI. Possible values are bridge and transparent. Changing this forces a new resource to be created.

    Note: network_mode can only be set to bridge for existing Kubernetes Clusters and cannot be used to provision new Clusters - this will be removed by Azure in the future.

    Note: This property can only be set when network_plugin is set to azure.

    NetworkPluginMode string

    Specifies the network plugin mode used for building the Kubernetes network. Possible value is overlay.

    Note: When network_plugin_mode is set to overlay, the network_plugin field can only be set to azure. When upgrading from Azure CNI without overlay, pod_subnet_id must be specified.

    NetworkPolicy string

    Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. Currently supported values are calico, azure and cilium.

    Note: When network_policy is set to azure, the network_plugin field can only be set to azure.

    Note: When network_policy is set to cilium, the ebpf_data_plane field must be set to cilium.

    OutboundType string
    The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer, userDefinedRouting, managedNATGateway and userAssignedNATGateway. Defaults to loadBalancer. More information on supported migration paths for outbound_type can be found in this documentation.
    PodCidr string
    The CIDR to use for pod IP addresses. This field can only be set when network_plugin is set to kubenet. Changing this forces a new resource to be created.
    PodCidrs []string
    A list of CIDRs to use for pod IP addresses. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.
    ServiceCidr string
    The Network Range used by the Kubernetes service. Changing this forces a new resource to be created.
    ServiceCidrs []string

    A list of CIDRs to use for Kubernetes services. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.

    Note: This range should not be used by any network element on or connected to this VNet. Service address CIDR must be smaller than /12. docker_bridge_cidr, dns_service_ip and service_cidr should all be empty or all should be set.

    networkPlugin String

    Network plugin to use for networking. Currently supported values are azure, kubenet and none. Changing this forces a new resource to be created.

    Note: When network_plugin is set to azure - the pod_cidr field must not be set.

    dnsServiceIp String
    IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created.
    dockerBridgeCidr String

    IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created.

    Note: docker_bridge_cidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

    Deprecated: docker_bridge_cidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

    ebpfDataPlane String

    Specifies the eBPF data plane used for building the Kubernetes network. Possible value is cilium. Disabling this forces a new resource to be created.

    Note: When ebpf_data_plane is set to cilium, the network_plugin field can only be set to azure.

    Note: When ebpf_data_plane is set to cilium, one of either network_plugin_mode = "overlay" or pod_subnet_id must be specified.

    Note: This requires that the Preview Feature Microsoft.ContainerService/CiliumDataplanePreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    ipVersions List<String>

    Specifies a list of IP versions the Kubernetes Cluster will use to assign IP addresses to its nodes and pods. Possible values are IPv4 and/or IPv6. IPv4 must always be specified. Changing this forces a new resource to be created.

    Note: To configure dual-stack networking, ip_versions should be set to ["IPv4", "IPv6"].

    Note: Dual-stack networking requires that the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack is enabled and the Resource Provider is re-registered, see the documentation for more information.

    loadBalancerProfile KubernetesClusterNetworkProfileLoadBalancerProfile
    A load_balancer_profile block as defined below. This can only be specified when load_balancer_sku is set to standard. Changing this forces a new resource to be created.
    loadBalancerSku String
    Specifies the SKU of the Load Balancer used for this Kubernetes Cluster. Possible values are basic and standard. Defaults to standard. Changing this forces a new resource to be created.
    natGatewayProfile KubernetesClusterNetworkProfileNatGatewayProfile
    A nat_gateway_profile block as defined below. This can only be specified when load_balancer_sku is set to standard and outbound_type is set to managedNATGateway or userAssignedNATGateway. Changing this forces a new resource to be created.
    networkMode String

    Network mode to be used with Azure CNI. Possible values are bridge and transparent. Changing this forces a new resource to be created.

    Note: network_mode can only be set to bridge for existing Kubernetes Clusters and cannot be used to provision new Clusters - this will be removed by Azure in the future.

    Note: This property can only be set when network_plugin is set to azure.

    networkPluginMode String

    Specifies the network plugin mode used for building the Kubernetes network. Possible value is overlay.

    Note: When network_plugin_mode is set to overlay, the network_plugin field can only be set to azure. When upgrading from Azure CNI without overlay, pod_subnet_id must be specified.

    networkPolicy String

    Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. Currently supported values are calico, azure and cilium.

    Note: When network_policy is set to azure, the network_plugin field can only be set to azure.

    Note: When network_policy is set to cilium, the ebpf_data_plane field must be set to cilium.

    outboundType String
    The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer, userDefinedRouting, managedNATGateway and userAssignedNATGateway. Defaults to loadBalancer. More information on supported migration paths for outbound_type can be found in this documentation.
    podCidr String
    The CIDR to use for pod IP addresses. This field can only be set when network_plugin is set to kubenet. Changing this forces a new resource to be created.
    podCidrs List<String>
    A list of CIDRs to use for pod IP addresses. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.
    serviceCidr String
    The Network Range used by the Kubernetes service. Changing this forces a new resource to be created.
    serviceCidrs List<String>

    A list of CIDRs to use for Kubernetes services. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.

    Note: This range should not be used by any network element on or connected to this VNet. Service address CIDR must be smaller than /12. docker_bridge_cidr, dns_service_ip and service_cidr should all be empty or all should be set.

    networkPlugin string

    Network plugin to use for networking. Currently supported values are azure, kubenet and none. Changing this forces a new resource to be created.

    Note: When network_plugin is set to azure - the pod_cidr field must not be set.

    dnsServiceIp string
    IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created.
    dockerBridgeCidr string

    IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created.

    Note: docker_bridge_cidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

    Deprecated: docker_bridge_cidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

    ebpfDataPlane string

    Specifies the eBPF data plane used for building the Kubernetes network. Possible value is cilium. Disabling this forces a new resource to be created.

    Note: When ebpf_data_plane is set to cilium, the network_plugin field can only be set to azure.

    Note: When ebpf_data_plane is set to cilium, one of either network_plugin_mode = "overlay" or pod_subnet_id must be specified.

    Note: This requires that the Preview Feature Microsoft.ContainerService/CiliumDataplanePreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    ipVersions string[]

    Specifies a list of IP versions the Kubernetes Cluster will use to assign IP addresses to its nodes and pods. Possible values are IPv4 and/or IPv6. IPv4 must always be specified. Changing this forces a new resource to be created.

    Note: To configure dual-stack networking, ip_versions should be set to ["IPv4", "IPv6"].

    Note: Dual-stack networking requires that the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack is enabled and the Resource Provider is re-registered; see the documentation for more information.

    loadBalancerProfile KubernetesClusterNetworkProfileLoadBalancerProfile
    A load_balancer_profile block as defined below. This can only be specified when load_balancer_sku is set to standard. Changing this forces a new resource to be created.
    loadBalancerSku string
    Specifies the SKU of the Load Balancer used for this Kubernetes Cluster. Possible values are basic and standard. Defaults to standard. Changing this forces a new resource to be created.
    natGatewayProfile KubernetesClusterNetworkProfileNatGatewayProfile
    A nat_gateway_profile block as defined below. This can only be specified when load_balancer_sku is set to standard and outbound_type is set to managedNATGateway or userAssignedNATGateway. Changing this forces a new resource to be created.
    networkMode string

    Network mode to be used with Azure CNI. Possible values are bridge and transparent. Changing this forces a new resource to be created.

    Note: network_mode can only be set to bridge for existing Kubernetes Clusters and cannot be used to provision new Clusters - this will be removed by Azure in the future.

    Note: This property can only be set when network_plugin is set to azure.

    networkPluginMode string

    Specifies the network plugin mode used for building the Kubernetes network. Possible value is overlay.

    Note: When network_plugin_mode is set to overlay, the network_plugin field can only be set to azure. When upgrading from Azure CNI without overlay, pod_subnet_id must be specified.

    networkPolicy string

    Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. Currently supported values are calico, azure and cilium.

    Note: When network_policy is set to azure, the network_plugin field can only be set to azure.

    Note: When network_policy is set to cilium, the ebpf_data_plane field must be set to cilium.

    outboundType string
    The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer, userDefinedRouting, managedNATGateway and userAssignedNATGateway. Defaults to loadBalancer. More information on supported migration paths for outbound_type can be found in this documentation.
    podCidr string
    The CIDR to use for pod IP addresses. This field can only be set when network_plugin is set to kubenet. Changing this forces a new resource to be created.
    podCidrs string[]
    A list of CIDRs to use for pod IP addresses. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.
    serviceCidr string
    The Network Range used by the Kubernetes service. Changing this forces a new resource to be created.
    serviceCidrs string[]

    A list of CIDRs to use for Kubernetes services. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.

    Note: This range should not be used by any network element on or connected to this VNet. Service address CIDR must be smaller than /12. docker_bridge_cidr, dns_service_ip and service_cidr should all be empty or all should be set.

    network_plugin str

    Network plugin to use for networking. Currently supported values are azure, kubenet and none. Changing this forces a new resource to be created.

    Note: When network_plugin is set to azure - the pod_cidr field must not be set.

    dns_service_ip str
    IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created.
    docker_bridge_cidr str

    IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created.

    Note: docker_bridge_cidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

    Deprecated: docker_bridge_cidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

    ebpf_data_plane str

    Specifies the eBPF data plane used for building the Kubernetes network. Possible value is cilium. Disabling this forces a new resource to be created.

    Note: When ebpf_data_plane is set to cilium, the network_plugin field can only be set to azure.

    Note: When ebpf_data_plane is set to cilium, one of either network_plugin_mode = "overlay" or pod_subnet_id must be specified.

    Note: This requires that the Preview Feature Microsoft.ContainerService/CiliumDataplanePreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    ip_versions Sequence[str]

    Specifies a list of IP versions the Kubernetes Cluster will use to assign IP addresses to its nodes and pods. Possible values are IPv4 and/or IPv6. IPv4 must always be specified. Changing this forces a new resource to be created.

    Note: To configure dual-stack networking, ip_versions should be set to ["IPv4", "IPv6"].

    Note: Dual-stack networking requires that the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack is enabled and the Resource Provider is re-registered; see the documentation for more information.

    load_balancer_profile KubernetesClusterNetworkProfileLoadBalancerProfile
    A load_balancer_profile block as defined below. This can only be specified when load_balancer_sku is set to standard. Changing this forces a new resource to be created.
    load_balancer_sku str
    Specifies the SKU of the Load Balancer used for this Kubernetes Cluster. Possible values are basic and standard. Defaults to standard. Changing this forces a new resource to be created.
    nat_gateway_profile KubernetesClusterNetworkProfileNatGatewayProfile
    A nat_gateway_profile block as defined below. This can only be specified when load_balancer_sku is set to standard and outbound_type is set to managedNATGateway or userAssignedNATGateway. Changing this forces a new resource to be created.
    network_mode str

    Network mode to be used with Azure CNI. Possible values are bridge and transparent. Changing this forces a new resource to be created.

    Note: network_mode can only be set to bridge for existing Kubernetes Clusters and cannot be used to provision new Clusters - this will be removed by Azure in the future.

    Note: This property can only be set when network_plugin is set to azure.

    network_plugin_mode str

    Specifies the network plugin mode used for building the Kubernetes network. Possible value is overlay.

    Note: When network_plugin_mode is set to overlay, the network_plugin field can only be set to azure. When upgrading from Azure CNI without overlay, pod_subnet_id must be specified.

    network_policy str

    Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. Currently supported values are calico, azure and cilium.

    Note: When network_policy is set to azure, the network_plugin field can only be set to azure.

    Note: When network_policy is set to cilium, the ebpf_data_plane field must be set to cilium.

    outbound_type str
    The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer, userDefinedRouting, managedNATGateway and userAssignedNATGateway. Defaults to loadBalancer. More information on supported migration paths for outbound_type can be found in this documentation.
    pod_cidr str
    The CIDR to use for pod IP addresses. This field can only be set when network_plugin is set to kubenet. Changing this forces a new resource to be created.
    pod_cidrs Sequence[str]
    A list of CIDRs to use for pod IP addresses. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.
    service_cidr str
    The Network Range used by the Kubernetes service. Changing this forces a new resource to be created.
    service_cidrs Sequence[str]

    A list of CIDRs to use for Kubernetes services. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.

    Note: This range should not be used by any network element on or connected to this VNet. Service address CIDR must be smaller than /12. docker_bridge_cidr, dns_service_ip and service_cidr should all be empty or all should be set.

    networkPlugin String

    Network plugin to use for networking. Currently supported values are azure, kubenet and none. Changing this forces a new resource to be created.

    Note: When network_plugin is set to azure - the pod_cidr field must not be set.

    dnsServiceIp String
    IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created.
    dockerBridgeCidr String

    IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created.

    Note: docker_bridge_cidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

    Deprecated: docker_bridge_cidr has been deprecated as the API no longer supports it and will be removed in version 4.0 of the provider.

    ebpfDataPlane String

    Specifies the eBPF data plane used for building the Kubernetes network. Possible value is cilium. Disabling this forces a new resource to be created.

    Note: When ebpf_data_plane is set to cilium, the network_plugin field can only be set to azure.

    Note: When ebpf_data_plane is set to cilium, one of either network_plugin_mode = "overlay" or pod_subnet_id must be specified.

    Note: This requires that the Preview Feature Microsoft.ContainerService/CiliumDataplanePreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    ipVersions List<String>

    Specifies a list of IP versions the Kubernetes Cluster will use to assign IP addresses to its nodes and pods. Possible values are IPv4 and/or IPv6. IPv4 must always be specified. Changing this forces a new resource to be created.

    Note: To configure dual-stack networking, ip_versions should be set to ["IPv4", "IPv6"].

    Note: Dual-stack networking requires that the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack is enabled and the Resource Provider is re-registered; see the documentation for more information.

    loadBalancerProfile Property Map
    A load_balancer_profile block as defined below. This can only be specified when load_balancer_sku is set to standard. Changing this forces a new resource to be created.
    loadBalancerSku String
    Specifies the SKU of the Load Balancer used for this Kubernetes Cluster. Possible values are basic and standard. Defaults to standard. Changing this forces a new resource to be created.
    natGatewayProfile Property Map
    A nat_gateway_profile block as defined below. This can only be specified when load_balancer_sku is set to standard and outbound_type is set to managedNATGateway or userAssignedNATGateway. Changing this forces a new resource to be created.
    networkMode String

    Network mode to be used with Azure CNI. Possible values are bridge and transparent. Changing this forces a new resource to be created.

    Note: network_mode can only be set to bridge for existing Kubernetes Clusters and cannot be used to provision new Clusters - this will be removed by Azure in the future.

    Note: This property can only be set when network_plugin is set to azure.

    networkPluginMode String

    Specifies the network plugin mode used for building the Kubernetes network. Possible value is overlay.

    Note: When network_plugin_mode is set to overlay, the network_plugin field can only be set to azure. When upgrading from Azure CNI without overlay, pod_subnet_id must be specified.

    networkPolicy String

    Sets up network policy to be used with Azure CNI. Network policy allows us to control the traffic flow between pods. Currently supported values are calico, azure and cilium.

    Note: When network_policy is set to azure, the network_plugin field can only be set to azure.

    Note: When network_policy is set to cilium, the ebpf_data_plane field must be set to cilium.

    outboundType String
    The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer, userDefinedRouting, managedNATGateway and userAssignedNATGateway. Defaults to loadBalancer. More information on supported migration paths for outbound_type can be found in this documentation.
    podCidr String
    The CIDR to use for pod IP addresses. This field can only be set when network_plugin is set to kubenet. Changing this forces a new resource to be created.
    podCidrs List<String>
    A list of CIDRs to use for pod IP addresses. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.
    serviceCidr String
    The Network Range used by the Kubernetes service. Changing this forces a new resource to be created.
    serviceCidrs List<String>

    A list of CIDRs to use for Kubernetes services. For single-stack networking a single IPv4 CIDR is expected. For dual-stack networking an IPv4 and IPv6 CIDR are expected. Changing this forces a new resource to be created.

    Note: This range should not be used by any network element on or connected to this VNet. Service address CIDR must be smaller than /12. docker_bridge_cidr, dns_service_ip and service_cidr should all be empty or all should be set.

    KubernetesClusterNetworkProfileLoadBalancerProfile, KubernetesClusterNetworkProfileLoadBalancerProfileArgs

    EffectiveOutboundIps List<string>
    The outcome (resource IDs) of the specified arguments.
    IdleTimeoutInMinutes int
    Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 100 inclusive. Defaults to 30.
    ManagedOutboundIpCount int
    Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.
    ManagedOutboundIpv6Count int

    The desired number of IPv6 outbound IPs created and managed by Azure for the cluster load balancer. Must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.

    Note: managed_outbound_ipv6_count requires dual-stack networking. To enable dual-stack networking the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack needs to be enabled and the Resource Provider re-registered, see the documentation for more information.

    OutboundIpAddressIds List<string>

    The IDs of the Public IP Addresses which should be used for outbound communication for the cluster load balancer.

    Note: Set outbound_ip_address_ids to an empty slice [] in order to unlink it from the cluster. Unlinking outbound_ip_address_ids will revert the load balancing for the cluster back to a managed one, so egress then uses Azure-managed public IPs instead of the addresses listed here.

    OutboundIpPrefixIds List<string>

    The IDs of the outbound Public IP Address Prefixes which should be used for the cluster load balancer.

    Note: Set outbound_ip_prefix_ids to an empty slice [] in order to unlink it from the cluster. Unlinking outbound_ip_prefix_ids will revert the load balancing for the cluster back to a managed one, so egress then uses Azure-managed public IPs instead of the prefixes listed here.

    OutboundPortsAllocated int
    Number of desired SNAT ports for each VM in the cluster's load balancer. Must be between 0 and 64000 inclusive. Defaults to 0.
    EffectiveOutboundIps []string
    The outcome (resource IDs) of the specified arguments.
    IdleTimeoutInMinutes int
    Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 100 inclusive. Defaults to 30.
    ManagedOutboundIpCount int
    Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.
    ManagedOutboundIpv6Count int

    The desired number of IPv6 outbound IPs created and managed by Azure for the cluster load balancer. Must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.

    Note: managed_outbound_ipv6_count requires dual-stack networking. To enable dual-stack networking the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack needs to be enabled and the Resource Provider re-registered, see the documentation for more information.

    OutboundIpAddressIds []string

    The IDs of the Public IP Addresses which should be used for outbound communication for the cluster load balancer.

    Note: Set outbound_ip_address_ids to an empty slice [] in order to unlink it from the cluster. Unlinking outbound_ip_address_ids will revert the load balancing for the cluster back to a managed one, so egress then uses Azure-managed public IPs instead of the addresses listed here.

    OutboundIpPrefixIds []string

    The IDs of the outbound Public IP Address Prefixes which should be used for the cluster load balancer.

    Note: Set outbound_ip_prefix_ids to an empty slice [] in order to unlink it from the cluster. Unlinking outbound_ip_prefix_ids will revert the load balancing for the cluster back to a managed one, so egress then uses Azure-managed public IPs instead of the prefixes listed here.

    OutboundPortsAllocated int
    Number of desired SNAT ports for each VM in the cluster's load balancer. Must be between 0 and 64000 inclusive. Defaults to 0.
    effectiveOutboundIps List<String>
    The outcome (resource IDs) of the specified arguments.
    idleTimeoutInMinutes Integer
    Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 100 inclusive. Defaults to 30.
    managedOutboundIpCount Integer
    Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.
    managedOutboundIpv6Count Integer

    The desired number of IPv6 outbound IPs created and managed by Azure for the cluster load balancer. Must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.

    Note: managed_outbound_ipv6_count requires dual-stack networking. To enable dual-stack networking the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack needs to be enabled and the Resource Provider re-registered, see the documentation for more information.

    outboundIpAddressIds List<String>

    The IDs of the Public IP Addresses which should be used for outbound communication for the cluster load balancer.

    Note: Set outbound_ip_address_ids to an empty slice [] in order to unlink it from the cluster. Unlinking outbound_ip_address_ids will revert the load balancing for the cluster back to a managed one, so egress then uses Azure-managed public IPs instead of the addresses listed here.

    outboundIpPrefixIds List<String>

    The IDs of the outbound Public IP Address Prefixes which should be used for the cluster load balancer.

    Note: Set outbound_ip_prefix_ids to an empty slice [] in order to unlink it from the cluster. Unlinking outbound_ip_prefix_ids will revert the load balancing for the cluster back to a managed one, so egress then uses Azure-managed public IPs instead of the prefixes listed here.

    outboundPortsAllocated Integer
    Number of desired SNAT ports for each VM in the cluster's load balancer. Must be between 0 and 64000 inclusive. Defaults to 0.
    effectiveOutboundIps string[]
    The outcome (resource IDs) of the specified arguments.
    idleTimeoutInMinutes number
    Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 100 inclusive. Defaults to 30.
    managedOutboundIpCount number
    Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.
    managedOutboundIpv6Count number

    The desired number of IPv6 outbound IPs created and managed by Azure for the cluster load balancer. Must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.

    Note: managed_outbound_ipv6_count requires dual-stack networking. To enable dual-stack networking the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack needs to be enabled and the Resource Provider re-registered, see the documentation for more information.

    outboundIpAddressIds string[]

    The IDs of the Public IP Addresses which should be used for outbound communication for the cluster load balancer.

    Note: Set outbound_ip_address_ids to an empty slice [] in order to unlink it from the cluster. Unlinking outbound_ip_address_ids will revert the load balancing for the cluster back to a managed one, so egress then uses Azure-managed public IPs instead of the addresses listed here.

    outboundIpPrefixIds string[]

    The IDs of the outbound Public IP Address Prefixes which should be used for the cluster load balancer.

    Note: Set outbound_ip_prefix_ids to an empty slice [] in order to unlink it from the cluster. Unlinking outbound_ip_prefix_ids will revert the load balancing for the cluster back to a managed one, so egress then uses Azure-managed public IPs instead of the prefixes listed here.

    outboundPortsAllocated number
    Number of desired SNAT ports for each VM in the cluster's load balancer. Must be between 0 and 64000 inclusive. Defaults to 0.
    effective_outbound_ips Sequence[str]
    The outcome (resource IDs) of the specified arguments.
    idle_timeout_in_minutes int
    Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 100 inclusive. Defaults to 30.
    managed_outbound_ip_count int
    Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.
    managed_outbound_ipv6_count int

    The desired number of IPv6 outbound IPs created and managed by Azure for the cluster load balancer. Must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.

    Note: managed_outbound_ipv6_count requires dual-stack networking. To enable dual-stack networking the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack needs to be enabled and the Resource Provider re-registered, see the documentation for more information.

    outbound_ip_address_ids Sequence[str]

    The IDs of the Public IP Addresses which should be used for outbound communication for the cluster load balancer.

    Note: Set outbound_ip_address_ids to an empty slice [] in order to unlink it from the cluster. Unlinking outbound_ip_address_ids will revert the load balancing for the cluster back to a managed one, so egress then uses Azure-managed public IPs instead of the addresses listed here.

    outbound_ip_prefix_ids Sequence[str]

    The IDs of the outbound Public IP Address Prefixes which should be used for the cluster load balancer.

    Note: Set outbound_ip_prefix_ids to an empty slice [] in order to unlink it from the cluster. Unlinking outbound_ip_prefix_ids will revert the load balancing for the cluster back to a managed one, so egress then uses Azure-managed public IPs instead of the prefixes listed here.

    outbound_ports_allocated int
    Number of desired SNAT ports for each VM in the cluster's load balancer. Must be between 0 and 64000 inclusive. Defaults to 0.
    effectiveOutboundIps List<String>
    The outcome (resource IDs) of the specified arguments.
    idleTimeoutInMinutes Number
    Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 100 inclusive. Defaults to 30.
    managedOutboundIpCount Number
    Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.
    managedOutboundIpv6Count Number

    The desired number of IPv6 outbound IPs created and managed by Azure for the cluster load balancer. Must be in the range of 1 to 100 (inclusive). The default value is 0 for single-stack and 1 for dual-stack.

    Note: managed_outbound_ipv6_count requires dual-stack networking. To enable dual-stack networking the Preview Feature Microsoft.ContainerService/AKS-EnableDualStack needs to be enabled and the Resource Provider re-registered, see the documentation for more information.

    outboundIpAddressIds List<String>

    The IDs of the Public IP Addresses which should be used for outbound communication for the cluster load balancer.

    Note: Set outbound_ip_address_ids to an empty slice [] in order to unlink it from the cluster. Unlinking outbound_ip_address_ids will revert the load balancing for the cluster back to a managed one, so egress then uses Azure-managed public IPs instead of the addresses listed here.

    outboundIpPrefixIds List<String>

    The IDs of the outbound Public IP Address Prefixes which should be used for the cluster load balancer.

    Note: Set outbound_ip_prefix_ids to an empty slice [] in order to unlink it from the cluster. Unlinking outbound_ip_prefix_ids will revert the load balancing for the cluster back to a managed one, so egress then uses Azure-managed public IPs instead of the prefixes listed here.

    outboundPortsAllocated Number
    Number of desired SNAT ports for each VM in the cluster's load balancer. Must be between 0 and 64000 inclusive. Defaults to 0.

    KubernetesClusterNetworkProfileNatGatewayProfile, KubernetesClusterNetworkProfileNatGatewayProfileArgs

    EffectiveOutboundIps List<string>
    The outcome (resource IDs) of the specified arguments.
    IdleTimeoutInMinutes int
    Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 120 inclusive. Defaults to 4.
    ManagedOutboundIpCount int
    Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.
    EffectiveOutboundIps []string
    The outcome (resource IDs) of the specified arguments.
    IdleTimeoutInMinutes int
    Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 120 inclusive. Defaults to 4.
    ManagedOutboundIpCount int
    Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.
    effectiveOutboundIps List<String>
    The outcome (resource IDs) of the specified arguments.
    idleTimeoutInMinutes Integer
    Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 120 inclusive. Defaults to 4.
    managedOutboundIpCount Integer
    Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.
    effectiveOutboundIps string[]
    The outcome (resource IDs) of the specified arguments.
    idleTimeoutInMinutes number
    Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 120 inclusive. Defaults to 4.
    managedOutboundIpCount number
    Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.
    effective_outbound_ips Sequence[str]
    The outcome (resource IDs) of the specified arguments.
    idle_timeout_in_minutes int
    Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 120 inclusive. Defaults to 4.
    managed_outbound_ip_count int
    Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.
    effectiveOutboundIps List<String>
    The outcome (resource IDs) of the specified arguments.
    idleTimeoutInMinutes Number
    Desired outbound flow idle timeout in minutes for the cluster load balancer. Must be between 4 and 120 inclusive. Defaults to 4.
    managedOutboundIpCount Number
    Count of desired managed outbound IPs for the cluster load balancer. Must be between 1 and 100 inclusive.

    KubernetesClusterOmsAgent, KubernetesClusterOmsAgentArgs

    LogAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace which the OMS Agent should send data to.
    MsiAuthForMonitoringEnabled bool
    Is managed identity authentication for monitoring enabled?
    OmsAgentIdentities List<KubernetesClusterOmsAgentOmsAgentIdentity>
    An oms_agent_identity block is exported. The exported attributes are defined below.
    LogAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace which the OMS Agent should send data to.
    MsiAuthForMonitoringEnabled bool
    Is managed identity authentication for monitoring enabled?
    OmsAgentIdentities []KubernetesClusterOmsAgentOmsAgentIdentity
    An oms_agent_identity block is exported. The exported attributes are defined below.
    logAnalyticsWorkspaceId String
    The ID of the Log Analytics Workspace which the OMS Agent should send data to.
    msiAuthForMonitoringEnabled Boolean
    Is managed identity authentication for monitoring enabled?
    omsAgentIdentities List<KubernetesClusterOmsAgentOmsAgentIdentity>
    An oms_agent_identity block is exported. The exported attributes are defined below.
    logAnalyticsWorkspaceId string
    The ID of the Log Analytics Workspace which the OMS Agent should send data to.
    msiAuthForMonitoringEnabled boolean
    Is managed identity authentication for monitoring enabled?
    omsAgentIdentities KubernetesClusterOmsAgentOmsAgentIdentity[]
    An oms_agent_identity block is exported. The exported attributes are defined below.
    log_analytics_workspace_id str
    The ID of the Log Analytics Workspace which the OMS Agent should send data to.
    msi_auth_for_monitoring_enabled bool
    Is managed identity authentication for monitoring enabled?
    oms_agent_identities Sequence[KubernetesClusterOmsAgentOmsAgentIdentity]
    An oms_agent_identity block is exported. The exported attributes are defined below.
    logAnalyticsWorkspaceId String
    The ID of the Log Analytics Workspace which the OMS Agent should send data to.
    msiAuthForMonitoringEnabled Boolean
    Is managed identity authentication for monitoring enabled?
    omsAgentIdentities List<Property Map>
    An oms_agent_identity block is exported. The exported attributes are defined below.

    KubernetesClusterOmsAgentOmsAgentIdentity, KubernetesClusterOmsAgentOmsAgentIdentityArgs

    ClientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    ObjectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    UserAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    ClientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    ObjectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    UserAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId String
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId String
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId String

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    client_id str
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    object_id str
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    user_assigned_identity_id str

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId String
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId String
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId String

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    KubernetesClusterServiceMeshProfile, KubernetesClusterServiceMeshProfileArgs

    Mode string
    The mode of the service mesh. Possible value is Istio.
    ExternalIngressGatewayEnabled bool

    Is Istio External Ingress Gateway enabled?

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NOTE: Currently only one Internal Ingress Gateway and one External Ingress Gateway are allowed per cluster

    InternalIngressGatewayEnabled bool
    Is Istio Internal Ingress Gateway enabled?
    Mode string
    The mode of the service mesh. Possible value is Istio.
    ExternalIngressGatewayEnabled bool

    Is Istio External Ingress Gateway enabled?

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NOTE: Currently only one Internal Ingress Gateway and one External Ingress Gateway are allowed per cluster

    InternalIngressGatewayEnabled bool
    Is Istio Internal Ingress Gateway enabled?
    mode String
    The mode of the service mesh. Possible value is Istio.
    externalIngressGatewayEnabled Boolean

    Is Istio External Ingress Gateway enabled?

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NOTE: Currently only one Internal Ingress Gateway and one External Ingress Gateway are allowed per cluster

    internalIngressGatewayEnabled Boolean
    Is Istio Internal Ingress Gateway enabled?
    mode string
    The mode of the service mesh. Possible value is Istio.
    externalIngressGatewayEnabled boolean

    Is Istio External Ingress Gateway enabled?

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NOTE: Currently only one Internal Ingress Gateway and one External Ingress Gateway are allowed per cluster

    internalIngressGatewayEnabled boolean
    Is Istio Internal Ingress Gateway enabled?
    mode str
    The mode of the service mesh. Possible value is Istio.
    external_ingress_gateway_enabled bool

    Is Istio External Ingress Gateway enabled?

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NOTE: Currently only one Internal Ingress Gateway and one External Ingress Gateway are allowed per cluster

    internal_ingress_gateway_enabled bool
    Is Istio Internal Ingress Gateway enabled?
    mode String
    The mode of the service mesh. Possible value is Istio.
    externalIngressGatewayEnabled Boolean

    Is Istio External Ingress Gateway enabled?

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NOTE: Currently only one Internal Ingress Gateway and one External Ingress Gateway are allowed per cluster

    internalIngressGatewayEnabled Boolean
    Is Istio Internal Ingress Gateway enabled?

    KubernetesClusterServicePrincipal, KubernetesClusterServicePrincipalArgs

    ClientId string
    The Client ID for the Service Principal.
    ClientSecret string
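    The Client Secret for the Service Principal. Supply it from secret configuration (for example a value stored with `pulumi config set --secret`) rather than as a literal in program source.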
    ClientId string
    The Client ID for the Service Principal.
    ClientSecret string
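    The Client Secret for the Service Principal. Supply it from secret configuration (for example a value stored with `pulumi config set --secret`) rather than as a literal in program source.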
    clientId String
    The Client ID for the Service Principal.
    clientSecret String
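    The Client Secret for the Service Principal. Supply it from secret configuration (for example a value stored with `pulumi config set --secret`) rather than as a literal in program source.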
    clientId string
    The Client ID for the Service Principal.
    clientSecret string
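    The Client Secret for the Service Principal. Supply it from secret configuration (for example a value stored with `pulumi config set --secret`) rather than as a literal in program source.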
    client_id str
    The Client ID for the Service Principal.
    client_secret str
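    The Client Secret for the Service Principal. Supply it from secret configuration (for example a value stored with `pulumi config set --secret`) rather than as a literal in program source.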
    clientId String
    The Client ID for the Service Principal.
    clientSecret String
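    The Client Secret for the Service Principal. Supply it from secret configuration (for example a value stored with `pulumi config set --secret`) rather than as a literal in program source.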

    KubernetesClusterStorageProfile, KubernetesClusterStorageProfileArgs

    BlobDriverEnabled bool
    Is the Blob CSI driver enabled? Defaults to false.
    DiskDriverEnabled bool
    Is the Disk CSI driver enabled? Defaults to true.
    DiskDriverVersion string

    Disk CSI Driver version to be used. Possible values are v1 and v2. Defaults to v1.

    Note: Azure Disk CSI driver v2 is currently in Public Preview on an opt-in basis. To use it, the feature EnableAzureDiskCSIDriverV2 for namespace Microsoft.ContainerService must be requested.

    FileDriverEnabled bool
    Is the File CSI driver enabled? Defaults to true.
    SnapshotControllerEnabled bool
    Is the Snapshot Controller enabled? Defaults to true.
    BlobDriverEnabled bool
    Is the Blob CSI driver enabled? Defaults to false.
    DiskDriverEnabled bool
    Is the Disk CSI driver enabled? Defaults to true.
    DiskDriverVersion string

    Disk CSI Driver version to be used. Possible values are v1 and v2. Defaults to v1.

    Note: Azure Disk CSI driver v2 is currently in Public Preview on an opt-in basis. To use it, the feature EnableAzureDiskCSIDriverV2 for namespace Microsoft.ContainerService must be requested.

    FileDriverEnabled bool
    Is the File CSI driver enabled? Defaults to true.
    SnapshotControllerEnabled bool
    Is the Snapshot Controller enabled? Defaults to true.
    blobDriverEnabled Boolean
    Is the Blob CSI driver enabled? Defaults to false.
    diskDriverEnabled Boolean
    Is the Disk CSI driver enabled? Defaults to true.
    diskDriverVersion String

    Disk CSI Driver version to be used. Possible values are v1 and v2. Defaults to v1.

    Note: Azure Disk CSI driver v2 is currently in Public Preview on an opt-in basis. To use it, the feature EnableAzureDiskCSIDriverV2 for namespace Microsoft.ContainerService must be requested.

    fileDriverEnabled Boolean
    Is the File CSI driver enabled? Defaults to true.
    snapshotControllerEnabled Boolean
    Is the Snapshot Controller enabled? Defaults to true.
    blobDriverEnabled boolean
    Is the Blob CSI driver enabled? Defaults to false.
    diskDriverEnabled boolean
    Is the Disk CSI driver enabled? Defaults to true.
    diskDriverVersion string

    Disk CSI Driver version to be used. Possible values are v1 and v2. Defaults to v1.

    Note: Azure Disk CSI driver v2 is currently in Public Preview on an opt-in basis. To use it, the feature EnableAzureDiskCSIDriverV2 for namespace Microsoft.ContainerService must be requested.

    fileDriverEnabled boolean
    Is the File CSI driver enabled? Defaults to true.
    snapshotControllerEnabled boolean
    Is the Snapshot Controller enabled? Defaults to true.
    blob_driver_enabled bool
    Is the Blob CSI driver enabled? Defaults to false.
    disk_driver_enabled bool
    Is the Disk CSI driver enabled? Defaults to true.
    disk_driver_version str

    Disk CSI Driver version to be used. Possible values are v1 and v2. Defaults to v1.

    Note: Azure Disk CSI driver v2 is currently in Public Preview on an opt-in basis. To use it, the feature EnableAzureDiskCSIDriverV2 for namespace Microsoft.ContainerService must be requested.

    file_driver_enabled bool
    Is the File CSI driver enabled? Defaults to true.
    snapshot_controller_enabled bool
    Is the Snapshot Controller enabled? Defaults to true.
    blobDriverEnabled Boolean
    Is the Blob CSI driver enabled? Defaults to false.
    diskDriverEnabled Boolean
    Is the Disk CSI driver enabled? Defaults to true.
    diskDriverVersion String

    Disk CSI Driver version to be used. Possible values are v1 and v2. Defaults to v1.

    Note: Azure Disk CSI driver v2 is currently in Public Preview on an opt-in basis. To use it, the feature EnableAzureDiskCSIDriverV2 for namespace Microsoft.ContainerService must be requested.

    fileDriverEnabled Boolean
    Is the File CSI driver enabled? Defaults to true.
    snapshotControllerEnabled Boolean
    Is the Snapshot Controller enabled? Defaults to true.

    KubernetesClusterWebAppRouting, KubernetesClusterWebAppRoutingArgs

    DnsZoneId string
    Specifies the ID of the DNS Zone in which DNS entries are created for applications deployed to the cluster when Web App Routing is enabled. For Bring-Your-Own DNS zones this property should be set to an empty string "".
    WebAppRoutingIdentities List<KubernetesClusterWebAppRoutingWebAppRoutingIdentity>
    A web_app_routing_identity block is exported. The exported attributes are defined below.
    DnsZoneId string
    Specifies the ID of the DNS Zone in which DNS entries are created for applications deployed to the cluster when Web App Routing is enabled. For Bring-Your-Own DNS zones this property should be set to an empty string "".
    WebAppRoutingIdentities []KubernetesClusterWebAppRoutingWebAppRoutingIdentity
    A web_app_routing_identity block is exported. The exported attributes are defined below.
    dnsZoneId String
    Specifies the ID of the DNS Zone in which DNS entries are created for applications deployed to the cluster when Web App Routing is enabled. For Bring-Your-Own DNS zones this property should be set to an empty string "".
    webAppRoutingIdentities List<KubernetesClusterWebAppRoutingWebAppRoutingIdentity>
    A web_app_routing_identity block is exported. The exported attributes are defined below.
    dnsZoneId string
    Specifies the ID of the DNS Zone in which DNS entries are created for applications deployed to the cluster when Web App Routing is enabled. For Bring-Your-Own DNS zones this property should be set to an empty string "".
    webAppRoutingIdentities KubernetesClusterWebAppRoutingWebAppRoutingIdentity[]
    A web_app_routing_identity block is exported. The exported attributes are defined below.
    dns_zone_id str
    Specifies the ID of the DNS Zone in which DNS entries are created for applications deployed to the cluster when Web App Routing is enabled. For Bring-Your-Own DNS zones this property should be set to an empty string "".
    web_app_routing_identities Sequence[KubernetesClusterWebAppRoutingWebAppRoutingIdentity]
    A web_app_routing_identity block is exported. The exported attributes are defined below.
    dnsZoneId String
    Specifies the ID of the DNS Zone in which DNS entries are created for applications deployed to the cluster when Web App Routing is enabled. For Bring-Your-Own DNS zones this property should be set to an empty string "".
    webAppRoutingIdentities List<Property Map>
    A web_app_routing_identity block is exported. The exported attributes are defined below.

    KubernetesClusterWebAppRoutingWebAppRoutingIdentity, KubernetesClusterWebAppRoutingWebAppRoutingIdentityArgs

    ClientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    ObjectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    UserAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    ClientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    ObjectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    UserAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId String
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId String
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId String

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId string
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId string
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId string

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    client_id str
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    object_id str
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    user_assigned_identity_id str

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    clientId String
    The Client ID of the user-defined Managed Identity to be assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    objectId String
    The Object ID of the user-defined Managed Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.
    userAssignedIdentityId String

    The ID of the User Assigned Identity assigned to the Kubelets. If not specified a Managed Identity is created automatically. Changing this forces a new resource to be created.

    Note: When kubelet_identity is enabled - The type field in the identity block must be set to UserAssigned and identity_ids must be set.

    KubernetesClusterWindowsProfile, KubernetesClusterWindowsProfileArgs

    AdminUsername string
    The Admin Username for Windows VMs. Changing this forces a new resource to be created.
    AdminPassword string
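    The Admin Password for Windows VMs. Length must be between 14 and 123 characters. Supply it from secret configuration (for example a value stored with `pulumi config set --secret`) rather than as a literal in program source.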
    Gmsa KubernetesClusterWindowsProfileGmsa
    A gmsa block as defined below.
    License string
    Specifies the type of on-premise license which should be used for Node Pool Windows Virtual Machine. At this time the only possible value is Windows_Server.
    AdminUsername string
    The Admin Username for Windows VMs. Changing this forces a new resource to be created.
    AdminPassword string
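    The Admin Password for Windows VMs. Length must be between 14 and 123 characters. Supply it from secret configuration (for example a value stored with `pulumi config set --secret`) rather than as a literal in program source.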
    Gmsa KubernetesClusterWindowsProfileGmsa
    A gmsa block as defined below.
    License string
    Specifies the type of on-premise license which should be used for Node Pool Windows Virtual Machine. At this time the only possible value is Windows_Server.
    adminUsername String
    The Admin Username for Windows VMs. Changing this forces a new resource to be created.
    adminPassword String
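    The Admin Password for Windows VMs. Length must be between 14 and 123 characters. Supply it from secret configuration (for example a value stored with `pulumi config set --secret`) rather than as a literal in program source.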
    gmsa KubernetesClusterWindowsProfileGmsa
    A gmsa block as defined below.
    license String
    Specifies the type of on-premise license which should be used for Node Pool Windows Virtual Machine. At this time the only possible value is Windows_Server.
    adminUsername string
    The Admin Username for Windows VMs. Changing this forces a new resource to be created.
    adminPassword string
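    The Admin Password for Windows VMs. Length must be between 14 and 123 characters. Supply it from secret configuration (for example a value stored with `pulumi config set --secret`) rather than as a literal in program source.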
    gmsa KubernetesClusterWindowsProfileGmsa
    A gmsa block as defined below.
    license string
    Specifies the type of on-premise license which should be used for Node Pool Windows Virtual Machine. At this time the only possible value is Windows_Server.
    admin_username str
    The Admin Username for Windows VMs. Changing this forces a new resource to be created.
    admin_password str
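    The Admin Password for Windows VMs. Length must be between 14 and 123 characters. Supply it from secret configuration (for example a value stored with `pulumi config set --secret`) rather than as a literal in program source.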
    gmsa KubernetesClusterWindowsProfileGmsa
    A gmsa block as defined below.
    license str
    Specifies the type of on-premise license which should be used for Node Pool Windows Virtual Machine. At this time the only possible value is Windows_Server.
    adminUsername String
    The Admin Username for Windows VMs. Changing this forces a new resource to be created.
    adminPassword String
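    The Admin Password for Windows VMs. Length must be between 14 and 123 characters. Supply it from secret configuration (for example a value stored with `pulumi config set --secret`) rather than as a literal in program source.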
    gmsa Property Map
    A gmsa block as defined below.
    license String
    Specifies the type of on-premise license which should be used for Node Pool Windows Virtual Machine. At this time the only possible value is Windows_Server.

    KubernetesClusterWindowsProfileGmsa, KubernetesClusterWindowsProfileGmsaArgs

    DnsServer string
    Specifies the DNS server for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.
    RootDomain string

    Specifies the root domain name for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.

    Note: The properties dns_server and root_domain must both either be set or unset, i.e. empty.

    DnsServer string
    Specifies the DNS server for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.
    RootDomain string

    Specifies the root domain name for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.

    Note: The properties dns_server and root_domain must both either be set or unset, i.e. empty.

    dnsServer String
    Specifies the DNS server for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.
    rootDomain String

    Specifies the root domain name for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.

    Note: The properties dns_server and root_domain must both either be set or unset, i.e. empty.

    dnsServer string
    Specifies the DNS server for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.
    rootDomain string

    Specifies the root domain name for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.

    Note: The properties dns_server and root_domain must both either be set or unset, i.e. empty.

    dns_server str
    Specifies the DNS server for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.
    root_domain str

    Specifies the root domain name for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.

    Note: The properties dns_server and root_domain must both either be set or unset, i.e. empty.

    dnsServer String
    Specifies the DNS server for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.
    rootDomain String

    Specifies the root domain name for Windows gMSA. Set this to an empty string if you have configured the DNS server in the VNet which was used to create the managed cluster.

    Note: The properties dns_server and root_domain must both either be set or unset, i.e. empty.

    KubernetesClusterWorkloadAutoscalerProfile, KubernetesClusterWorkloadAutoscalerProfileArgs

    KedaEnabled bool
    Specifies whether KEDA Autoscaler can be used for workloads.
    VerticalPodAutoscalerControlledValues string
    Which resource values should be controlled.
    VerticalPodAutoscalerEnabled bool

    Specifies whether Vertical Pod Autoscaler should be enabled.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AKS-VPAPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    VerticalPodAutoscalerUpdateMode string
    How the autoscaler applies changes to pod resources.
    KedaEnabled bool
    Specifies whether KEDA Autoscaler can be used for workloads.
    VerticalPodAutoscalerControlledValues string
    Which resource values should be controlled.
    VerticalPodAutoscalerEnabled bool

    Specifies whether Vertical Pod Autoscaler should be enabled.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AKS-VPAPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    VerticalPodAutoscalerUpdateMode string
    How the autoscaler applies changes to pod resources.
    kedaEnabled Boolean
    Specifies whether KEDA Autoscaler can be used for workloads.
    verticalPodAutoscalerControlledValues String
    Which resource values should be controlled.
    verticalPodAutoscalerEnabled Boolean

    Specifies whether Vertical Pod Autoscaler should be enabled.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AKS-VPAPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    verticalPodAutoscalerUpdateMode String
    How the autoscaler applies changes to pod resources.
    kedaEnabled boolean
    Specifies whether KEDA Autoscaler can be used for workloads.
    verticalPodAutoscalerControlledValues string
    Which resource values should be controlled.
    verticalPodAutoscalerEnabled boolean

    Specifies whether Vertical Pod Autoscaler should be enabled.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AKS-VPAPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    verticalPodAutoscalerUpdateMode string
    How the autoscaler applies changes to pod resources.
    keda_enabled bool
    Specifies whether KEDA Autoscaler can be used for workloads.
    vertical_pod_autoscaler_controlled_values str
    Which resource values should be controlled.
    vertical_pod_autoscaler_enabled bool

    Specifies whether Vertical Pod Autoscaler should be enabled.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AKS-VPAPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    vertical_pod_autoscaler_update_mode str
    How the autoscaler applies changes to pod resources.
    kedaEnabled Boolean
    Specifies whether KEDA Autoscaler can be used for workloads.
    verticalPodAutoscalerControlledValues String
    Which resource values should be controlled.
    verticalPodAutoscalerEnabled Boolean

    Specifies whether Vertical Pod Autoscaler should be enabled.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AKS-VPAPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    verticalPodAutoscalerUpdateMode String
    How the autoscaler applies changes to pod resources.

    Import

    Managed Kubernetes Clusters can be imported using the resource id, e.g.

    $ pulumi import azure:containerservice/kubernetesCluster:KubernetesCluster cluster1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.ContainerService/managedClusters/cluster1
    

    Package Details

    Repository
    Azure Classic pulumi/pulumi-azure
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the azurerm Terraform Provider.