
We recommend using Azure Native.

Azure Classic v5.77.1 published on Monday, May 13, 2024 by Pulumi

azure.containerservice.KubernetesCluster


    Manages a Managed Kubernetes Cluster (also known as AKS / Azure Kubernetes Service)

    Example Usage

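    This example provisions a basic Managed Kubernetes Cluster. It exports the cluster's client certificate and raw kubeconfig as stack outputs; the kubeconfig contains the credentials used to authenticate to the cluster, so treat that output as a secret.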

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    
    // Resource group that holds the cluster.
    const resourceGroup = new azure.core.ResourceGroup("example", {
        name: "example-resources",
        location: "West Europe",
    });

    // Single-node default pool for the minimal example.
    const defaultNodePool = {
        name: "default",
        nodeCount: 1,
        vmSize: "Standard_D2_v2",
    };

    // Minimal AKS cluster. Access-related inputs such as apiServerAccessProfile,
    // privateClusterEnabled, localAccountDisabled and
    // azureActiveDirectoryRoleBasedAccessControl are not set here, so review them
    // before reusing this as the baseline for a real production cluster.
    const cluster = new azure.containerservice.KubernetesCluster("example", {
        name: "example-aks1",
        location: resourceGroup.location,
        resourceGroupName: resourceGroup.name,
        dnsPrefix: "exampleaks1",
        defaultNodePool,
        // SystemAssigned: the cluster uses a managed identity, so no
        // servicePrincipal client secret appears in the program.
        identity: { type: "SystemAssigned" },
        tags: { Environment: "Production" },
    });

    // kubeConfigRaw is the full kubeconfig, including the credentials used to
    // authenticate to the API server; anyone who can read this stack output can
    // use it. NOTE(review): confirm both outputs are stored as secret outputs
    // in the stack state before sharing the stack.
    const clientCertificate = cluster.kubeConfigs.apply(([first]) => first.clientCertificate);
    const kubeConfig = cluster.kubeConfigRaw;
    export { clientCertificate, kubeConfig };
    
    import pulumi
    import pulumi_azure as azure
    
    # Resource group that holds the cluster.
    resource_group = azure.core.ResourceGroup(
        "example",
        name="example-resources",
        location="West Europe",
    )

    # Single-node default pool for the minimal example.
    node_pool = azure.containerservice.KubernetesClusterDefaultNodePoolArgs(
        name="default",
        node_count=1,
        vm_size="Standard_D2_v2",
    )

    # SystemAssigned: the cluster uses a managed identity, so no service_principal
    # client secret appears in the program.
    managed_identity = azure.containerservice.KubernetesClusterIdentityArgs(
        type="SystemAssigned",
    )

    # Minimal AKS cluster. Access-related inputs such as api_server_access_profile,
    # private_cluster_enabled, local_account_disabled and
    # azure_active_directory_role_based_access_control are not set here, so review
    # them before reusing this as the baseline for a real production cluster.
    cluster = azure.containerservice.KubernetesCluster(
        "example",
        name="example-aks1",
        location=resource_group.location,
        resource_group_name=resource_group.name,
        dns_prefix="exampleaks1",
        default_node_pool=node_pool,
        identity=managed_identity,
        tags={"Environment": "Production"},
    )

    # kube_config_raw is the full kubeconfig, including the credentials used to
    # authenticate to the API server; anyone who can read this stack output can
    # use it. NOTE(review): confirm both outputs are stored as secret outputs in
    # the stack state before sharing the stack.
    pulumi.export("clientCertificate", cluster.kube_configs[0].client_certificate)
    pulumi.export("kubeConfig", cluster.kube_config_raw)
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main runs the Pulumi program: it creates a resource group and a minimal AKS
    // cluster inside it, then exports the cluster's client certificate and raw
    // kubeconfig as stack outputs.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		rg, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example-resources"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}

    		// Access-related inputs such as ApiServerAccessProfile,
    		// PrivateClusterEnabled, LocalAccountDisabled and
    		// AzureActiveDirectoryRoleBasedAccessControl are not set here; review
    		// them before reusing this as the baseline for a real production cluster.
    		clusterArgs := &containerservice.KubernetesClusterArgs{
    			Name:              pulumi.String("example-aks1"),
    			Location:          rg.Location,
    			ResourceGroupName: rg.Name,
    			DnsPrefix:         pulumi.String("exampleaks1"),
    			DefaultNodePool: &containerservice.KubernetesClusterDefaultNodePoolArgs{
    				Name:      pulumi.String("default"),
    				NodeCount: pulumi.Int(1),
    				VmSize:    pulumi.String("Standard_D2_v2"),
    			},
    			// SystemAssigned: the cluster uses a managed identity, so no
    			// service principal client secret appears in the program.
    			Identity: &containerservice.KubernetesClusterIdentityArgs{
    				Type: pulumi.String("SystemAssigned"),
    			},
    			Tags: pulumi.StringMap{
    				"Environment": pulumi.String("Production"),
    			},
    		}
    		cluster, err := containerservice.NewKubernetesCluster(ctx, "example", clusterArgs)
    		if err != nil {
    			return err
    		}

    		// Client certificate of the first kubeconfig entry.
    		firstClientCert := cluster.KubeConfigs.ApplyT(func(kubeConfigs []containerservice.KubernetesClusterKubeConfig) (*string, error) {
    			return &kubeConfigs[0].ClientCertificate, nil
    		}).(pulumi.StringPtrOutput)
    		ctx.Export("clientCertificate", firstClientCert)

    		// KubeConfigRaw is the full kubeconfig, including the credentials used
    		// to authenticate to the API server. NOTE(review): confirm both outputs
    		// are stored as secret outputs in the stack state.
    		ctx.Export("kubeConfig", cluster.KubeConfigRaw)
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
    // Creates a resource group and a minimal AKS cluster inside it, then returns
    // the cluster's client certificate and raw kubeconfig as stack outputs.
    return await Deployment.RunAsync(() =>
    {
        var resourceGroup = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example-resources",
            Location = "West Europe",
        });

        // Single-node default pool for the minimal example.
        var nodePool = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolArgs
        {
            Name = "default",
            NodeCount = 1,
            VmSize = "Standard_D2_v2",
        };

        // SystemAssigned: the cluster uses a managed identity, so no
        // ServicePrincipal client secret appears in the program.
        var managedIdentity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
        {
            Type = "SystemAssigned",
        };

        // Access-related inputs such as ApiServerAccessProfile, PrivateClusterEnabled,
        // LocalAccountDisabled and AzureActiveDirectoryRoleBasedAccessControl are not
        // set here; review them before reusing this as a production baseline.
        var cluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "example-aks1",
            Location = resourceGroup.Location,
            ResourceGroupName = resourceGroup.Name,
            DnsPrefix = "exampleaks1",
            DefaultNodePool = nodePool,
            Identity = managedIdentity,
            Tags =
            {
                { "Environment", "Production" },
            },
        });

        // KubeConfigRaw is the full kubeconfig, including the credentials used to
        // authenticate to the API server. NOTE(review): confirm both outputs are
        // stored as secret outputs in the stack state.
        var outputs = new Dictionary<string, object?>
        {
            ["clientCertificate"] = cluster.KubeConfigs.Apply(kubeConfigs => kubeConfigs[0].ClientCertificate),
            ["kubeConfig"] = cluster.KubeConfigRaw,
        };
        return outputs;
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import com.pulumi.azure.containerservice.inputs.KubernetesClusterDefaultNodePoolArgs;
    import com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
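    /**
     * Pulumi program that provisions a resource group and a minimal AKS cluster,
     * then exports the cluster's client certificate and raw kubeconfig.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the stack's resources and outputs.
         *
         * <p>Access-related inputs such as apiServerAccessProfile, privateClusterEnabled,
         * localAccountDisabled and azureActiveDirectoryRoleBasedAccessControl are not set
         * here; review them before reusing this as the baseline for a real production
         * cluster.
         *
         * @param ctx Pulumi context used to register the stack outputs
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example-resources")
                .location("West Europe")
                .build());

            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("example-aks1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("exampleaks1")
                .defaultNodePool(KubernetesClusterDefaultNodePoolArgs.builder()
                    .name("default")
                    .nodeCount(1)
                    .vmSize("Standard_D2_v2")
                    .build())
                // SystemAssigned: the cluster uses a managed identity, so no
                // service principal client secret appears in the program.
                .identity(KubernetesClusterIdentityArgs.builder()
                    .type("SystemAssigned")
                    .build())
                .tags(Map.of("Environment", "Production"))
                .build());

            // kubeConfigs() resolves to a List, so the first entry is read with get(0);
            // array-style indexing ([0]) does not compile on a List.
            ctx.export("clientCertificate", exampleKubernetesCluster.kubeConfigs().applyValue(kubeConfigs -> kubeConfigs.get(0).clientCertificate()));

            // kubeConfigRaw is the full kubeconfig, including the credentials used to
            // authenticate to the API server. NOTE(review): confirm both outputs are
            // stored as secret outputs in the stack state.
            ctx.export("kubeConfig", exampleKubernetesCluster.kubeConfigRaw());
        }
    }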
    
    # Minimal AKS cluster plus the resource group that holds it.
    # Access-related inputs such as apiServerAccessProfile, privateClusterEnabled,
    # localAccountDisabled and azureActiveDirectoryRoleBasedAccessControl are not set
    # here; review them before reusing this as the baseline for a real production cluster.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example-resources
          location: West Europe
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: example-aks1
          # Location and resource group are taken from the resource group declared above.
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: exampleaks1
          # Single-node default pool for the minimal example.
          defaultNodePool:
            name: default
            nodeCount: 1
            vmSize: Standard_D2_v2
          # SystemAssigned: the cluster uses a managed identity, so no
          # servicePrincipal client secret appears in the program.
          identity:
            type: SystemAssigned
          tags:
            Environment: Production
    # kubeConfigRaw is the full kubeconfig, including the credentials used to
    # authenticate to the API server. NOTE(review): confirm both outputs are stored
    # as secret outputs in the stack state.
    outputs:
      clientCertificate: ${exampleKubernetesCluster.kubeConfigs[0].clientCertificate}
      kubeConfig: ${exampleKubernetesCluster.kubeConfigRaw}
    

    Create KubernetesCluster Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new KubernetesCluster(name: string, args: KubernetesClusterArgs, opts?: CustomResourceOptions);
    @overload
    def KubernetesCluster(resource_name: str,
                          args: KubernetesClusterArgs,
                          opts: Optional[ResourceOptions] = None)
    
    @overload
    def KubernetesCluster(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          default_node_pool: Optional[KubernetesClusterDefaultNodePoolArgs] = None,
                          resource_group_name: Optional[str] = None,
                          aci_connector_linux: Optional[KubernetesClusterAciConnectorLinuxArgs] = None,
                          api_server_access_profile: Optional[KubernetesClusterApiServerAccessProfileArgs] = None,
                          api_server_authorized_ip_ranges: Optional[Sequence[str]] = None,
                          auto_scaler_profile: Optional[KubernetesClusterAutoScalerProfileArgs] = None,
                          automatic_channel_upgrade: Optional[str] = None,
                          azure_active_directory_role_based_access_control: Optional[KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs] = None,
                          azure_policy_enabled: Optional[bool] = None,
                          confidential_computing: Optional[KubernetesClusterConfidentialComputingArgs] = None,
                          custom_ca_trust_certificates_base64s: Optional[Sequence[str]] = None,
                          disk_encryption_set_id: Optional[str] = None,
                          dns_prefix: Optional[str] = None,
                          dns_prefix_private_cluster: Optional[str] = None,
                          edge_zone: Optional[str] = None,
                          enable_pod_security_policy: Optional[bool] = None,
                          http_application_routing_enabled: Optional[bool] = None,
                          http_proxy_config: Optional[KubernetesClusterHttpProxyConfigArgs] = None,
                          identity: Optional[KubernetesClusterIdentityArgs] = None,
                          image_cleaner_enabled: Optional[bool] = None,
                          image_cleaner_interval_hours: Optional[int] = None,
                          ingress_application_gateway: Optional[KubernetesClusterIngressApplicationGatewayArgs] = None,
                          key_management_service: Optional[KubernetesClusterKeyManagementServiceArgs] = None,
                          key_vault_secrets_provider: Optional[KubernetesClusterKeyVaultSecretsProviderArgs] = None,
                          kubelet_identity: Optional[KubernetesClusterKubeletIdentityArgs] = None,
                          kubernetes_version: Optional[str] = None,
                          linux_profile: Optional[KubernetesClusterLinuxProfileArgs] = None,
                          local_account_disabled: Optional[bool] = None,
                          location: Optional[str] = None,
                          maintenance_window: Optional[KubernetesClusterMaintenanceWindowArgs] = None,
                          maintenance_window_auto_upgrade: Optional[KubernetesClusterMaintenanceWindowAutoUpgradeArgs] = None,
                          maintenance_window_node_os: Optional[KubernetesClusterMaintenanceWindowNodeOsArgs] = None,
                          microsoft_defender: Optional[KubernetesClusterMicrosoftDefenderArgs] = None,
                          monitor_metrics: Optional[KubernetesClusterMonitorMetricsArgs] = None,
                          name: Optional[str] = None,
                          network_profile: Optional[KubernetesClusterNetworkProfileArgs] = None,
                          node_os_channel_upgrade: Optional[str] = None,
                          node_resource_group: Optional[str] = None,
                          oidc_issuer_enabled: Optional[bool] = None,
                          oms_agent: Optional[KubernetesClusterOmsAgentArgs] = None,
                          open_service_mesh_enabled: Optional[bool] = None,
                          private_cluster_enabled: Optional[bool] = None,
                          private_cluster_public_fqdn_enabled: Optional[bool] = None,
                          private_dns_zone_id: Optional[str] = None,
                          public_network_access_enabled: Optional[bool] = None,
                          role_based_access_control_enabled: Optional[bool] = None,
                          run_command_enabled: Optional[bool] = None,
                          service_mesh_profile: Optional[KubernetesClusterServiceMeshProfileArgs] = None,
                          service_principal: Optional[KubernetesClusterServicePrincipalArgs] = None,
                          sku_tier: Optional[str] = None,
                          storage_profile: Optional[KubernetesClusterStorageProfileArgs] = None,
                          support_plan: Optional[str] = None,
                          tags: Optional[Mapping[str, str]] = None,
                          web_app_routing: Optional[KubernetesClusterWebAppRoutingArgs] = None,
                          windows_profile: Optional[KubernetesClusterWindowsProfileArgs] = None,
                          workload_autoscaler_profile: Optional[KubernetesClusterWorkloadAutoscalerProfileArgs] = None,
                          workload_identity_enabled: Optional[bool] = None)
    func NewKubernetesCluster(ctx *Context, name string, args KubernetesClusterArgs, opts ...ResourceOption) (*KubernetesCluster, error)
    public KubernetesCluster(string name, KubernetesClusterArgs args, CustomResourceOptions? opts = null)
    public KubernetesCluster(String name, KubernetesClusterArgs args)
    public KubernetesCluster(String name, KubernetesClusterArgs args, CustomResourceOptions options)
    
    type: azure:containerservice:KubernetesCluster
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args KubernetesClusterArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args KubernetesClusterArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args KubernetesClusterArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args KubernetesClusterArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args KubernetesClusterArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Example

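    The following reference example uses placeholder values for all input properties. The placeholders (`"string"`, `0`, `false`) only indicate each property's type; they are not recommended settings.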

    // Reference listing of every KubernetesCluster input with a type placeholder
    // ("string", 0, false). The values show the expected type only: they are not
    // defaults and not recommended settings, and several of the `false` entries are
    // security-relevant switches. Do not copy this block as a working configuration.
    var kubernetesClusterResource = new Azure.ContainerService.KubernetesCluster("kubernetesClusterResource", new()
    {
        DefaultNodePool = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolArgs
        {
            Name = "string",
            VmSize = "string",
            NodeNetworkProfile = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolNodeNetworkProfileArgs
            {
                AllowedHostPorts = new[]
                {
                    new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPortArgs
                    {
                        PortEnd = 0,
                        PortStart = 0,
                        Protocol = "string",
                    },
                },
                ApplicationSecurityGroupIds = new[]
                {
                    "string",
                },
                NodePublicIpTags = 
                {
                    { "string", "string" },
                },
            },
            WorkloadRuntime = "string",
            EnableNodePublicIp = false,
            GpuInstance = "string",
            HostGroupId = "string",
            KubeletConfig = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolKubeletConfigArgs
            {
                AllowedUnsafeSysctls = new[]
                {
                    "string",
                },
                ContainerLogMaxLine = 0,
                ContainerLogMaxSizeMb = 0,
                CpuCfsQuotaEnabled = false,
                CpuCfsQuotaPeriod = "string",
                CpuManagerPolicy = "string",
                ImageGcHighThreshold = 0,
                ImageGcLowThreshold = 0,
                PodMaxPid = 0,
                TopologyManagerPolicy = "string",
            },
            KubeletDiskType = "string",
            LinuxOsConfig = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolLinuxOsConfigArgs
            {
                SwapFileSizeMb = 0,
                SysctlConfig = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfigArgs
                {
                    FsAioMaxNr = 0,
                    FsFileMax = 0,
                    FsInotifyMaxUserWatches = 0,
                    FsNrOpen = 0,
                    KernelThreadsMax = 0,
                    NetCoreNetdevMaxBacklog = 0,
                    NetCoreOptmemMax = 0,
                    NetCoreRmemDefault = 0,
                    NetCoreRmemMax = 0,
                    NetCoreSomaxconn = 0,
                    NetCoreWmemDefault = 0,
                    NetCoreWmemMax = 0,
                    NetIpv4IpLocalPortRangeMax = 0,
                    NetIpv4IpLocalPortRangeMin = 0,
                    NetIpv4NeighDefaultGcThresh1 = 0,
                    NetIpv4NeighDefaultGcThresh2 = 0,
                    NetIpv4NeighDefaultGcThresh3 = 0,
                    NetIpv4TcpFinTimeout = 0,
                    NetIpv4TcpKeepaliveIntvl = 0,
                    NetIpv4TcpKeepaliveProbes = 0,
                    NetIpv4TcpKeepaliveTime = 0,
                    NetIpv4TcpMaxSynBacklog = 0,
                    NetIpv4TcpMaxTwBuckets = 0,
                    NetIpv4TcpTwReuse = false,
                    NetNetfilterNfConntrackBuckets = 0,
                    NetNetfilterNfConntrackMax = 0,
                    VmMaxMapCount = 0,
                    VmSwappiness = 0,
                    VmVfsCachePressure = 0,
                },
                TransparentHugePageDefrag = "string",
                TransparentHugePageEnabled = "string",
            },
            MaxCount = 0,
            MaxPods = 0,
            MessageOfTheDay = "string",
            MinCount = 0,
            EnableAutoScaling = false,
            NodeCount = 0,
            NodeLabels = 
            {
                { "string", "string" },
            },
            CapacityReservationGroupId = "string",
            NodePublicIpPrefixId = "string",
            FipsEnabled = false,
            EnableHostEncryption = false,
            OsDiskSizeGb = 0,
            OrchestratorVersion = "string",
            OsDiskType = "string",
            OsSku = "string",
            PodSubnetId = "string",
            ProximityPlacementGroupId = "string",
            ScaleDownMode = "string",
            SnapshotId = "string",
            Tags = 
            {
                { "string", "string" },
            },
            TemporaryNameForRotation = "string",
            Type = "string",
            UltraSsdEnabled = false,
            UpgradeSettings = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolUpgradeSettingsArgs
            {
                MaxSurge = "string",
            },
            CustomCaTrustEnabled = false,
            VnetSubnetId = "string",
            OnlyCriticalAddonsEnabled = false,
            Zones = new[]
            {
                "string",
            },
        },
        ResourceGroupName = "string",
        AciConnectorLinux = new Azure.ContainerService.Inputs.KubernetesClusterAciConnectorLinuxArgs
        {
            SubnetName = "string",
            ConnectorIdentities = new[]
            {
                new Azure.ContainerService.Inputs.KubernetesClusterAciConnectorLinuxConnectorIdentityArgs
                {
                    ClientId = "string",
                    ObjectId = "string",
                    UserAssignedIdentityId = "string",
                },
            },
        },
        // API server exposure: the address ranges allowed to reach the API server are set here.
        ApiServerAccessProfile = new Azure.ContainerService.Inputs.KubernetesClusterApiServerAccessProfileArgs
        {
            AuthorizedIpRanges = new[]
            {
                "string",
            },
            SubnetId = "string",
            VnetIntegrationEnabled = false,
        },
        AutoScalerProfile = new Azure.ContainerService.Inputs.KubernetesClusterAutoScalerProfileArgs
        {
            BalanceSimilarNodeGroups = false,
            EmptyBulkDeleteMax = "string",
            Expander = "string",
            MaxGracefulTerminationSec = "string",
            MaxNodeProvisioningTime = "string",
            MaxUnreadyNodes = 0,
            MaxUnreadyPercentage = 0,
            NewPodScaleUpDelay = "string",
            ScaleDownDelayAfterAdd = "string",
            ScaleDownDelayAfterDelete = "string",
            ScaleDownDelayAfterFailure = "string",
            ScaleDownUnneeded = "string",
            ScaleDownUnready = "string",
            ScaleDownUtilizationThreshold = "string",
            ScanInterval = "string",
            SkipNodesWithLocalStorage = false,
            SkipNodesWithSystemPods = false,
        },
        AutomaticChannelUpgrade = "string",
        AzureActiveDirectoryRoleBasedAccessControl = new Azure.ContainerService.Inputs.KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs
        {
            AdminGroupObjectIds = new[]
            {
                "string",
            },
            AzureRbacEnabled = false,
            TenantId = "string",
        },
        AzurePolicyEnabled = false,
        ConfidentialComputing = new Azure.ContainerService.Inputs.KubernetesClusterConfidentialComputingArgs
        {
            SgxQuoteHelperEnabled = false,
        },
        CustomCaTrustCertificatesBase64s = new[]
        {
            "string",
        },
        DiskEncryptionSetId = "string",
        DnsPrefix = "string",
        DnsPrefixPrivateCluster = "string",
        EdgeZone = "string",
        HttpApplicationRoutingEnabled = false,
        HttpProxyConfig = new Azure.ContainerService.Inputs.KubernetesClusterHttpProxyConfigArgs
        {
            HttpProxy = "string",
            HttpsProxy = "string",
            NoProxies = new[]
            {
                "string",
            },
            TrustedCa = "string",
        },
        Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
        {
            Type = "string",
            IdentityIds = new[]
            {
                "string",
            },
            PrincipalId = "string",
            TenantId = "string",
        },
        ImageCleanerEnabled = false,
        ImageCleanerIntervalHours = 0,
        IngressApplicationGateway = new Azure.ContainerService.Inputs.KubernetesClusterIngressApplicationGatewayArgs
        {
            EffectiveGatewayId = "string",
            GatewayId = "string",
            GatewayName = "string",
            IngressApplicationGatewayIdentities = new[]
            {
                new Azure.ContainerService.Inputs.KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentityArgs
                {
                    ClientId = "string",
                    ObjectId = "string",
                    UserAssignedIdentityId = "string",
                },
            },
            SubnetCidr = "string",
            SubnetId = "string",
        },
        KeyManagementService = new Azure.ContainerService.Inputs.KubernetesClusterKeyManagementServiceArgs
        {
            KeyVaultKeyId = "string",
            KeyVaultNetworkAccess = "string",
        },
        KeyVaultSecretsProvider = new Azure.ContainerService.Inputs.KubernetesClusterKeyVaultSecretsProviderArgs
        {
            SecretIdentities = new[]
            {
                new Azure.ContainerService.Inputs.KubernetesClusterKeyVaultSecretsProviderSecretIdentityArgs
                {
                    ClientId = "string",
                    ObjectId = "string",
                    UserAssignedIdentityId = "string",
                },
            },
            SecretRotationEnabled = false,
            SecretRotationInterval = "string",
        },
        KubeletIdentity = new Azure.ContainerService.Inputs.KubernetesClusterKubeletIdentityArgs
        {
            ClientId = "string",
            ObjectId = "string",
            UserAssignedIdentityId = "string",
        },
        KubernetesVersion = "string",
        LinuxProfile = new Azure.ContainerService.Inputs.KubernetesClusterLinuxProfileArgs
        {
            AdminUsername = "string",
            SshKey = new Azure.ContainerService.Inputs.KubernetesClusterLinuxProfileSshKeyArgs
            {
                KeyData = "string",
            },
        },
        // Placeholder only: `false` marks the type, it is not a suggested value for this switch.
        LocalAccountDisabled = false,
        Location = "string",
        MaintenanceWindow = new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowArgs
        {
            Alloweds = new[]
            {
                new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowAllowedArgs
                {
                    Day = "string",
                    Hours = new[]
                    {
                        0,
                    },
                },
            },
            NotAlloweds = new[]
            {
                new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowNotAllowedArgs
                {
                    End = "string",
                    Start = "string",
                },
            },
        },
        MaintenanceWindowAutoUpgrade = new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowAutoUpgradeArgs
        {
            Duration = 0,
            Frequency = "string",
            Interval = 0,
            DayOfMonth = 0,
            DayOfWeek = "string",
            NotAlloweds = new[]
            {
                new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowedArgs
                {
                    End = "string",
                    Start = "string",
                },
            },
            StartDate = "string",
            StartTime = "string",
            UtcOffset = "string",
            WeekIndex = "string",
        },
        MaintenanceWindowNodeOs = new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowNodeOsArgs
        {
            Duration = 0,
            Frequency = "string",
            Interval = 0,
            DayOfMonth = 0,
            DayOfWeek = "string",
            NotAlloweds = new[]
            {
                new Azure.ContainerService.Inputs.KubernetesClusterMaintenanceWindowNodeOsNotAllowedArgs
                {
                    End = "string",
                    Start = "string",
                },
            },
            StartDate = "string",
            StartTime = "string",
            UtcOffset = "string",
            WeekIndex = "string",
        },
        MicrosoftDefender = new Azure.ContainerService.Inputs.KubernetesClusterMicrosoftDefenderArgs
        {
            LogAnalyticsWorkspaceId = "string",
        },
        MonitorMetrics = new Azure.ContainerService.Inputs.KubernetesClusterMonitorMetricsArgs
        {
            AnnotationsAllowed = "string",
            LabelsAllowed = "string",
        },
        Name = "string",
        NetworkProfile = new Azure.ContainerService.Inputs.KubernetesClusterNetworkProfileArgs
        {
            NetworkPlugin = "string",
            LoadBalancerProfile = new Azure.ContainerService.Inputs.KubernetesClusterNetworkProfileLoadBalancerProfileArgs
            {
                EffectiveOutboundIps = new[]
                {
                    "string",
                },
                IdleTimeoutInMinutes = 0,
                ManagedOutboundIpCount = 0,
                ManagedOutboundIpv6Count = 0,
                OutboundIpAddressIds = new[]
                {
                    "string",
                },
                OutboundIpPrefixIds = new[]
                {
                    "string",
                },
                OutboundPortsAllocated = 0,
            },
            LoadBalancerSku = "string",
            NetworkPluginMode = "string",
            DnsServiceIp = "string",
            NetworkPolicy = "string",
            NatGatewayProfile = new Azure.ContainerService.Inputs.KubernetesClusterNetworkProfileNatGatewayProfileArgs
            {
                EffectiveOutboundIps = new[]
                {
                    "string",
                },
                IdleTimeoutInMinutes = 0,
                ManagedOutboundIpCount = 0,
            },
            NetworkMode = "string",
            OutboundIpAddressIds = new[]
            {
                "string",
            },
            IpVersions = new[]
            {
                "string",
            },
            EbpfDataPlane = "string",
            OutboundIpPrefixIds = new[]
            {
                "string",
            },
            OutboundType = "string",
            PodCidr = "string",
            PodCidrs = new[]
            {
                "string",
            },
            ServiceCidr = "string",
            ServiceCidrs = new[]
            {
                "string",
            },
        },
        NodeOsChannelUpgrade = "string",
        NodeResourceGroup = "string",
        OidcIssuerEnabled = false,
        OmsAgent = new Azure.ContainerService.Inputs.KubernetesClusterOmsAgentArgs
        {
            LogAnalyticsWorkspaceId = "string",
            MsiAuthForMonitoringEnabled = false,
            OmsAgentIdentities = new[]
            {
                new Azure.ContainerService.Inputs.KubernetesClusterOmsAgentOmsAgentIdentityArgs
                {
                    ClientId = "string",
                    ObjectId = "string",
                    UserAssignedIdentityId = "string",
                },
            },
        },
        OpenServiceMeshEnabled = false,
        // Placeholders only: `false` marks the type of these access-related switches,
        // it is not a suggested value for any of them.
        PrivateClusterEnabled = false,
        PrivateClusterPublicFqdnEnabled = false,
        PrivateDnsZoneId = "string",
        RoleBasedAccessControlEnabled = false,
        RunCommandEnabled = false,
        ServiceMeshProfile = new Azure.ContainerService.Inputs.KubernetesClusterServiceMeshProfileArgs
        {
            Mode = "string",
            ExternalIngressGatewayEnabled = false,
            InternalIngressGatewayEnabled = false,
        },
        ServicePrincipal = new Azure.ContainerService.Inputs.KubernetesClusterServicePrincipalArgs
        {
            ClientId = "string",
            // Credential input: supply it from secret configuration, never as a literal in source.
            ClientSecret = "string",
        },
        SkuTier = "string",
        StorageProfile = new Azure.ContainerService.Inputs.KubernetesClusterStorageProfileArgs
        {
            BlobDriverEnabled = false,
            DiskDriverEnabled = false,
            DiskDriverVersion = "string",
            FileDriverEnabled = false,
            SnapshotControllerEnabled = false,
        },
        SupportPlan = "string",
        Tags = 
        {
            { "string", "string" },
        },
        WebAppRouting = new Azure.ContainerService.Inputs.KubernetesClusterWebAppRoutingArgs
        {
            DnsZoneId = "string",
            WebAppRoutingIdentities = new[]
            {
                new Azure.ContainerService.Inputs.KubernetesClusterWebAppRoutingWebAppRoutingIdentityArgs
                {
                    ClientId = "string",
                    ObjectId = "string",
                    UserAssignedIdentityId = "string",
                },
            },
        },
        WindowsProfile = new Azure.ContainerService.Inputs.KubernetesClusterWindowsProfileArgs
        {
            AdminUsername = "string",
            // Credential input: supply it from secret configuration, never as a literal in source.
            AdminPassword = "string",
            Gmsa = new Azure.ContainerService.Inputs.KubernetesClusterWindowsProfileGmsaArgs
            {
                DnsServer = "string",
                RootDomain = "string",
            },
            License = "string",
        },
        WorkloadAutoscalerProfile = new Azure.ContainerService.Inputs.KubernetesClusterWorkloadAutoscalerProfileArgs
        {
            KedaEnabled = false,
            VerticalPodAutoscalerControlledValues = "string",
            VerticalPodAutoscalerEnabled = false,
            VerticalPodAutoscalerUpdateMode = "string",
        },
        WorkloadIdentityEnabled = false,
    });
    
    // Constructor reference: creates a KubernetesCluster resource named
    // "kubernetesClusterResource" with every input filled by a type placeholder
    // ("string", 0, false). The placeholders show the expected type only; a
    // `false` next to a security switch below is not a suggested setting.
    // ctx comes from the enclosing Pulumi program (not shown here), and err
    // still has to be checked by the caller.
    example, err := containerservice.NewKubernetesCluster(ctx, "kubernetesClusterResource", &containerservice.KubernetesClusterArgs{
    	DefaultNodePool: &containerservice.KubernetesClusterDefaultNodePoolArgs{
    		Name:   pulumi.String("string"),
    		VmSize: pulumi.String("string"),
    		NodeNetworkProfile: &containerservice.KubernetesClusterDefaultNodePoolNodeNetworkProfileArgs{
    			AllowedHostPorts: containerservice.KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPortArray{
    				&containerservice.KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPortArgs{
    					PortEnd:   pulumi.Int(0),
    					PortStart: pulumi.Int(0),
    					Protocol:  pulumi.String("string"),
    				},
    			},
    			ApplicationSecurityGroupIds: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			NodePublicIpTags: pulumi.StringMap{
    				"string": pulumi.String("string"),
    			},
    		},
    		WorkloadRuntime:    pulumi.String("string"),
    		// Whether each node in the pool gets its own public IP address.
    		EnableNodePublicIp: pulumi.Bool(false),
    		GpuInstance:        pulumi.String("string"),
    		HostGroupId:        pulumi.String("string"),
    		KubeletConfig: &containerservice.KubernetesClusterDefaultNodePoolKubeletConfigArgs{
    			// Sysctl patterns the kubelet would otherwise refuse as unsafe;
    			// list only what a workload actually needs.
    			AllowedUnsafeSysctls: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			ContainerLogMaxLine:   pulumi.Int(0),
    			ContainerLogMaxSizeMb: pulumi.Int(0),
    			CpuCfsQuotaEnabled:    pulumi.Bool(false),
    			CpuCfsQuotaPeriod:     pulumi.String("string"),
    			CpuManagerPolicy:      pulumi.String("string"),
    			ImageGcHighThreshold:  pulumi.Int(0),
    			ImageGcLowThreshold:   pulumi.Int(0),
    			PodMaxPid:             pulumi.Int(0),
    			TopologyManagerPolicy: pulumi.String("string"),
    		},
    		KubeletDiskType: pulumi.String("string"),
    		LinuxOsConfig: &containerservice.KubernetesClusterDefaultNodePoolLinuxOsConfigArgs{
    			SwapFileSizeMb: pulumi.Int(0),
    			SysctlConfig: &containerservice.KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfigArgs{
    				FsAioMaxNr:                     pulumi.Int(0),
    				FsFileMax:                      pulumi.Int(0),
    				FsInotifyMaxUserWatches:        pulumi.Int(0),
    				FsNrOpen:                       pulumi.Int(0),
    				KernelThreadsMax:               pulumi.Int(0),
    				NetCoreNetdevMaxBacklog:        pulumi.Int(0),
    				NetCoreOptmemMax:               pulumi.Int(0),
    				NetCoreRmemDefault:             pulumi.Int(0),
    				NetCoreRmemMax:                 pulumi.Int(0),
    				NetCoreSomaxconn:               pulumi.Int(0),
    				NetCoreWmemDefault:             pulumi.Int(0),
    				NetCoreWmemMax:                 pulumi.Int(0),
    				NetIpv4IpLocalPortRangeMax:     pulumi.Int(0),
    				NetIpv4IpLocalPortRangeMin:     pulumi.Int(0),
    				NetIpv4NeighDefaultGcThresh1:   pulumi.Int(0),
    				NetIpv4NeighDefaultGcThresh2:   pulumi.Int(0),
    				NetIpv4NeighDefaultGcThresh3:   pulumi.Int(0),
    				NetIpv4TcpFinTimeout:           pulumi.Int(0),
    				NetIpv4TcpKeepaliveIntvl:       pulumi.Int(0),
    				NetIpv4TcpKeepaliveProbes:      pulumi.Int(0),
    				NetIpv4TcpKeepaliveTime:        pulumi.Int(0),
    				NetIpv4TcpMaxSynBacklog:        pulumi.Int(0),
    				NetIpv4TcpMaxTwBuckets:         pulumi.Int(0),
    				NetIpv4TcpTwReuse:              pulumi.Bool(false),
    				NetNetfilterNfConntrackBuckets: pulumi.Int(0),
    				NetNetfilterNfConntrackMax:     pulumi.Int(0),
    				VmMaxMapCount:                  pulumi.Int(0),
    				VmSwappiness:                   pulumi.Int(0),
    				VmVfsCachePressure:             pulumi.Int(0),
    			},
    			TransparentHugePageDefrag:  pulumi.String("string"),
    			TransparentHugePageEnabled: pulumi.String("string"),
    		},
    		MaxCount:          pulumi.Int(0),
    		MaxPods:           pulumi.Int(0),
    		MessageOfTheDay:   pulumi.String("string"),
    		MinCount:          pulumi.Int(0),
    		EnableAutoScaling: pulumi.Bool(false),
    		NodeCount:         pulumi.Int(0),
    		NodeLabels: pulumi.StringMap{
    			"string": pulumi.String("string"),
    		},
    		CapacityReservationGroupId: pulumi.String("string"),
    		NodePublicIpPrefixId:       pulumi.String("string"),
    		FipsEnabled:                pulumi.Bool(false),
    		// Host-based encryption for the node pool (type placeholder shown).
    		EnableHostEncryption:       pulumi.Bool(false),
    		OsDiskSizeGb:               pulumi.Int(0),
    		OrchestratorVersion:        pulumi.String("string"),
    		OsDiskType:                 pulumi.String("string"),
    		OsSku:                      pulumi.String("string"),
    		PodSubnetId:                pulumi.String("string"),
    		ProximityPlacementGroupId:  pulumi.String("string"),
    		ScaleDownMode:              pulumi.String("string"),
    		SnapshotId:                 pulumi.String("string"),
    		Tags: pulumi.StringMap{
    			"string": pulumi.String("string"),
    		},
    		TemporaryNameForRotation: pulumi.String("string"),
    		Type:                     pulumi.String("string"),
    		UltraSsdEnabled:          pulumi.Bool(false),
    		UpgradeSettings: &containerservice.KubernetesClusterDefaultNodePoolUpgradeSettingsArgs{
    			MaxSurge: pulumi.String("string"),
    		},
    		CustomCaTrustEnabled:      pulumi.Bool(false),
    		VnetSubnetId:              pulumi.String("string"),
    		OnlyCriticalAddonsEnabled: pulumi.Bool(false),
    		Zones: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	ResourceGroupName: pulumi.String("string"),
    	AciConnectorLinux: &containerservice.KubernetesClusterAciConnectorLinuxArgs{
    		SubnetName: pulumi.String("string"),
    		ConnectorIdentities: containerservice.KubernetesClusterAciConnectorLinuxConnectorIdentityArray{
    			&containerservice.KubernetesClusterAciConnectorLinuxConnectorIdentityArgs{
    				ClientId:               pulumi.String("string"),
    				ObjectId:               pulumi.String("string"),
    				UserAssignedIdentityId: pulumi.String("string"),
    			},
    		},
    	},
    	ApiServerAccessProfile: &containerservice.KubernetesClusterApiServerAccessProfileArgs{
    		// Limits which source CIDR ranges may reach the cluster's API server.
    		AuthorizedIpRanges: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		SubnetId:               pulumi.String("string"),
    		VnetIntegrationEnabled: pulumi.Bool(false),
    	},
    	AutoScalerProfile: &containerservice.KubernetesClusterAutoScalerProfileArgs{
    		BalanceSimilarNodeGroups:      pulumi.Bool(false),
    		EmptyBulkDeleteMax:            pulumi.String("string"),
    		Expander:                      pulumi.String("string"),
    		MaxGracefulTerminationSec:     pulumi.String("string"),
    		MaxNodeProvisioningTime:       pulumi.String("string"),
    		MaxUnreadyNodes:               pulumi.Int(0),
    		MaxUnreadyPercentage:          pulumi.Float64(0),
    		NewPodScaleUpDelay:            pulumi.String("string"),
    		ScaleDownDelayAfterAdd:        pulumi.String("string"),
    		ScaleDownDelayAfterDelete:     pulumi.String("string"),
    		ScaleDownDelayAfterFailure:    pulumi.String("string"),
    		ScaleDownUnneeded:             pulumi.String("string"),
    		ScaleDownUnready:              pulumi.String("string"),
    		ScaleDownUtilizationThreshold: pulumi.String("string"),
    		ScanInterval:                  pulumi.String("string"),
    		SkipNodesWithLocalStorage:     pulumi.Bool(false),
    		SkipNodesWithSystemPods:       pulumi.Bool(false),
    	},
    	AutomaticChannelUpgrade: pulumi.String("string"),
    	AzureActiveDirectoryRoleBasedAccessControl: &containerservice.KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs{
    		// Members of these directory groups receive the admin role on the
    		// cluster, so the list is part of the cluster's trust boundary.
    		AdminGroupObjectIds: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		AzureRbacEnabled: pulumi.Bool(false),
    		TenantId:         pulumi.String("string"),
    	},
    	AzurePolicyEnabled: pulumi.Bool(false),
    	ConfidentialComputing: &containerservice.KubernetesClusterConfidentialComputingArgs{
    		SgxQuoteHelperEnabled: pulumi.Bool(false),
    	},
    	CustomCaTrustCertificatesBase64s: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	DiskEncryptionSetId:           pulumi.String("string"),
    	DnsPrefix:                     pulumi.String("string"),
    	DnsPrefixPrivateCluster:       pulumi.String("string"),
    	EdgeZone:                      pulumi.String("string"),
    	HttpApplicationRoutingEnabled: pulumi.Bool(false),
    	HttpProxyConfig: &containerservice.KubernetesClusterHttpProxyConfigArgs{
    		HttpProxy:  pulumi.String("string"),
    		HttpsProxy: pulumi.String("string"),
    		NoProxies: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		TrustedCa: pulumi.String("string"),
    	},
    	Identity: &containerservice.KubernetesClusterIdentityArgs{
    		Type: pulumi.String("string"),
    		IdentityIds: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		PrincipalId: pulumi.String("string"),
    		TenantId:    pulumi.String("string"),
    	},
    	ImageCleanerEnabled:       pulumi.Bool(false),
    	ImageCleanerIntervalHours: pulumi.Int(0),
    	IngressApplicationGateway: &containerservice.KubernetesClusterIngressApplicationGatewayArgs{
    		EffectiveGatewayId: pulumi.String("string"),
    		GatewayId:          pulumi.String("string"),
    		GatewayName:        pulumi.String("string"),
    		IngressApplicationGatewayIdentities: containerservice.KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentityArray{
    			&containerservice.KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentityArgs{
    				ClientId:               pulumi.String("string"),
    				ObjectId:               pulumi.String("string"),
    				UserAssignedIdentityId: pulumi.String("string"),
    			},
    		},
    		SubnetCidr: pulumi.String("string"),
    		SubnetId:   pulumi.String("string"),
    	},
    	// Key Vault key reference for the cluster's key management service
    	// integration; KeyVaultNetworkAccess sets how that vault is reached.
    	KeyManagementService: &containerservice.KubernetesClusterKeyManagementServiceArgs{
    		KeyVaultKeyId:         pulumi.String("string"),
    		KeyVaultNetworkAccess: pulumi.String("string"),
    	},
    	KeyVaultSecretsProvider: &containerservice.KubernetesClusterKeyVaultSecretsProviderArgs{
    		SecretIdentities: containerservice.KubernetesClusterKeyVaultSecretsProviderSecretIdentityArray{
    			&containerservice.KubernetesClusterKeyVaultSecretsProviderSecretIdentityArgs{
    				ClientId:               pulumi.String("string"),
    				ObjectId:               pulumi.String("string"),
    				UserAssignedIdentityId: pulumi.String("string"),
    			},
    		},
    		SecretRotationEnabled:  pulumi.Bool(false),
    		SecretRotationInterval: pulumi.String("string"),
    	},
    	KubeletIdentity: &containerservice.KubernetesClusterKubeletIdentityArgs{
    		ClientId:               pulumi.String("string"),
    		ObjectId:               pulumi.String("string"),
    		UserAssignedIdentityId: pulumi.String("string"),
    	},
    	KubernetesVersion: pulumi.String("string"),
    	LinuxProfile: &containerservice.KubernetesClusterLinuxProfileArgs{
    		AdminUsername: pulumi.String("string"),
    		SshKey: &containerservice.KubernetesClusterLinuxProfileSshKeyArgs{
    			// KeyData takes the SSH public key for AdminUsername, never a private key.
    			KeyData: pulumi.String("string"),
    		},
    	},
    	// true disables the cluster's local accounts.
    	// NOTE(review): believed to require the Azure AD RBAC block above; confirm
    	// against the property documentation.
    	LocalAccountDisabled: pulumi.Bool(false),
    	Location:             pulumi.String("string"),
    	MaintenanceWindow: &containerservice.KubernetesClusterMaintenanceWindowArgs{
    		Alloweds: containerservice.KubernetesClusterMaintenanceWindowAllowedArray{
    			&containerservice.KubernetesClusterMaintenanceWindowAllowedArgs{
    				Day: pulumi.String("string"),
    				Hours: pulumi.IntArray{
    					pulumi.Int(0),
    				},
    			},
    		},
    		NotAlloweds: containerservice.KubernetesClusterMaintenanceWindowNotAllowedArray{
    			&containerservice.KubernetesClusterMaintenanceWindowNotAllowedArgs{
    				End:   pulumi.String("string"),
    				Start: pulumi.String("string"),
    			},
    		},
    	},
    	MaintenanceWindowAutoUpgrade: &containerservice.KubernetesClusterMaintenanceWindowAutoUpgradeArgs{
    		Duration:   pulumi.Int(0),
    		Frequency:  pulumi.String("string"),
    		Interval:   pulumi.Int(0),
    		DayOfMonth: pulumi.Int(0),
    		DayOfWeek:  pulumi.String("string"),
    		NotAlloweds: containerservice.KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowedArray{
    			&containerservice.KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowedArgs{
    				End:   pulumi.String("string"),
    				Start: pulumi.String("string"),
    			},
    		},
    		StartDate: pulumi.String("string"),
    		StartTime: pulumi.String("string"),
    		UtcOffset: pulumi.String("string"),
    		WeekIndex: pulumi.String("string"),
    	},
    	MaintenanceWindowNodeOs: &containerservice.KubernetesClusterMaintenanceWindowNodeOsArgs{
    		Duration:   pulumi.Int(0),
    		Frequency:  pulumi.String("string"),
    		Interval:   pulumi.Int(0),
    		DayOfMonth: pulumi.Int(0),
    		DayOfWeek:  pulumi.String("string"),
    		NotAlloweds: containerservice.KubernetesClusterMaintenanceWindowNodeOsNotAllowedArray{
    			&containerservice.KubernetesClusterMaintenanceWindowNodeOsNotAllowedArgs{
    				End:   pulumi.String("string"),
    				Start: pulumi.String("string"),
    			},
    		},
    		StartDate: pulumi.String("string"),
    		StartTime: pulumi.String("string"),
    		UtcOffset: pulumi.String("string"),
    		WeekIndex: pulumi.String("string"),
    	},
    	MicrosoftDefender: &containerservice.KubernetesClusterMicrosoftDefenderArgs{
    		LogAnalyticsWorkspaceId: pulumi.String("string"),
    	},
    	MonitorMetrics: &containerservice.KubernetesClusterMonitorMetricsArgs{
    		AnnotationsAllowed: pulumi.String("string"),
    		LabelsAllowed:      pulumi.String("string"),
    	},
    	Name: pulumi.String("string"),
    	NetworkProfile: &containerservice.KubernetesClusterNetworkProfileArgs{
    		NetworkPlugin: pulumi.String("string"),
    		LoadBalancerProfile: &containerservice.KubernetesClusterNetworkProfileLoadBalancerProfileArgs{
    			EffectiveOutboundIps: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			IdleTimeoutInMinutes:     pulumi.Int(0),
    			ManagedOutboundIpCount:   pulumi.Int(0),
    			ManagedOutboundIpv6Count: pulumi.Int(0),
    			OutboundIpAddressIds: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			OutboundIpPrefixIds: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			OutboundPortsAllocated: pulumi.Int(0),
    		},
    		LoadBalancerSku:   pulumi.String("string"),
    		NetworkPluginMode: pulumi.String("string"),
    		DnsServiceIp:      pulumi.String("string"),
    		// Selects the network policy engine; Kubernetes NetworkPolicy objects
    		// are only enforced when one is configured.
    		NetworkPolicy:     pulumi.String("string"),
    		NatGatewayProfile: &containerservice.KubernetesClusterNetworkProfileNatGatewayProfileArgs{
    			EffectiveOutboundIps: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    			IdleTimeoutInMinutes:   pulumi.Int(0),
    			ManagedOutboundIpCount: pulumi.Int(0),
    		},
    		NetworkMode: pulumi.String("string"),
    		OutboundIpAddressIds: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		IpVersions: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		EbpfDataPlane: pulumi.String("string"),
    		OutboundIpPrefixIds: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		OutboundType: pulumi.String("string"),
    		PodCidr:      pulumi.String("string"),
    		PodCidrs: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    		ServiceCidr: pulumi.String("string"),
    		ServiceCidrs: pulumi.StringArray{
    			pulumi.String("string"),
    		},
    	},
    	NodeOsChannelUpgrade: pulumi.String("string"),
    	NodeResourceGroup:    pulumi.String("string"),
    	OidcIssuerEnabled:    pulumi.Bool(false),
    	OmsAgent: &containerservice.KubernetesClusterOmsAgentArgs{
    		LogAnalyticsWorkspaceId:     pulumi.String("string"),
    		MsiAuthForMonitoringEnabled: pulumi.Bool(false),
    		OmsAgentIdentities: containerservice.KubernetesClusterOmsAgentOmsAgentIdentityArray{
    			&containerservice.KubernetesClusterOmsAgentOmsAgentIdentityArgs{
    				ClientId:               pulumi.String("string"),
    				ObjectId:               pulumi.String("string"),
    				UserAssignedIdentityId: pulumi.String("string"),
    			},
    		},
    	},
    	OpenServiceMeshEnabled:          pulumi.Bool(false),
    	// PrivateClusterEnabled: true serves the API server on internal addresses
    	// only; PrivateClusterPublicFqdnEnabled adds a public DNS name for it.
    	PrivateClusterEnabled:           pulumi.Bool(false),
    	PrivateClusterPublicFqdnEnabled: pulumi.Bool(false),
    	PrivateDnsZoneId:                pulumi.String("string"),
    	// Kubernetes RBAC switch. NOTE(review): the provider default is believed
    	// to be true; confirm in the property docs before copying `false`.
    	RoleBasedAccessControlEnabled:   pulumi.Bool(false),
    	// Controls the AKS run-command feature, which executes commands inside the
    	// cluster through the Azure API rather than a direct API-server connection.
    	RunCommandEnabled:               pulumi.Bool(false),
    	ServiceMeshProfile: &containerservice.KubernetesClusterServiceMeshProfileArgs{
    		Mode:                          pulumi.String("string"),
    		ExternalIngressGatewayEnabled: pulumi.Bool(false),
    		InternalIngressGatewayEnabled: pulumi.Bool(false),
    	},
    	ServicePrincipal: &containerservice.KubernetesClusterServicePrincipalArgs{
    		ClientId:     pulumi.String("string"),
    		// ClientSecret is a credential: pass a secret-typed value (for example
    		// one read from Pulumi config with RequireSecret) instead of a string
    		// literal committed to source.
    		ClientSecret: pulumi.String("string"),
    	},
    	SkuTier: pulumi.String("string"),
    	StorageProfile: &containerservice.KubernetesClusterStorageProfileArgs{
    		BlobDriverEnabled:         pulumi.Bool(false),
    		DiskDriverEnabled:         pulumi.Bool(false),
    		DiskDriverVersion:         pulumi.String("string"),
    		FileDriverEnabled:         pulumi.Bool(false),
    		SnapshotControllerEnabled: pulumi.Bool(false),
    	},
    	SupportPlan: pulumi.String("string"),
    	Tags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	WebAppRouting: &containerservice.KubernetesClusterWebAppRoutingArgs{
    		DnsZoneId: pulumi.String("string"),
    		WebAppRoutingIdentities: containerservice.KubernetesClusterWebAppRoutingWebAppRoutingIdentityArray{
    			&containerservice.KubernetesClusterWebAppRoutingWebAppRoutingIdentityArgs{
    				ClientId:               pulumi.String("string"),
    				ObjectId:               pulumi.String("string"),
    				UserAssignedIdentityId: pulumi.String("string"),
    			},
    		},
    	},
    	WindowsProfile: &containerservice.KubernetesClusterWindowsProfileArgs{
    		AdminUsername: pulumi.String("string"),
    		// AdminPassword is a credential for the Windows nodes: supply it as a
    		// secret-typed value rather than a literal in source.
    		AdminPassword: pulumi.String("string"),
    		Gmsa: &containerservice.KubernetesClusterWindowsProfileGmsaArgs{
    			DnsServer:  pulumi.String("string"),
    			RootDomain: pulumi.String("string"),
    		},
    		License: pulumi.String("string"),
    	},
    	WorkloadAutoscalerProfile: &containerservice.KubernetesClusterWorkloadAutoscalerProfileArgs{
    		KedaEnabled:                           pulumi.Bool(false),
    		VerticalPodAutoscalerControlledValues: pulumi.String("string"),
    		VerticalPodAutoscalerEnabled:          pulumi.Bool(false),
    		VerticalPodAutoscalerUpdateMode:       pulumi.String("string"),
    	},
    	WorkloadIdentityEnabled: pulumi.Bool(false),
    })
    
    var kubernetesClusterResource = new KubernetesCluster("kubernetesClusterResource", KubernetesClusterArgs.builder()        
        .defaultNodePool(KubernetesClusterDefaultNodePoolArgs.builder()
            .name("string")
            .vmSize("string")
            .nodeNetworkProfile(KubernetesClusterDefaultNodePoolNodeNetworkProfileArgs.builder()
                .allowedHostPorts(KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPortArgs.builder()
                    .portEnd(0)
                    .portStart(0)
                    .protocol("string")
                    .build())
                .applicationSecurityGroupIds("string")
                .nodePublicIpTags(Map.of("string", "string"))
                .build())
            .workloadRuntime("string")
            .enableNodePublicIp(false)
            .gpuInstance("string")
            .hostGroupId("string")
            .kubeletConfig(KubernetesClusterDefaultNodePoolKubeletConfigArgs.builder()
                .allowedUnsafeSysctls("string")
                .containerLogMaxLine(0)
                .containerLogMaxSizeMb(0)
                .cpuCfsQuotaEnabled(false)
                .cpuCfsQuotaPeriod("string")
                .cpuManagerPolicy("string")
                .imageGcHighThreshold(0)
                .imageGcLowThreshold(0)
                .podMaxPid(0)
                .topologyManagerPolicy("string")
                .build())
            .kubeletDiskType("string")
            .linuxOsConfig(KubernetesClusterDefaultNodePoolLinuxOsConfigArgs.builder()
                .swapFileSizeMb(0)
                .sysctlConfig(KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfigArgs.builder()
                    .fsAioMaxNr(0)
                    .fsFileMax(0)
                    .fsInotifyMaxUserWatches(0)
                    .fsNrOpen(0)
                    .kernelThreadsMax(0)
                    .netCoreNetdevMaxBacklog(0)
                    .netCoreOptmemMax(0)
                    .netCoreRmemDefault(0)
                    .netCoreRmemMax(0)
                    .netCoreSomaxconn(0)
                    .netCoreWmemDefault(0)
                    .netCoreWmemMax(0)
                    .netIpv4IpLocalPortRangeMax(0)
                    .netIpv4IpLocalPortRangeMin(0)
                    .netIpv4NeighDefaultGcThresh1(0)
                    .netIpv4NeighDefaultGcThresh2(0)
                    .netIpv4NeighDefaultGcThresh3(0)
                    .netIpv4TcpFinTimeout(0)
                    .netIpv4TcpKeepaliveIntvl(0)
                    .netIpv4TcpKeepaliveProbes(0)
                    .netIpv4TcpKeepaliveTime(0)
                    .netIpv4TcpMaxSynBacklog(0)
                    .netIpv4TcpMaxTwBuckets(0)
                    .netIpv4TcpTwReuse(false)
                    .netNetfilterNfConntrackBuckets(0)
                    .netNetfilterNfConntrackMax(0)
                    .vmMaxMapCount(0)
                    .vmSwappiness(0)
                    .vmVfsCachePressure(0)
                    .build())
                .transparentHugePageDefrag("string")
                .transparentHugePageEnabled("string")
                .build())
            .maxCount(0)
            .maxPods(0)
            .messageOfTheDay("string")
            .minCount(0)
            .enableAutoScaling(false)
            .nodeCount(0)
            .nodeLabels(Map.of("string", "string"))
            .capacityReservationGroupId("string")
            .nodePublicIpPrefixId("string")
            .fipsEnabled(false)
            .enableHostEncryption(false)
            .osDiskSizeGb(0)
            .orchestratorVersion("string")
            .osDiskType("string")
            .osSku("string")
            .podSubnetId("string")
            .proximityPlacementGroupId("string")
            .scaleDownMode("string")
            .snapshotId("string")
            .tags(Map.of("string", "string"))
            .temporaryNameForRotation("string")
            .type("string")
            .ultraSsdEnabled(false)
            .upgradeSettings(KubernetesClusterDefaultNodePoolUpgradeSettingsArgs.builder()
                .maxSurge("string")
                .build())
            .customCaTrustEnabled(false)
            .vnetSubnetId("string")
            .onlyCriticalAddonsEnabled(false)
            .zones("string")
            .build())
        .resourceGroupName("string")
        .aciConnectorLinux(KubernetesClusterAciConnectorLinuxArgs.builder()
            .subnetName("string")
            .connectorIdentities(KubernetesClusterAciConnectorLinuxConnectorIdentityArgs.builder()
                .clientId("string")
                .objectId("string")
                .userAssignedIdentityId("string")
                .build())
            .build())
        .apiServerAccessProfile(KubernetesClusterApiServerAccessProfileArgs.builder()
            .authorizedIpRanges("string")
            .subnetId("string")
            .vnetIntegrationEnabled(false)
            .build())
        .autoScalerProfile(KubernetesClusterAutoScalerProfileArgs.builder()
            .balanceSimilarNodeGroups(false)
            .emptyBulkDeleteMax("string")
            .expander("string")
            .maxGracefulTerminationSec("string")
            .maxNodeProvisioningTime("string")
            .maxUnreadyNodes(0)
            .maxUnreadyPercentage(0)
            .newPodScaleUpDelay("string")
            .scaleDownDelayAfterAdd("string")
            .scaleDownDelayAfterDelete("string")
            .scaleDownDelayAfterFailure("string")
            .scaleDownUnneeded("string")
            .scaleDownUnready("string")
            .scaleDownUtilizationThreshold("string")
            .scanInterval("string")
            .skipNodesWithLocalStorage(false)
            .skipNodesWithSystemPods(false)
            .build())
        .automaticChannelUpgrade("string")
        .azureActiveDirectoryRoleBasedAccessControl(KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs.builder()
            .adminGroupObjectIds("string")
            .azureRbacEnabled(false)
            .tenantId("string")
            .build())
        .azurePolicyEnabled(false)
        .confidentialComputing(KubernetesClusterConfidentialComputingArgs.builder()
            .sgxQuoteHelperEnabled(false)
            .build())
        .customCaTrustCertificatesBase64s("string")
        .diskEncryptionSetId("string")
        .dnsPrefix("string")
        .dnsPrefixPrivateCluster("string")
        .edgeZone("string")
        .httpApplicationRoutingEnabled(false)
        .httpProxyConfig(KubernetesClusterHttpProxyConfigArgs.builder()
            .httpProxy("string")
            .httpsProxy("string")
            .noProxies("string")
            .trustedCa("string")
            .build())
        .identity(KubernetesClusterIdentityArgs.builder()
            .type("string")
            .identityIds("string")
            .principalId("string")
            .tenantId("string")
            .build())
        .imageCleanerEnabled(false)
        .imageCleanerIntervalHours(0)
        .ingressApplicationGateway(KubernetesClusterIngressApplicationGatewayArgs.builder()
            .effectiveGatewayId("string")
            .gatewayId("string")
            .gatewayName("string")
            .ingressApplicationGatewayIdentities(KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentityArgs.builder()
                .clientId("string")
                .objectId("string")
                .userAssignedIdentityId("string")
                .build())
            .subnetCidr("string")
            .subnetId("string")
            .build())
        .keyManagementService(KubernetesClusterKeyManagementServiceArgs.builder()
            .keyVaultKeyId("string")
            .keyVaultNetworkAccess("string")
            .build())
        .keyVaultSecretsProvider(KubernetesClusterKeyVaultSecretsProviderArgs.builder()
            .secretIdentities(KubernetesClusterKeyVaultSecretsProviderSecretIdentityArgs.builder()
                .clientId("string")
                .objectId("string")
                .userAssignedIdentityId("string")
                .build())
            .secretRotationEnabled(false)
            .secretRotationInterval("string")
            .build())
        .kubeletIdentity(KubernetesClusterKubeletIdentityArgs.builder()
            .clientId("string")
            .objectId("string")
            .userAssignedIdentityId("string")
            .build())
        .kubernetesVersion("string")
        .linuxProfile(KubernetesClusterLinuxProfileArgs.builder()
            .adminUsername("string")
            .sshKey(KubernetesClusterLinuxProfileSshKeyArgs.builder()
                .keyData("string")
                .build())
            .build())
        .localAccountDisabled(false)
        .location("string")
        .maintenanceWindow(KubernetesClusterMaintenanceWindowArgs.builder()
            .alloweds(KubernetesClusterMaintenanceWindowAllowedArgs.builder()
                .day("string")
                .hours(0)
                .build())
            .notAlloweds(KubernetesClusterMaintenanceWindowNotAllowedArgs.builder()
                .end("string")
                .start("string")
                .build())
            .build())
        .maintenanceWindowAutoUpgrade(KubernetesClusterMaintenanceWindowAutoUpgradeArgs.builder()
            .duration(0)
            .frequency("string")
            .interval(0)
            .dayOfMonth(0)
            .dayOfWeek("string")
            .notAlloweds(KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowedArgs.builder()
                .end("string")
                .start("string")
                .build())
            .startDate("string")
            .startTime("string")
            .utcOffset("string")
            .weekIndex("string")
            .build())
        .maintenanceWindowNodeOs(KubernetesClusterMaintenanceWindowNodeOsArgs.builder()
            .duration(0)
            .frequency("string")
            .interval(0)
            .dayOfMonth(0)
            .dayOfWeek("string")
            .notAlloweds(KubernetesClusterMaintenanceWindowNodeOsNotAllowedArgs.builder()
                .end("string")
                .start("string")
                .build())
            .startDate("string")
            .startTime("string")
            .utcOffset("string")
            .weekIndex("string")
            .build())
        .microsoftDefender(KubernetesClusterMicrosoftDefenderArgs.builder()
            .logAnalyticsWorkspaceId("string")
            .build())
        .monitorMetrics(KubernetesClusterMonitorMetricsArgs.builder()
            .annotationsAllowed("string")
            .labelsAllowed("string")
            .build())
        .name("string")
        .networkProfile(KubernetesClusterNetworkProfileArgs.builder()
            .networkPlugin("string")
            .loadBalancerProfile(KubernetesClusterNetworkProfileLoadBalancerProfileArgs.builder()
                .effectiveOutboundIps("string")
                .idleTimeoutInMinutes(0)
                .managedOutboundIpCount(0)
                .managedOutboundIpv6Count(0)
                .outboundIpAddressIds("string")
                .outboundIpPrefixIds("string")
                .outboundPortsAllocated(0)
                .build())
            .loadBalancerSku("string")
            .networkPluginMode("string")
            .dnsServiceIp("string")
            .networkPolicy("string")
            .natGatewayProfile(KubernetesClusterNetworkProfileNatGatewayProfileArgs.builder()
                .effectiveOutboundIps("string")
                .idleTimeoutInMinutes(0)
                .managedOutboundIpCount(0)
                .build())
            .networkMode("string")
            .outboundIpAddressIds("string")
            .ipVersions("string")
            .ebpfDataPlane("string")
            .outboundIpPrefixIds("string")
            .outboundType("string")
            .podCidr("string")
            .podCidrs("string")
            .serviceCidr("string")
            .serviceCidrs("string")
            .build())
        .nodeOsChannelUpgrade("string")
        .nodeResourceGroup("string")
        .oidcIssuerEnabled(false)
        .omsAgent(KubernetesClusterOmsAgentArgs.builder()
            .logAnalyticsWorkspaceId("string")
            .msiAuthForMonitoringEnabled(false)
            .omsAgentIdentities(KubernetesClusterOmsAgentOmsAgentIdentityArgs.builder()
                .clientId("string")
                .objectId("string")
                .userAssignedIdentityId("string")
                .build())
            .build())
        .openServiceMeshEnabled(false)
        .privateClusterEnabled(false)
        .privateClusterPublicFqdnEnabled(false)
        .privateDnsZoneId("string")
        .roleBasedAccessControlEnabled(false)
        .runCommandEnabled(false)
        .serviceMeshProfile(KubernetesClusterServiceMeshProfileArgs.builder()
            .mode("string")
            .externalIngressGatewayEnabled(false)
            .internalIngressGatewayEnabled(false)
            .build())
        .servicePrincipal(KubernetesClusterServicePrincipalArgs.builder()
            .clientId("string")
            .clientSecret("string")
            .build())
        .skuTier("string")
        .storageProfile(KubernetesClusterStorageProfileArgs.builder()
            .blobDriverEnabled(false)
            .diskDriverEnabled(false)
            .diskDriverVersion("string")
            .fileDriverEnabled(false)
            .snapshotControllerEnabled(false)
            .build())
        .supportPlan("string")
        .tags(Map.of("string", "string"))
        .webAppRouting(KubernetesClusterWebAppRoutingArgs.builder()
            .dnsZoneId("string")
            .webAppRoutingIdentities(KubernetesClusterWebAppRoutingWebAppRoutingIdentityArgs.builder()
                .clientId("string")
                .objectId("string")
                .userAssignedIdentityId("string")
                .build())
            .build())
        .windowsProfile(KubernetesClusterWindowsProfileArgs.builder()
            .adminUsername("string")
            .adminPassword("string")
            .gmsa(KubernetesClusterWindowsProfileGmsaArgs.builder()
                .dnsServer("string")
                .rootDomain("string")
                .build())
            .license("string")
            .build())
        .workloadAutoscalerProfile(KubernetesClusterWorkloadAutoscalerProfileArgs.builder()
            .kedaEnabled(false)
            .verticalPodAutoscalerControlledValues("string")
            .verticalPodAutoscalerEnabled(false)
            .verticalPodAutoscalerUpdateMode("string")
            .build())
        .workloadIdentityEnabled(false)
        .build());
    
    # Constructor reference for azure.containerservice.KubernetesCluster: every input is
    # shown with a type placeholder ("string", 0, False), not a recommended value.
    # NOTE(review): the False literals on security-relevant switches below
    # (role_based_access_control_enabled, private_cluster_enabled, local_account_disabled,
    # azure_policy_enabled, ...) are placeholders too; choose each one deliberately
    # instead of copying this listing into a deployment.
    kubernetes_cluster_resource = azure.containerservice.KubernetesCluster("kubernetesClusterResource",
        default_node_pool=azure.containerservice.KubernetesClusterDefaultNodePoolArgs(
            name="string",
            vm_size="string",
            node_network_profile=azure.containerservice.KubernetesClusterDefaultNodePoolNodeNetworkProfileArgs(
                allowed_host_ports=[azure.containerservice.KubernetesClusterDefaultNodePoolNodeNetworkProfileAllowedHostPortArgs(
                    port_end=0,
                    port_start=0,
                    protocol="string",
                )],
                application_security_group_ids=["string"],
                node_public_ip_tags={
                    "string": "string",
                },
            ),
            workload_runtime="string",
            # NOTE(review): presumably True gives every node its own public IP; keep False
            # unless nodes must be reachable directly.
            enable_node_public_ip=False,
            gpu_instance="string",
            host_group_id="string",
            kubelet_config=azure.containerservice.KubernetesClusterDefaultNodePoolKubeletConfigArgs(
                # NOTE(review): each entry lets pods set a sysctl the kubelet otherwise treats
                # as unsafe; leave the list empty unless a workload needs it.
                allowed_unsafe_sysctls=["string"],
                container_log_max_line=0,
                container_log_max_size_mb=0,
                cpu_cfs_quota_enabled=False,
                cpu_cfs_quota_period="string",
                cpu_manager_policy="string",
                image_gc_high_threshold=0,
                image_gc_low_threshold=0,
                pod_max_pid=0,
                topology_manager_policy="string",
            ),
            kubelet_disk_type="string",
            linux_os_config=azure.containerservice.KubernetesClusterDefaultNodePoolLinuxOsConfigArgs(
                swap_file_size_mb=0,
                sysctl_config=azure.containerservice.KubernetesClusterDefaultNodePoolLinuxOsConfigSysctlConfigArgs(
                    fs_aio_max_nr=0,
                    fs_file_max=0,
                    fs_inotify_max_user_watches=0,
                    fs_nr_open=0,
                    kernel_threads_max=0,
                    net_core_netdev_max_backlog=0,
                    net_core_optmem_max=0,
                    net_core_rmem_default=0,
                    net_core_rmem_max=0,
                    net_core_somaxconn=0,
                    net_core_wmem_default=0,
                    net_core_wmem_max=0,
                    net_ipv4_ip_local_port_range_max=0,
                    net_ipv4_ip_local_port_range_min=0,
                    net_ipv4_neigh_default_gc_thresh1=0,
                    net_ipv4_neigh_default_gc_thresh2=0,
                    net_ipv4_neigh_default_gc_thresh3=0,
                    net_ipv4_tcp_fin_timeout=0,
                    net_ipv4_tcp_keepalive_intvl=0,
                    net_ipv4_tcp_keepalive_probes=0,
                    net_ipv4_tcp_keepalive_time=0,
                    net_ipv4_tcp_max_syn_backlog=0,
                    net_ipv4_tcp_max_tw_buckets=0,
                    net_ipv4_tcp_tw_reuse=False,
                    net_netfilter_nf_conntrack_buckets=0,
                    net_netfilter_nf_conntrack_max=0,
                    vm_max_map_count=0,
                    vm_swappiness=0,
                    vm_vfs_cache_pressure=0,
                ),
                transparent_huge_page_defrag="string",
                transparent_huge_page_enabled="string",
            ),
            max_count=0,
            max_pods=0,
            message_of_the_day="string",
            min_count=0,
            enable_auto_scaling=False,
            node_count=0,
            node_labels={
                "string": "string",
            },
            capacity_reservation_group_id="string",
            node_public_ip_prefix_id="string",
            fips_enabled=False,
            enable_host_encryption=False,
            os_disk_size_gb=0,
            orchestrator_version="string",
            os_disk_type="string",
            os_sku="string",
            pod_subnet_id="string",
            proximity_placement_group_id="string",
            scale_down_mode="string",
            snapshot_id="string",
            tags={
                "string": "string",
            },
            temporary_name_for_rotation="string",
            type="string",
            ultra_ssd_enabled=False,
            upgrade_settings=azure.containerservice.KubernetesClusterDefaultNodePoolUpgradeSettingsArgs(
                max_surge="string",
            ),
            custom_ca_trust_enabled=False,
            vnet_subnet_id="string",
            only_critical_addons_enabled=False,
            zones=["string"],
        ),
        resource_group_name="string",
        aci_connector_linux=azure.containerservice.KubernetesClusterAciConnectorLinuxArgs(
            subnet_name="string",
            connector_identities=[azure.containerservice.KubernetesClusterAciConnectorLinuxConnectorIdentityArgs(
                client_id="string",
                object_id="string",
                user_assigned_identity_id="string",
            )],
        ),
        # NOTE(review): authorized_ip_ranges is the allow-list of source ranges for the API
        # server endpoint; a public cluster without it is presumably reachable from any
        # address - confirm against the provider docs.
        api_server_access_profile=azure.containerservice.KubernetesClusterApiServerAccessProfileArgs(
            authorized_ip_ranges=["string"],
            subnet_id="string",
            vnet_integration_enabled=False,
        ),
        auto_scaler_profile=azure.containerservice.KubernetesClusterAutoScalerProfileArgs(
            balance_similar_node_groups=False,
            empty_bulk_delete_max="string",
            expander="string",
            max_graceful_termination_sec="string",
            max_node_provisioning_time="string",
            max_unready_nodes=0,
            max_unready_percentage=0,
            new_pod_scale_up_delay="string",
            scale_down_delay_after_add="string",
            scale_down_delay_after_delete="string",
            scale_down_delay_after_failure="string",
            scale_down_unneeded="string",
            scale_down_unready="string",
            scale_down_utilization_threshold="string",
            scan_interval="string",
            skip_nodes_with_local_storage=False,
            skip_nodes_with_system_pods=False,
        ),
        automatic_channel_upgrade="string",
        # NOTE(review): per the provider docs the groups in admin_group_object_ids receive the
        # admin role on the cluster; keep that list short and reviewed.
        azure_active_directory_role_based_access_control=azure.containerservice.KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs(
            admin_group_object_ids=["string"],
            azure_rbac_enabled=False,
            tenant_id="string",
        ),
        azure_policy_enabled=False,
        confidential_computing=azure.containerservice.KubernetesClusterConfidentialComputingArgs(
            sgx_quote_helper_enabled=False,
        ),
        custom_ca_trust_certificates_base64s=["string"],
        disk_encryption_set_id="string",
        dns_prefix="string",
        dns_prefix_private_cluster="string",
        edge_zone="string",
        http_application_routing_enabled=False,
        http_proxy_config=azure.containerservice.KubernetesClusterHttpProxyConfigArgs(
            http_proxy="string",
            https_proxy="string",
            no_proxies=["string"],
            trusted_ca="string",
        ),
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="string",
            identity_ids=["string"],
            principal_id="string",
            tenant_id="string",
        ),
        image_cleaner_enabled=False,
        image_cleaner_interval_hours=0,
        ingress_application_gateway=azure.containerservice.KubernetesClusterIngressApplicationGatewayArgs(
            effective_gateway_id="string",
            gateway_id="string",
            gateway_name="string",
            ingress_application_gateway_identities=[azure.containerservice.KubernetesClusterIngressApplicationGatewayIngressApplicationGatewayIdentityArgs(
                client_id="string",
                object_id="string",
                user_assigned_identity_id="string",
            )],
            subnet_cidr="string",
            subnet_id="string",
        ),
        key_management_service=azure.containerservice.KubernetesClusterKeyManagementServiceArgs(
            key_vault_key_id="string",
            key_vault_network_access="string",
        ),
        key_vault_secrets_provider=azure.containerservice.KubernetesClusterKeyVaultSecretsProviderArgs(
            secret_identities=[azure.containerservice.KubernetesClusterKeyVaultSecretsProviderSecretIdentityArgs(
                client_id="string",
                object_id="string",
                user_assigned_identity_id="string",
            )],
            secret_rotation_enabled=False,
            secret_rotation_interval="string",
        ),
        kubelet_identity=azure.containerservice.KubernetesClusterKubeletIdentityArgs(
            client_id="string",
            object_id="string",
            user_assigned_identity_id="string",
        ),
        kubernetes_version="string",
        linux_profile=azure.containerservice.KubernetesClusterLinuxProfileArgs(
            admin_username="string",
            ssh_key=azure.containerservice.KubernetesClusterLinuxProfileSshKeyArgs(
                # key_data takes the SSH public key for admin_username; private key material
                # never belongs here.
                key_data="string",
            ),
        ),
        # NOTE(review): True turns off the cluster's local accounts so access goes through
        # Entra ID; the provider docs tie this to the AAD RBAC block above - confirm
        # before enabling.
        local_account_disabled=False,
        location="string",
        maintenance_window=azure.containerservice.KubernetesClusterMaintenanceWindowArgs(
            alloweds=[azure.containerservice.KubernetesClusterMaintenanceWindowAllowedArgs(
                day="string",
                hours=[0],
            )],
            not_alloweds=[azure.containerservice.KubernetesClusterMaintenanceWindowNotAllowedArgs(
                end="string",
                start="string",
            )],
        ),
        maintenance_window_auto_upgrade=azure.containerservice.KubernetesClusterMaintenanceWindowAutoUpgradeArgs(
            duration=0,
            frequency="string",
            interval=0,
            day_of_month=0,
            day_of_week="string",
            not_alloweds=[azure.containerservice.KubernetesClusterMaintenanceWindowAutoUpgradeNotAllowedArgs(
                end="string",
                start="string",
            )],
            start_date="string",
            start_time="string",
            utc_offset="string",
            week_index="string",
        ),
        maintenance_window_node_os=azure.containerservice.KubernetesClusterMaintenanceWindowNodeOsArgs(
            duration=0,
            frequency="string",
            interval=0,
            day_of_month=0,
            day_of_week="string",
            not_alloweds=[azure.containerservice.KubernetesClusterMaintenanceWindowNodeOsNotAllowedArgs(
                end="string",
                start="string",
            )],
            start_date="string",
            start_time="string",
            utc_offset="string",
            week_index="string",
        ),
        microsoft_defender=azure.containerservice.KubernetesClusterMicrosoftDefenderArgs(
            log_analytics_workspace_id="string",
        ),
        monitor_metrics=azure.containerservice.KubernetesClusterMonitorMetricsArgs(
            annotations_allowed="string",
            labels_allowed="string",
        ),
        name="string",
        network_profile=azure.containerservice.KubernetesClusterNetworkProfileArgs(
            network_plugin="string",
            load_balancer_profile=azure.containerservice.KubernetesClusterNetworkProfileLoadBalancerProfileArgs(
                effective_outbound_ips=["string"],
                idle_timeout_in_minutes=0,
                managed_outbound_ip_count=0,
                managed_outbound_ipv6_count=0,
                outbound_ip_address_ids=["string"],
                outbound_ip_prefix_ids=["string"],
                outbound_ports_allocated=0,
            ),
            load_balancer_sku="string",
            network_plugin_mode="string",
            dns_service_ip="string",
            network_policy="string",
            nat_gateway_profile=azure.containerservice.KubernetesClusterNetworkProfileNatGatewayProfileArgs(
                effective_outbound_ips=["string"],
                idle_timeout_in_minutes=0,
                managed_outbound_ip_count=0,
            ),
            network_mode="string",
            outbound_ip_address_ids=["string"],
            ip_versions=["string"],
            ebpf_data_plane="string",
            outbound_ip_prefix_ids=["string"],
            outbound_type="string",
            pod_cidr="string",
            pod_cidrs=["string"],
            service_cidr="string",
            service_cidrs=["string"],
        ),
        node_os_channel_upgrade="string",
        node_resource_group="string",
        oidc_issuer_enabled=False,
        oms_agent=azure.containerservice.KubernetesClusterOmsAgentArgs(
            log_analytics_workspace_id="string",
            msi_auth_for_monitoring_enabled=False,
            oms_agent_identities=[azure.containerservice.KubernetesClusterOmsAgentOmsAgentIdentityArgs(
                client_id="string",
                object_id="string",
                user_assigned_identity_id="string",
            )],
        ),
        open_service_mesh_enabled=False,
        # NOTE(review): per the provider docs, True exposes the API server on internal IP
        # addresses only; False leaves a public endpoint.
        private_cluster_enabled=False,
        private_cluster_public_fqdn_enabled=False,
        private_dns_zone_id="string",
        # NOTE(review): False would switch Kubernetes RBAC off; the provider default is
        # believed to be True - confirm, and omit the argument rather than pass False.
        role_based_access_control_enabled=False,
        # NOTE(review): governs the managed "run command" feature, which executes commands in
        # the cluster through the Azure API; leave it off where that path is not needed.
        run_command_enabled=False,
        service_mesh_profile=azure.containerservice.KubernetesClusterServiceMeshProfileArgs(
            mode="string",
            external_ingress_gateway_enabled=False,
            internal_ingress_gateway_enabled=False,
        ),
        service_principal=azure.containerservice.KubernetesClusterServicePrincipalArgs(
            client_id="string",
            # client_secret is a credential: pass a Pulumi secret, e.g.
            # pulumi.Config().require_secret("<config-key>"), never a literal in source.
            client_secret="string",
        ),
        sku_tier="string",
        storage_profile=azure.containerservice.KubernetesClusterStorageProfileArgs(
            blob_driver_enabled=False,
            disk_driver_enabled=False,
            disk_driver_version="string",
            file_driver_enabled=False,
            snapshot_controller_enabled=False,
        ),
        support_plan="string",
        tags={
            "string": "string",
        },
        web_app_routing=azure.containerservice.KubernetesClusterWebAppRoutingArgs(
            dns_zone_id="string",
            web_app_routing_identities=[azure.containerservice.KubernetesClusterWebAppRoutingWebAppRoutingIdentityArgs(
                client_id="string",
                object_id="string",
                user_assigned_identity_id="string",
            )],
        ),
        windows_profile=azure.containerservice.KubernetesClusterWindowsProfileArgs(
            admin_username="string",
            # admin_password is a credential: pass a Pulumi secret, e.g.
            # pulumi.Config().require_secret("<config-key>"), never a literal in source.
            admin_password="string",
            gmsa=azure.containerservice.KubernetesClusterWindowsProfileGmsaArgs(
                dns_server="string",
                root_domain="string",
            ),
            license="string",
        ),
        workload_autoscaler_profile=azure.containerservice.KubernetesClusterWorkloadAutoscalerProfileArgs(
            keda_enabled=False,
            vertical_pod_autoscaler_controlled_values="string",
            vertical_pod_autoscaler_enabled=False,
            vertical_pod_autoscaler_update_mode="string",
        ),
        workload_identity_enabled=False)
    
    // Constructor reference for azure.containerservice.KubernetesCluster: every input is
    // shown with a type placeholder ("string", 0, false), not a recommended value.
    // NOTE(review): the false literals on security-relevant switches below
    // (roleBasedAccessControlEnabled, privateClusterEnabled, localAccountDisabled,
    // azurePolicyEnabled, ...) are placeholders too; choose each one deliberately
    // instead of copying this listing into a deployment.
    const kubernetesClusterResource = new azure.containerservice.KubernetesCluster("kubernetesClusterResource", {
        defaultNodePool: {
            name: "string",
            vmSize: "string",
            nodeNetworkProfile: {
                allowedHostPorts: [{
                    portEnd: 0,
                    portStart: 0,
                    protocol: "string",
                }],
                applicationSecurityGroupIds: ["string"],
                nodePublicIpTags: {
                    string: "string",
                },
            },
            workloadRuntime: "string",
            // NOTE(review): presumably true gives every node its own public IP; keep false
            // unless nodes must be reachable directly.
            enableNodePublicIp: false,
            gpuInstance: "string",
            hostGroupId: "string",
            kubeletConfig: {
                // NOTE(review): each entry lets pods set a sysctl the kubelet otherwise treats
                // as unsafe; leave the list empty unless a workload needs it.
                allowedUnsafeSysctls: ["string"],
                containerLogMaxLine: 0,
                containerLogMaxSizeMb: 0,
                cpuCfsQuotaEnabled: false,
                cpuCfsQuotaPeriod: "string",
                cpuManagerPolicy: "string",
                imageGcHighThreshold: 0,
                imageGcLowThreshold: 0,
                podMaxPid: 0,
                topologyManagerPolicy: "string",
            },
            kubeletDiskType: "string",
            linuxOsConfig: {
                swapFileSizeMb: 0,
                sysctlConfig: {
                    fsAioMaxNr: 0,
                    fsFileMax: 0,
                    fsInotifyMaxUserWatches: 0,
                    fsNrOpen: 0,
                    kernelThreadsMax: 0,
                    netCoreNetdevMaxBacklog: 0,
                    netCoreOptmemMax: 0,
                    netCoreRmemDefault: 0,
                    netCoreRmemMax: 0,
                    netCoreSomaxconn: 0,
                    netCoreWmemDefault: 0,
                    netCoreWmemMax: 0,
                    netIpv4IpLocalPortRangeMax: 0,
                    netIpv4IpLocalPortRangeMin: 0,
                    netIpv4NeighDefaultGcThresh1: 0,
                    netIpv4NeighDefaultGcThresh2: 0,
                    netIpv4NeighDefaultGcThresh3: 0,
                    netIpv4TcpFinTimeout: 0,
                    netIpv4TcpKeepaliveIntvl: 0,
                    netIpv4TcpKeepaliveProbes: 0,
                    netIpv4TcpKeepaliveTime: 0,
                    netIpv4TcpMaxSynBacklog: 0,
                    netIpv4TcpMaxTwBuckets: 0,
                    netIpv4TcpTwReuse: false,
                    netNetfilterNfConntrackBuckets: 0,
                    netNetfilterNfConntrackMax: 0,
                    vmMaxMapCount: 0,
                    vmSwappiness: 0,
                    vmVfsCachePressure: 0,
                },
                transparentHugePageDefrag: "string",
                transparentHugePageEnabled: "string",
            },
            maxCount: 0,
            maxPods: 0,
            messageOfTheDay: "string",
            minCount: 0,
            enableAutoScaling: false,
            nodeCount: 0,
            nodeLabels: {
                string: "string",
            },
            capacityReservationGroupId: "string",
            nodePublicIpPrefixId: "string",
            fipsEnabled: false,
            enableHostEncryption: false,
            osDiskSizeGb: 0,
            orchestratorVersion: "string",
            osDiskType: "string",
            osSku: "string",
            podSubnetId: "string",
            proximityPlacementGroupId: "string",
            scaleDownMode: "string",
            snapshotId: "string",
            tags: {
                string: "string",
            },
            temporaryNameForRotation: "string",
            type: "string",
            ultraSsdEnabled: false,
            upgradeSettings: {
                maxSurge: "string",
            },
            customCaTrustEnabled: false,
            vnetSubnetId: "string",
            onlyCriticalAddonsEnabled: false,
            zones: ["string"],
        },
        resourceGroupName: "string",
        aciConnectorLinux: {
            subnetName: "string",
            connectorIdentities: [{
                clientId: "string",
                objectId: "string",
                userAssignedIdentityId: "string",
            }],
        },
        // NOTE(review): authorizedIpRanges is the allow-list of source ranges for the API
        // server endpoint; a public cluster without it is presumably reachable from any
        // address - confirm against the provider docs.
        apiServerAccessProfile: {
            authorizedIpRanges: ["string"],
            subnetId: "string",
            vnetIntegrationEnabled: false,
        },
        autoScalerProfile: {
            balanceSimilarNodeGroups: false,
            emptyBulkDeleteMax: "string",
            expander: "string",
            maxGracefulTerminationSec: "string",
            maxNodeProvisioningTime: "string",
            maxUnreadyNodes: 0,
            maxUnreadyPercentage: 0,
            newPodScaleUpDelay: "string",
            scaleDownDelayAfterAdd: "string",
            scaleDownDelayAfterDelete: "string",
            scaleDownDelayAfterFailure: "string",
            scaleDownUnneeded: "string",
            scaleDownUnready: "string",
            scaleDownUtilizationThreshold: "string",
            scanInterval: "string",
            skipNodesWithLocalStorage: false,
            skipNodesWithSystemPods: false,
        },
        automaticChannelUpgrade: "string",
        // NOTE(review): per the provider docs the groups in adminGroupObjectIds receive the
        // admin role on the cluster; keep that list short and reviewed.
        azureActiveDirectoryRoleBasedAccessControl: {
            adminGroupObjectIds: ["string"],
            azureRbacEnabled: false,
            tenantId: "string",
        },
        azurePolicyEnabled: false,
        confidentialComputing: {
            sgxQuoteHelperEnabled: false,
        },
        customCaTrustCertificatesBase64s: ["string"],
        diskEncryptionSetId: "string",
        dnsPrefix: "string",
        dnsPrefixPrivateCluster: "string",
        edgeZone: "string",
        httpApplicationRoutingEnabled: false,
        httpProxyConfig: {
            httpProxy: "string",
            httpsProxy: "string",
            noProxies: ["string"],
            trustedCa: "string",
        },
        identity: {
            type: "string",
            identityIds: ["string"],
            principalId: "string",
            tenantId: "string",
        },
        imageCleanerEnabled: false,
        imageCleanerIntervalHours: 0,
        ingressApplicationGateway: {
            effectiveGatewayId: "string",
            gatewayId: "string",
            gatewayName: "string",
            ingressApplicationGatewayIdentities: [{
                clientId: "string",
                objectId: "string",
                userAssignedIdentityId: "string",
            }],
            subnetCidr: "string",
            subnetId: "string",
        },
        keyManagementService: {
            keyVaultKeyId: "string",
            keyVaultNetworkAccess: "string",
        },
        keyVaultSecretsProvider: {
            secretIdentities: [{
                clientId: "string",
                objectId: "string",
                userAssignedIdentityId: "string",
            }],
            secretRotationEnabled: false,
            secretRotationInterval: "string",
        },
        kubeletIdentity: {
            clientId: "string",
            objectId: "string",
            userAssignedIdentityId: "string",
        },
        kubernetesVersion: "string",
        linuxProfile: {
            adminUsername: "string",
            sshKey: {
                // keyData takes the SSH public key for adminUsername; private key material
                // never belongs here.
                keyData: "string",
            },
        },
        // NOTE(review): true turns off the cluster's local accounts so access goes through
        // Entra ID; the provider docs tie this to the AAD RBAC block above - confirm
        // before enabling.
        localAccountDisabled: false,
        location: "string",
        maintenanceWindow: {
            alloweds: [{
                day: "string",
                hours: [0],
            }],
            notAlloweds: [{
                end: "string",
                start: "string",
            }],
        },
        maintenanceWindowAutoUpgrade: {
            duration: 0,
            frequency: "string",
            interval: 0,
            dayOfMonth: 0,
            dayOfWeek: "string",
            notAlloweds: [{
                end: "string",
                start: "string",
            }],
            startDate: "string",
            startTime: "string",
            utcOffset: "string",
            weekIndex: "string",
        },
        maintenanceWindowNodeOs: {
            duration: 0,
            frequency: "string",
            interval: 0,
            dayOfMonth: 0,
            dayOfWeek: "string",
            notAlloweds: [{
                end: "string",
                start: "string",
            }],
            startDate: "string",
            startTime: "string",
            utcOffset: "string",
            weekIndex: "string",
        },
        microsoftDefender: {
            logAnalyticsWorkspaceId: "string",
        },
        monitorMetrics: {
            annotationsAllowed: "string",
            labelsAllowed: "string",
        },
        name: "string",
        networkProfile: {
            networkPlugin: "string",
            loadBalancerProfile: {
                effectiveOutboundIps: ["string"],
                idleTimeoutInMinutes: 0,
                managedOutboundIpCount: 0,
                managedOutboundIpv6Count: 0,
                outboundIpAddressIds: ["string"],
                outboundIpPrefixIds: ["string"],
                outboundPortsAllocated: 0,
            },
            loadBalancerSku: "string",
            networkPluginMode: "string",
            dnsServiceIp: "string",
            networkPolicy: "string",
            natGatewayProfile: {
                effectiveOutboundIps: ["string"],
                idleTimeoutInMinutes: 0,
                managedOutboundIpCount: 0,
            },
            networkMode: "string",
            outboundIpAddressIds: ["string"],
            ipVersions: ["string"],
            ebpfDataPlane: "string",
            outboundIpPrefixIds: ["string"],
            outboundType: "string",
            podCidr: "string",
            podCidrs: ["string"],
            serviceCidr: "string",
            serviceCidrs: ["string"],
        },
        nodeOsChannelUpgrade: "string",
        nodeResourceGroup: "string",
        oidcIssuerEnabled: false,
        omsAgent: {
            logAnalyticsWorkspaceId: "string",
            msiAuthForMonitoringEnabled: false,
            omsAgentIdentities: [{
                clientId: "string",
                objectId: "string",
                userAssignedIdentityId: "string",
            }],
        },
        openServiceMeshEnabled: false,
        // NOTE(review): per the provider docs, true exposes the API server on internal IP
        // addresses only; false leaves a public endpoint.
        privateClusterEnabled: false,
        privateClusterPublicFqdnEnabled: false,
        privateDnsZoneId: "string",
        // NOTE(review): false would switch Kubernetes RBAC off; the provider default is
        // believed to be true - confirm, and omit the property rather than pass false.
        roleBasedAccessControlEnabled: false,
        // NOTE(review): governs the managed "run command" feature, which executes commands in
        // the cluster through the Azure API; leave it off where that path is not needed.
        runCommandEnabled: false,
        serviceMeshProfile: {
            mode: "string",
            externalIngressGatewayEnabled: false,
            internalIngressGatewayEnabled: false,
        },
        servicePrincipal: {
            clientId: "string",
            // clientSecret is a credential: pass a Pulumi secret, e.g.
            // new pulumi.Config().requireSecret("<config-key>"), never a literal in source.
            clientSecret: "string",
        },
        skuTier: "string",
        storageProfile: {
            blobDriverEnabled: false,
            diskDriverEnabled: false,
            diskDriverVersion: "string",
            fileDriverEnabled: false,
            snapshotControllerEnabled: false,
        },
        supportPlan: "string",
        tags: {
            string: "string",
        },
        webAppRouting: {
            dnsZoneId: "string",
            webAppRoutingIdentities: [{
                clientId: "string",
                objectId: "string",
                userAssignedIdentityId: "string",
            }],
        },
        windowsProfile: {
            adminUsername: "string",
            // adminPassword is a credential: pass a Pulumi secret, e.g.
            // new pulumi.Config().requireSecret("<config-key>"), never a literal in source.
            adminPassword: "string",
            gmsa: {
                dnsServer: "string",
                rootDomain: "string",
            },
            license: "string",
        },
        workloadAutoscalerProfile: {
            kedaEnabled: false,
            verticalPodAutoscalerControlledValues: "string",
            verticalPodAutoscalerEnabled: false,
            verticalPodAutoscalerUpdateMode: "string",
        },
        workloadIdentityEnabled: false,
    });
    
    # Argument skeleton for azure:containerservice:KubernetesCluster. Every value
    # below ("string", false, 0) is a type placeholder, not a default and not a
    # recommended setting.
    type: azure:containerservice:KubernetesCluster
    properties:
        aciConnectorLinux:
            connectorIdentities:
                - clientId: string
                  objectId: string
                  userAssignedIdentityId: string
            subnetName: string
        # The page names this block, together with privateClusterEnabled, as the way
        # to control public and private exposure of the cluster.
        apiServerAccessProfile:
            # Replaces the deprecated top-level apiServerAuthorizedIpRanges property.
            authorizedIpRanges:
                - string
            subnetId: string
            vnetIntegrationEnabled: false
        autoScalerProfile:
            balanceSimilarNodeGroups: false
            emptyBulkDeleteMax: string
            expander: string
            maxGracefulTerminationSec: string
            maxNodeProvisioningTime: string
            maxUnreadyNodes: 0
            maxUnreadyPercentage: 0
            newPodScaleUpDelay: string
            scaleDownDelayAfterAdd: string
            scaleDownDelayAfterDelete: string
            scaleDownDelayAfterFailure: string
            scaleDownUnneeded: string
            scaleDownUnready: string
            scaleDownUtilizationThreshold: string
            scanInterval: string
            skipNodesWithLocalStorage: false
            skipNodesWithSystemPods: false
        # Possible values: patch, rapid, node-image, stable. Omitting the field means
        # none, i.e. no automatic Kubernetes version upgrades.
        automaticChannelUpgrade: string
        # NOTE(review): localAccountDisabled: true requires Kubernetes RBAC and
        # AKS-managed Azure AD integration; presumably this is the block that
        # provides the latter - confirm against the block's own documentation.
        azureActiveDirectoryRoleBasedAccessControl:
            adminGroupObjectIds:
                - string
            azureRbacEnabled: false
            tenantId: string
        azurePolicyEnabled: false
        confidentialComputing:
            sgxQuoteHelperEnabled: false
        # Up to 10 base64-encoded CAs, added to the trust store of nodes that have
        # customCaTrustEnabled set. Each entry widens what those nodes trust, so
        # review additions; removing the list once set forces a new resource.
        customCaTrustCertificatesBase64s:
            - string
        # default_node_pool block. The false / 0 / string values are type
        # placeholders only; they are not the provider defaults.
        defaultNodePool:
            capacityReservationGroupId: string
            # Nodes with this enabled receive the CAs listed in the cluster-level
            # customCaTrustCertificatesBase64s property.
            customCaTrustEnabled: false
            enableAutoScaling: false
            # NOTE(review): host encryption, node public IPs and FIPS are
            # security-relevant switches whose semantics are not described in this
            # part of the page; decide each explicitly rather than copying the
            # placeholder - confirm against the default_node_pool property docs.
            enableHostEncryption: false
            enableNodePublicIp: false
            fipsEnabled: false
            gpuInstance: string
            hostGroupId: string
            kubeletConfig:
                # NOTE(review): by its name this widens the set of sysctls pods may
                # change; keep the list as short as the workload allows - confirm
                # against the kubelet_config docs.
                allowedUnsafeSysctls:
                    - string
                containerLogMaxLine: 0
                containerLogMaxSizeMb: 0
                cpuCfsQuotaEnabled: false
                cpuCfsQuotaPeriod: string
                cpuManagerPolicy: string
                imageGcHighThreshold: 0
                imageGcLowThreshold: 0
                podMaxPid: 0
                topologyManagerPolicy: string
            kubeletDiskType: string
            linuxOsConfig:
                swapFileSizeMb: 0
                sysctlConfig:
                    fsAioMaxNr: 0
                    fsFileMax: 0
                    fsInotifyMaxUserWatches: 0
                    fsNrOpen: 0
                    kernelThreadsMax: 0
                    netCoreNetdevMaxBacklog: 0
                    netCoreOptmemMax: 0
                    netCoreRmemDefault: 0
                    netCoreRmemMax: 0
                    netCoreSomaxconn: 0
                    netCoreWmemDefault: 0
                    netCoreWmemMax: 0
                    netIpv4IpLocalPortRangeMax: 0
                    netIpv4IpLocalPortRangeMin: 0
                    netIpv4NeighDefaultGcThresh1: 0
                    netIpv4NeighDefaultGcThresh2: 0
                    netIpv4NeighDefaultGcThresh3: 0
                    netIpv4TcpFinTimeout: 0
                    netIpv4TcpKeepaliveIntvl: 0
                    netIpv4TcpKeepaliveProbes: 0
                    netIpv4TcpKeepaliveTime: 0
                    netIpv4TcpMaxSynBacklog: 0
                    netIpv4TcpMaxTwBuckets: 0
                    netIpv4TcpTwReuse: false
                    netNetfilterNfConntrackBuckets: 0
                    netNetfilterNfConntrackMax: 0
                    vmMaxMapCount: 0
                    vmSwappiness: 0
                    vmVfsCachePressure: 0
                transparentHugePageDefrag: string
                transparentHugePageEnabled: string
            maxCount: 0
            maxPods: 0
            messageOfTheDay: string
            minCount: 0
            name: string
            nodeCount: 0
            nodeLabels:
                string: string
            nodeNetworkProfile:
                # NOTE(review): presumably opens these host port ranges on the
                # nodes; list only what is needed - confirm against the
                # node_network_profile docs.
                allowedHostPorts:
                    - portEnd: 0
                      portStart: 0
                      protocol: string
                applicationSecurityGroupIds:
                    - string
                nodePublicIpTags:
                    string: string
            nodePublicIpPrefixId: string
            onlyCriticalAddonsEnabled: false
            orchestratorVersion: string
            osDiskSizeGb: 0
            osDiskType: string
            osSku: string
            podSubnetId: string
            proximityPlacementGroupId: string
            scaleDownMode: string
            snapshotId: string
            tags:
                string: string
            temporaryNameForRotation: string
            type: string
            ultraSsdEnabled: false
            upgradeSettings:
                maxSurge: string
            vmSize: string
            vnetSubnetId: string
            workloadRuntime: string
            zones:
                - string
        # ID of the Disk Encryption Set used for the Nodes and Volumes; changing it
        # forces a new resource.
        diskEncryptionSetId: string
        # Exactly which of dnsPrefix / dnsPrefixPrivateCluster applies depends on the
        # cluster type; the page requires that one of the two is defined.
        dnsPrefix: string
        dnsPrefixPrivateCluster: string
        edgeZone: string
        # Not supported in Azure China or Azure US Government at the time the page
        # was written.
        httpApplicationRoutingEnabled: false
        httpProxyConfig:
            httpProxy: string
            httpsProxy: string
            noProxies:
                - string
            trustedCa: string
        # One of identity or servicePrincipal must be specified. After migrating from
        # servicePrincipal to identity, kubelets keep using the service principal
        # until the Node Pool is upgraded.
        identity:
            identityIds:
                - string
            principalId: string
            tenantId: string
            type: string
        imageCleanerEnabled: false
        # Interval in hours between image clean-ups; the documented default is 48.
        imageCleanerIntervalHours: 0
        ingressApplicationGateway:
            effectiveGatewayId: string
            gatewayId: string
            gatewayName: string
            ingressApplicationGatewayIdentities:
                - clientId: string
                  objectId: string
                  userAssignedIdentityId: string
            subnetCidr: string
            subnetId: string
        # Key Management Service (KMS) etcd encryption for the cluster.
        keyManagementService:
            keyVaultKeyId: string
            keyVaultNetworkAccess: string
        # Azure Key Vault Secrets Provider for AKS.
        keyVaultSecretsProvider:
            secretIdentities:
                - clientId: string
                  objectId: string
                  userAssignedIdentityId: string
            secretRotationEnabled: false
            secretRotationInterval: string
        kubeletIdentity:
            clientId: string
            objectId: string
            userAssignedIdentityId: string
        # If omitted, the latest recommended version is used at provisioning time
        # and is not auto-upgraded afterwards.
        kubernetesVersion: string
        linuxProfile:
            adminUsername: string
            sshKey:
                # NOTE(review): presumably the SSH public key for adminUsername;
                # private key material never belongs here - confirm against the
                # linux_profile docs.
                keyData: string
        # true disables local accounts; that setting requires Kubernetes RBAC and
        # AKS-managed Azure AD integration to be enabled.
        localAccountDisabled: false
        location: string
        maintenanceWindow:
            alloweds:
                - day: string
                  hours:
                    - 0
            notAlloweds:
                - end: string
                  start: string
        maintenanceWindowAutoUpgrade:
            dayOfMonth: 0
            dayOfWeek: string
            duration: 0
            frequency: string
            interval: 0
            notAlloweds:
                - end: string
                  start: string
            startDate: string
            startTime: string
            utcOffset: string
            weekIndex: string
        maintenanceWindowNodeOs:
            dayOfMonth: 0
            dayOfWeek: string
            duration: 0
            frequency: string
            interval: 0
            notAlloweds:
                - end: string
                  start: string
            startDate: string
            startTime: string
            utcOffset: string
            weekIndex: string
        microsoftDefender:
            logAnalyticsWorkspaceId: string
        # Prometheus add-on profile; required when deploying Managed Prometheus.
        monitorMetrics:
            annotationsAllowed: string
            labelsAllowed: string
        name: string
        # If this block is not defined, the kubenet profile is used by default.
        # Changing it forces a new resource.
        networkProfile:
            dnsServiceIp: string
            ebpfDataPlane: string
            ipVersions:
                - string
            loadBalancerProfile:
                effectiveOutboundIps:
                    - string
                idleTimeoutInMinutes: 0
                managedOutboundIpCount: 0
                managedOutboundIpv6Count: 0
                outboundIpAddressIds:
                    - string
                outboundIpPrefixIds:
                    - string
                outboundPortsAllocated: 0
            loadBalancerSku: string
            natGatewayProfile:
                effectiveOutboundIps:
                    - string
                idleTimeoutInMinutes: 0
                managedOutboundIpCount: 0
            networkMode: string
            networkPlugin: string
            networkPluginMode: string
            networkPolicy: string
            outboundIpAddressIds:
                - string
            outboundIpPrefixIds:
                - string
            outboundType: string
            podCidr: string
            podCidrs:
                - string
            serviceCidr: string
            serviceCidrs:
                - string
        # Possible values: Unmanaged, SecurityPatch, NodeImage, None. Must be
        # NodeImage when automaticChannelUpgrade is node-image.
        nodeOsChannelUpgrade: string
        nodeResourceGroup: string
        # Must be true before workloadIdentityEnabled can be enabled.
        oidcIssuerEnabled: false
        omsAgent:
            logAnalyticsWorkspaceId: string
            msiAuthForMonitoringEnabled: false
            omsAgentIdentities:
                - clientId: string
                  objectId: string
                  userAssignedIdentityId: string
        openServiceMeshEnabled: false
        # true exposes the API server only on internal IP addresses of the cluster's
        # Virtual Network. The documented default is false, and changing the value
        # forces a new resource, so decide it before the first deployment.
        privateClusterEnabled: false
        # Adds a Public FQDN for a Private Cluster; documented default is false.
        privateClusterPublicFqdnEnabled: false
        # A Private DNS Zone ID, System (AKS manages the zone) or None (you must
        # bring your own DNS server and resolution).
        privateDnsZoneId: string
        resourceGroupName: string
        # Documented default is true; the false shown here is only the placeholder.
        # Changing the value forces a new resource.
        roleBasedAccessControlEnabled: false
        # Documented default is true, so run command stays available unless this is
        # set to false explicitly.
        runCommandEnabled: false
        serviceMeshProfile:
            externalIngressGatewayEnabled: false
            internalIngressGatewayEnabled: false
            mode: string
        # One of identity or servicePrincipal must be specified; the page describes
        # a supported migration from servicePrincipal to identity.
        servicePrincipal:
            clientId: string
            # Credential: supply it from encrypted stack configuration
            # (`pulumi config set --secret`) rather than as a literal in the program.
            clientSecret: string
        # Possible values: Free, Standard (includes the Uptime SLA), Premium.
        skuTier: string
        storageProfile:
            blobDriverEnabled: false
            diskDriverEnabled: false
            diskDriverVersion: string
            fileDriverEnabled: false
            snapshotControllerEnabled: false
        supportPlan: string
        tags:
            string: string
        webAppRouting:
            dnsZoneId: string
            webAppRoutingIdentities:
                - clientId: string
                  objectId: string
                  userAssignedIdentityId: string
        windowsProfile:
            # Credential: supply it from encrypted stack configuration
            # (`pulumi config set --secret`) rather than as a literal in the program.
            adminPassword: string
            adminUsername: string
            gmsa:
                dnsServer: string
                rootDomain: string
            license: string
        workloadAutoscalerProfile:
            kedaEnabled: false
            verticalPodAutoscalerControlledValues: string
            verticalPodAutoscalerEnabled: false
            verticalPodAutoscalerUpdateMode: string
        # Documented default is false; enabling it requires oidcIssuerEnabled: true
        # and allocates Workload Identity resources in the kube-system namespace.
        workloadIdentityEnabled: false
    

    KubernetesCluster Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The KubernetesCluster resource accepts the following input properties:

    DefaultNodePool KubernetesClusterDefaultNodePool
    A default_node_pool block as defined below.
    ResourceGroupName string
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    AciConnectorLinux KubernetesClusterAciConnectorLinux
    An aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    ApiServerAccessProfile KubernetesClusterApiServerAccessProfile
    An api_server_access_profile block as defined below.
    ApiServerAuthorizedIpRanges List<string>

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    AutoScalerProfile KubernetesClusterAutoScalerProfile
    An auto_scaler_profile block as defined below.
    AutomaticChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    AzureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl
    An azure_active_directory_role_based_access_control block as defined below.
    AzurePolicyEnabled bool
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    ConfidentialComputing KubernetesClusterConfidentialComputing
    A confidential_computing block as defined below. For more details, please see the documentation.
    CustomCaTrustCertificatesBase64s List<string>

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    DiskEncryptionSetId string
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    DnsPrefix string
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    DnsPrefixPrivateCluster string

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    EdgeZone string
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    EnablePodSecurityPolicy bool

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    HttpApplicationRoutingEnabled bool

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    HttpProxyConfig KubernetesClusterHttpProxyConfig
    A http_proxy_config block as defined below.
    Identity KubernetesClusterIdentity

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    ImageCleanerEnabled bool
    Specifies whether Image Cleaner is enabled.
    ImageCleanerIntervalHours int
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    IngressApplicationGateway KubernetesClusterIngressApplicationGateway

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    KeyManagementService KubernetesClusterKeyManagementService
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    KeyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    KubeletIdentity KubernetesClusterKubeletIdentity
    A kubelet_identity block as defined below.
    KubernetesVersion string

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, and the minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    LinuxProfile KubernetesClusterLinuxProfile
    A linux_profile block as defined below.
    LocalAccountDisabled bool

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    Location string
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    MaintenanceWindow KubernetesClusterMaintenanceWindow
    A maintenance_window block as defined below.
    MaintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgrade
    A maintenance_window_auto_upgrade block as defined below.
    MaintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOs
    A maintenance_window_node_os block as defined below.
    MicrosoftDefender KubernetesClusterMicrosoftDefender
    A microsoft_defender block as defined below.
    MonitorMetrics KubernetesClusterMonitorMetrics

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    Name string
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    NetworkProfile KubernetesClusterNetworkProfile

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    NodeOsChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NodeResourceGroup string

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    OidcIssuerEnabled bool
    Enable or Disable the OIDC issuer URL
    OmsAgent KubernetesClusterOmsAgent
    A oms_agent block as defined below.
    OpenServiceMeshEnabled bool
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    PrivateClusterEnabled bool
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    PrivateClusterPublicFqdnEnabled bool

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) that has the Private DNS Zone Contributor role and access to this Private DNS Zone. If a User Assigned Identity is used, the cluster should explicitly depend on the role assignment so that the resources are not destroyed in the wrong order, as in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

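    // Private AKS cluster that uses a bring-your-own Private DNS Zone.
    // The zone, a user-assigned identity, and the role assignment that lets the
    // identity manage the zone are created first; the cluster is created last.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });
    // The role is scoped to this one zone, so the identity gets no rights on the
    // rest of the resource group.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // The rest of the cluster configuration is not shown in this example:
        // defaultNodePool is still needed, as is an identity (or servicePrincipal)
        // block - here, one that attaches exampleUserAssignedIdentity.
    }, {
        // No cluster argument references the role assignment, so without this the
        // engine is free to create or destroy the two in either order.
        dependsOn: [exampleAssignment],
    });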

    import pulumi
    import pulumi_azure as azure
    
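    # Private AKS cluster that uses a bring-your-own Private DNS Zone.
    # The zone, a user-assigned identity, and the role assignment that lets the
    # identity manage the zone are created first; the cluster is created last.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to this one zone, so the identity gets no rights on the
    # rest of the resource group.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # The rest of the cluster configuration is not shown in this example:
    # default_node_pool is still needed, as is an identity (or service_principal)
    # block - here, one that attaches example_user_assigned_identity.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # No cluster argument references the role assignment, so without this the
        # engine is free to create or destroy the two in either order.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))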
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
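    // Private AKS cluster that uses a bring-your-own Private DNS Zone.
    // The zone, a user-assigned identity, and the role assignment that lets the
    // identity manage the zone are created first; the cluster is created last.
    return await Deployment.RunAsync(() =>
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });

        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });

        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });

        // The role is scoped to this one zone, so the identity gets no rights on
        // the rest of the resource group.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });

        // The rest of the cluster configuration is not shown in this example:
        // DefaultNodePool is still needed, as is an Identity (or ServicePrincipal)
        // block - here, one that attaches exampleUserAssignedIdentity.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
        }, new CustomResourceOptions
        {
            // No cluster argument references the role assignment, so without this
            // the engine is free to create or destroy the two in either order.
            DependsOn =
            {
                exampleAssignment,
            },
        });

    });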
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
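    // main provisions a private AKS cluster that uses a bring-your-own Private DNS
    // Zone. The zone, a user-assigned identity, and the role assignment that lets
    // the identity manage the zone are created first; the cluster is created last
    // and explicitly depends on the role assignment.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to this one zone, so the identity gets no rights
    		// on the rest of the resource group. The result is kept so the cluster
    		// can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// The rest of the cluster configuration is not shown in this example:
    		// DefaultNodePool is still needed, as is an Identity (or
    		// ServicePrincipal) block - here, one that attaches
    		// exampleUserAssignedIdentity.
    		//
    		// No cluster argument references the role assignment, so without
    		// DependsOn the engine is free to create or destroy the two in either
    		// order.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			exampleAssignment,
    		}))
    		return err
    	})
    }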
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
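    /**
     * Provisions a private AKS cluster that uses a bring-your-own Private DNS Zone.
     * The zone, a user-assigned identity, and the role assignment that lets the
     * identity manage the zone are created first; the cluster is created last and
     * explicitly depends on the role assignment.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the resources of the stack.
         *
         * @param ctx the Pulumi deployment context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // The role is scoped to this one zone, so the identity gets no rights
            // on the rest of the resource group.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            // The rest of the cluster configuration is not shown in this example:
            // defaultNodePool is still needed, as is an identity (or
            // servicePrincipal) block - here, one that attaches
            // exampleUserAssignedIdentity.
            //
            // No cluster argument references the role assignment, so without
            // dependsOn the engine is free to create or destroy the two in either
            // order. The options class is fully qualified because the listing's
            // import block does not include it.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(), com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }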
    
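    # Private AKS cluster that uses a bring-your-own Private DNS Zone.
    # The zone, a user-assigned identity, and the role assignment that lets the
    # identity manage the zone are declared first; the cluster explicitly depends
    # on the role assignment.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          # Scoped to this one zone, so the identity gets no rights on the rest of
          # the resource group.
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
          # The rest of the cluster configuration is not shown in this example:
          # defaultNodePool is still needed, as is an identity (or
          # servicePrincipal) block - here, one that attaches
          # exampleUserAssignedIdentity.
        options:
          # No cluster property references the role assignment, so without this
          # the engine is free to create or destroy the two in either order.
          dependsOn:
            - ${exampleAssignment}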
    
    PrivateDnsZoneId string
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    PublicNetworkAccessEnabled bool

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API. For further information please see this issue. For controlling the public and private exposure of a cluster please see the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    RoleBasedAccessControlEnabled bool
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    RunCommandEnabled bool
    Whether to enable run command for the cluster or not. Defaults to true.
    ServiceMeshProfile KubernetesClusterServiceMeshProfile

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    ServicePrincipal KubernetesClusterServicePrincipal

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    SkuTier string

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    StorageProfile KubernetesClusterStorageProfile
    A storage_profile block as defined below.
    SupportPlan string
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    Tags Dictionary<string, string>
    A mapping of tags to assign to the resource.
    WebAppRouting KubernetesClusterWebAppRouting
    A web_app_routing block as defined below.
    WindowsProfile KubernetesClusterWindowsProfile
    A windows_profile block as defined below.
    WorkloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile
    A workload_autoscaler_profile block defined below.
    WorkloadIdentityEnabled bool

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    DefaultNodePool KubernetesClusterDefaultNodePoolArgs
    A default_node_pool block as defined below.
    ResourceGroupName string
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    AciConnectorLinux KubernetesClusterAciConnectorLinuxArgs
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    ApiServerAccessProfile KubernetesClusterApiServerAccessProfileArgs
    An api_server_access_profile block as defined below.
    ApiServerAuthorizedIpRanges []string

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    AutoScalerProfile KubernetesClusterAutoScalerProfileArgs
    A auto_scaler_profile block as defined below.
    AutomaticChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    AzureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs
    A azure_active_directory_role_based_access_control block as defined below.
    AzurePolicyEnabled bool
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    ConfidentialComputing KubernetesClusterConfidentialComputingArgs
    A confidential_computing block as defined below. For more details please see the documentation
    CustomCaTrustCertificatesBase64s []string

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    DiskEncryptionSetId string
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    DnsPrefix string
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    DnsPrefixPrivateCluster string

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    EdgeZone string
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    EnablePodSecurityPolicy bool

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    HttpApplicationRoutingEnabled bool

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    HttpProxyConfig KubernetesClusterHttpProxyConfigArgs
    A http_proxy_config block as defined below.
    Identity KubernetesClusterIdentityArgs

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    ImageCleanerEnabled bool
    Specifies whether Image Cleaner is enabled.
    ImageCleanerIntervalHours int
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    IngressApplicationGateway KubernetesClusterIngressApplicationGatewayArgs

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    KeyManagementService KubernetesClusterKeyManagementServiceArgs
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    KeyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProviderArgs
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    KubeletIdentity KubernetesClusterKubeletIdentityArgs
    A kubelet_identity block as defined below.
    KubernetesVersion string

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    LinuxProfile KubernetesClusterLinuxProfileArgs
    A linux_profile block as defined below.
    LocalAccountDisabled bool

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    Location string
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    MaintenanceWindow KubernetesClusterMaintenanceWindowArgs
    A maintenance_window block as defined below.
    MaintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgradeArgs
    A maintenance_window_auto_upgrade block as defined below.
    MaintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOsArgs
    A maintenance_window_node_os block as defined below.
    MicrosoftDefender KubernetesClusterMicrosoftDefenderArgs
    A microsoft_defender block as defined below.
    MonitorMetrics KubernetesClusterMonitorMetricsArgs

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    Name string
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    NetworkProfile KubernetesClusterNetworkProfileArgs

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    NodeOsChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NodeResourceGroup string

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    OidcIssuerEnabled bool
    Enable or Disable the OIDC issuer URL
    OmsAgent KubernetesClusterOmsAgentArgs
    A oms_agent block as defined below.
    OpenServiceMeshEnabled bool
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    PrivateClusterEnabled bool
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    PrivateClusterPublicFqdnEnabled bool

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use a BYO (bring-your-own) DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) that has the Private DNS Zone Contributor role and access to this Private DNS Zone. If a UserAssigned identity is used, the cluster should depend on the role assignment so that the resources are not destroyed in the wrong order, like in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

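    // Resource group that holds every resource in this example.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });

    // Bring-your-own Private DNS Zone that the private cluster is delegated.
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });

    // User Assigned Identity that the cluster runs as.
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });

    // The role is scoped to the single zone rather than to the resource group,
    // so the identity can manage records in this zone only.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });

    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        defaultNodePool: {
            name: "default",
            nodeCount: 1,
            vmSize: "Standard_D2_v2",
        },
        // Run the cluster as the identity that was granted the role above.
        identity: {
            type: "UserAssigned",
            identityIds: [exampleUserAssignedIdentity.id],
        },
    }, {
        // None of the cluster's arguments reference the role assignment, so the
        // ordering has to be declared explicitly: the assignment is created
        // before the cluster and removed only after the cluster is gone.
        dependsOn: [exampleAssignment],
    });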

    import pulumi
    import pulumi_azure as azure
    
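    # Resource group that holds every resource in this example.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    # Bring-your-own Private DNS Zone that the private cluster is delegated.
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    # User Assigned Identity that the cluster runs as.
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the single zone rather than to the resource group,
    # so the identity can manage records in this zone only.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        default_node_pool=azure.containerservice.KubernetesClusterDefaultNodePoolArgs(
            name="default",
            node_count=1,
            vm_size="Standard_D2_v2",
        ),
        # Run the cluster as the identity that was granted the role above.
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="UserAssigned",
            identity_ids=[example_user_assigned_identity.id],
        ),
        # None of the cluster's arguments reference the role assignment, so the
        # ordering has to be declared explicitly: the assignment is created
        # before the cluster and removed only after the cluster is gone.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))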
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
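    return await Deployment.RunAsync(() => 
    {
        // Resource group that holds every resource in this example.
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });
    
        // Bring-your-own Private DNS Zone that the private cluster is delegated.
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });
    
        // User Assigned Identity that the cluster runs as.
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });
    
        // The role is scoped to the single zone rather than to the resource group,
        // so the identity can manage records in this zone only.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });
    
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
            DefaultNodePool = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolArgs
            {
                Name = "default",
                NodeCount = 1,
                VmSize = "Standard_D2_v2",
            },
            // Run the cluster as the identity that was granted the role above.
            Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
            {
                Type = "UserAssigned",
                IdentityIds = new[]
                {
                    exampleUserAssignedIdentity.Id,
                },
            },
        }, new CustomResourceOptions
        {
            // None of the cluster's arguments reference the role assignment, so the
            // ordering has to be declared explicitly: the assignment is created
            // before the cluster and removed only after the cluster is gone.
            DependsOn =
            {
                exampleAssignment,
            },
        });
    
    });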
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
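    // main provisions a private AKS cluster that uses a bring-your-own Private
    // DNS Zone and runs as a User Assigned Identity holding the
    // "Private DNS Zone Contributor" role on that zone.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the single zone rather than to the resource
    		// group, so the identity can manage records in this zone only. The
    		// resource is kept in a variable because the cluster depends on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    			DefaultNodePool: &containerservice.KubernetesClusterDefaultNodePoolArgs{
    				Name:      pulumi.String("default"),
    				NodeCount: pulumi.Int(1),
    				VmSize:    pulumi.String("Standard_D2_v2"),
    			},
    			// Run the cluster as the identity that was granted the role above.
    			Identity: &containerservice.KubernetesClusterIdentityArgs{
    				Type: pulumi.String("UserAssigned"),
    				IdentityIds: pulumi.StringArray{
    					exampleUserAssignedIdentity.ID(),
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			// None of the cluster's arguments reference the role assignment,
    			// so the ordering has to be declared explicitly: the assignment
    			// is created before the cluster and removed only after it.
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }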
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
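    /**
     * Provisions a private AKS cluster that uses a bring-your-own Private DNS Zone
     * and runs as a User Assigned Identity holding the
     * "Private DNS Zone Contributor" role on that zone.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the resources of the stack.
         *
         * @param ctx the Pulumi program context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());
    
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());
    
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());
    
            // The role is scoped to the single zone rather than to the resource
            // group, so the identity can manage records in this zone only.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());
    
            // Fully-qualified names are used for the types below so that this
            // example needs no additional import lines.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .defaultNodePool(com.pulumi.azure.containerservice.inputs.KubernetesClusterDefaultNodePoolArgs.builder()
                    .name("default")
                    .nodeCount(1)
                    .vmSize("Standard_D2_v2")
                    .build())
                // Run the cluster as the identity that was granted the role above.
                .identity(com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs.builder()
                    .type("UserAssigned")
                    .identityIds(exampleUserAssignedIdentity.id().applyValue(id -> List.of(id)))
                    .build())
                .build(),
                // None of the cluster's arguments reference the role assignment,
                // so the ordering has to be declared explicitly: the assignment
                // is created before the cluster and removed only after it.
                com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());
    
        }
    }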
    
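    resources:
      # Resource group that holds every resource in this example.
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      # Bring-your-own Private DNS Zone that the private cluster is delegated.
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      # User Assigned Identity that the cluster runs as.
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the single zone rather than to the resource group,
      # so the identity can manage records in this zone only.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
          defaultNodePool:
            name: default
            nodeCount: 1
            vmSize: Standard_D2_v2
          # Run the cluster as the identity that was granted the role above.
          identity:
            type: UserAssigned
            identityIds:
              - ${exampleUserAssignedIdentity.id}
        # None of the cluster's properties reference the role assignment, so the
        # ordering has to be declared explicitly: the assignment is created
        # before the cluster and removed only after the cluster is gone.
        options:
          dependsOn:
            - ${exampleAssignment}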
    
    PrivateDnsZoneId string
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    PublicNetworkAccessEnabled bool

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API. For further information please see this issue. For controlling the public and private exposure of a cluster please see the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    RoleBasedAccessControlEnabled bool
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    RunCommandEnabled bool
    Whether to enable run command for the cluster or not. Defaults to true.
    ServiceMeshProfile KubernetesClusterServiceMeshProfileArgs

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    ServicePrincipal KubernetesClusterServicePrincipalArgs

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    SkuTier string

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    StorageProfile KubernetesClusterStorageProfileArgs
    A storage_profile block as defined below.
    SupportPlan string
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    Tags map[string]string
    A mapping of tags to assign to the resource.
    WebAppRouting KubernetesClusterWebAppRoutingArgs
    A web_app_routing block as defined below.
    WindowsProfile KubernetesClusterWindowsProfileArgs
    A windows_profile block as defined below.
    WorkloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfileArgs
    A workload_autoscaler_profile block defined below.
    WorkloadIdentityEnabled bool

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    defaultNodePool KubernetesClusterDefaultNodePool
    A default_node_pool block as defined below.
    resourceGroupName String
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    aciConnectorLinux KubernetesClusterAciConnectorLinux
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    apiServerAccessProfile KubernetesClusterApiServerAccessProfile
    An api_server_access_profile block as defined below.
    apiServerAuthorizedIpRanges List<String>

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    autoScalerProfile KubernetesClusterAutoScalerProfile
    A auto_scaler_profile block as defined below.
    automaticChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl
    A azure_active_directory_role_based_access_control block as defined below.
    azurePolicyEnabled Boolean
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidentialComputing KubernetesClusterConfidentialComputing
    A confidential_computing block as defined below. For more details please see the documentation
    customCaTrustCertificatesBase64s List<String>

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    diskEncryptionSetId String
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dnsPrefix String
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dnsPrefixPrivateCluster String

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edgeZone String
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enablePodSecurityPolicy Boolean

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    httpApplicationRoutingEnabled Boolean

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    httpProxyConfig KubernetesClusterHttpProxyConfig
    A http_proxy_config block as defined below.
    identity KubernetesClusterIdentity

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    imageCleanerEnabled Boolean
    Specifies whether Image Cleaner is enabled.
    imageCleanerIntervalHours Integer
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingressApplicationGateway KubernetesClusterIngressApplicationGateway

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    keyManagementService KubernetesClusterKeyManagementService
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    keyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubeletIdentity KubernetesClusterKubeletIdentity
    A kubelet_identity block as defined below.
    kubernetesVersion String

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linuxProfile KubernetesClusterLinuxProfile
    A linux_profile block as defined below.
    localAccountDisabled Boolean

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location String
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenanceWindow KubernetesClusterMaintenanceWindow
    A maintenance_window block as defined below.
    maintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgrade
    A maintenance_window_auto_upgrade block as defined below.
    maintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOs
    A maintenance_window_node_os block as defined below.
    microsoftDefender KubernetesClusterMicrosoftDefender
    A microsoft_defender block as defined below.
    monitorMetrics KubernetesClusterMonitorMetrics

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name String
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    networkProfile KubernetesClusterNetworkProfile

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    nodeOsChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    nodeResourceGroup String

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    oidcIssuerEnabled Boolean
    Enable or Disable the OIDC issuer URL
    omsAgent KubernetesClusterOmsAgent
    A oms_agent block as defined below.
    openServiceMeshEnabled Boolean
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    privateClusterEnabled Boolean
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    privateClusterPublicFqdnEnabled Boolean

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use a BYO (bring-your-own) DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If a UserAssigned identity is used, the cluster should depend on the role assignment so that the resources are not destroyed in the wrong order, as in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

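    // Private AKS cluster with a bring-your-own private DNS zone. The cluster
    // runs as a user-assigned identity that holds "Private DNS Zone Contributor"
    // on the zone, and it explicitly depends on that role assignment.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });
    // The role is scoped to the zone itself rather than to the whole resource group.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        // The API server is only exposed on internal IP addresses.
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // Required input; values taken from the basic example on this page.
        defaultNodePool: {
            name: "default",
            nodeCount: 1,
            vmSize: "Standard_D2_v2",
        },
        // Run the cluster as the identity that was granted access to the zone.
        identity: {
            type: "UserAssigned",
            identityIds: [exampleUserAssignedIdentity.id],
        },
    }, {
        // Nothing in the arguments references the role assignment, so the ordering
        // has to be stated: create the cluster after it, destroy the cluster before it.
        dependsOn: [exampleAssignment],
    });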

    import pulumi
    import pulumi_azure as azure
    
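    # Private AKS cluster with a bring-your-own private DNS zone. The cluster
    # runs as a user-assigned identity that holds "Private DNS Zone Contributor"
    # on the zone, and it explicitly depends on that role assignment.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the zone itself rather than to the whole resource group.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        # The API server is only exposed on internal IP addresses.
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # Required input; values taken from the basic example on this page.
        default_node_pool=azure.containerservice.KubernetesClusterDefaultNodePoolArgs(
            name="default",
            node_count=1,
            vm_size="Standard_D2_v2",
        ),
        # Run the cluster as the identity that was granted access to the zone.
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="UserAssigned",
            identity_ids=[example_user_assigned_identity.id],
        ),
        # Nothing in the arguments references the role assignment, so the ordering
        # has to be stated: create the cluster after it, destroy the cluster before it.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))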
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
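    // Private AKS cluster with a bring-your-own private DNS zone. The cluster
    // runs as a user-assigned identity that holds "Private DNS Zone Contributor"
    // on the zone, and it explicitly depends on that role assignment.
    return await Deployment.RunAsync(() => 
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });
    
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });
    
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });
    
        // The role is scoped to the zone itself rather than to the whole resource group.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });
    
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            // The API server is only exposed on internal IP addresses.
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
            // Required input; values taken from the basic example on this page.
            DefaultNodePool = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolArgs
            {
                Name = "default",
                NodeCount = 1,
                VmSize = "Standard_D2_v2",
            },
            // Run the cluster as the identity that was granted access to the zone.
            Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
            {
                Type = "UserAssigned",
                IdentityIds = new[]
                {
                    exampleUserAssignedIdentity.Id,
                },
            },
        }, new CustomResourceOptions
        {
            // Nothing in the arguments references the role assignment, so the ordering
            // has to be stated: create the cluster after it, destroy the cluster before it.
            DependsOn =
            {
                exampleAssignment,
            },
        });
    
    });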
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
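    // main declares a private AKS cluster with a bring-your-own private DNS zone.
    // The cluster runs as a user-assigned identity that holds "Private DNS Zone
    // Contributor" on the zone, and it explicitly depends on that role assignment.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the zone itself rather than to the whole resource
    		// group. The assignment is kept in a variable so the cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:              pulumi.String("aksexamplewithprivatednszone1"),
    			Location:          example.Location,
    			ResourceGroupName: example.Name,
    			DnsPrefix:         pulumi.String("aksexamplednsprefix1"),
    			// The API server is only exposed on internal IP addresses.
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    			// Required input; values taken from the basic example on this page.
    			DefaultNodePool: &containerservice.KubernetesClusterDefaultNodePoolArgs{
    				Name:      pulumi.String("default"),
    				NodeCount: pulumi.Int(1),
    				VmSize:    pulumi.String("Standard_D2_v2"),
    			},
    			// Run the cluster as the identity that was granted access to the zone.
    			Identity: &containerservice.KubernetesClusterIdentityArgs{
    				Type: pulumi.String("UserAssigned"),
    				IdentityIds: pulumi.StringArray{
    					exampleUserAssignedIdentity.ID(),
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			// Nothing in the arguments references the role assignment, so the
    			// ordering has to be stated: create after it, destroy before it.
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }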
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
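    /**
     * Private AKS cluster with a bring-your-own private DNS zone. The cluster
     * runs as a user-assigned identity that holds "Private DNS Zone Contributor"
     * on the zone, and it explicitly depends on that role assignment.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /** Declares every resource of the example stack. */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());
    
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());
    
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());
    
            // The role is scoped to the zone itself rather than to the whole resource group.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());
    
            // Fully-qualified names are used for the types this listing does not import.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                // The API server is only exposed on internal IP addresses.
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                // Required input; values taken from the basic example on this page.
                .defaultNodePool(com.pulumi.azure.containerservice.inputs.KubernetesClusterDefaultNodePoolArgs.builder()
                    .name("default")
                    .nodeCount(1)
                    .vmSize("Standard_D2_v2")
                    .build())
                // Run the cluster as the identity that was granted access to the zone.
                .identity(com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs.builder()
                    .type("UserAssigned")
                    .identityIds(exampleUserAssignedIdentity.id().applyValue(id -> List.of(id)))
                    .build())
                .build(),
                // Nothing in the arguments references the role assignment, so the ordering
                // has to be stated: create the cluster after it, destroy the cluster before it.
                com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());
    
        }
    }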
    
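    # Private AKS cluster with a bring-your-own private DNS zone. The cluster
    # runs as a user-assigned identity that holds "Private DNS Zone Contributor"
    # on the zone, and it explicitly depends on that role assignment.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the zone itself rather than to the whole resource group.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          # The API server is only exposed on internal IP addresses.
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
          # Required input; values taken from the basic example on this page.
          defaultNodePool:
            name: default
            nodeCount: 1
            vmSize: Standard_D2_v2
          # Run the cluster as the identity that was granted access to the zone.
          identity:
            type: UserAssigned
            identityIds:
              - ${exampleUserAssignedIdentity.id}
        # Nothing in the properties references the role assignment, so the ordering
        # has to be stated: create the cluster after it, destroy the cluster before it.
        options:
          dependsOn:
            - ${exampleAssignment}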
    
    privateDnsZoneId String
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    publicNetworkAccessEnabled Boolean

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    Warning: public_network_access_enabled is currently not functional and is not passed to the Azure API, so setting it to false does not restrict public access to the cluster. For further information please see this issue. To control the public and private exposure of a cluster, use the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    roleBasedAccessControlEnabled Boolean
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    runCommandEnabled Boolean
    Whether to enable run command for the cluster or not. Defaults to true.
    serviceMeshProfile KubernetesClusterServiceMeshProfile

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    servicePrincipal KubernetesClusterServicePrincipal

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    Warning: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    skuTier String

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storageProfile KubernetesClusterStorageProfile
    A storage_profile block as defined below.
    supportPlan String
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags Map<String,String>
    A mapping of tags to assign to the resource.
    webAppRouting KubernetesClusterWebAppRouting
    A web_app_routing block as defined below.
    windowsProfile KubernetesClusterWindowsProfile
    A windows_profile block as defined below.
    workloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile
    A workload_autoscaler_profile block defined below.
    workloadIdentityEnabled Boolean

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    defaultNodePool KubernetesClusterDefaultNodePool
    A default_node_pool block as defined below.
    resourceGroupName string
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    aciConnectorLinux KubernetesClusterAciConnectorLinux
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    apiServerAccessProfile KubernetesClusterApiServerAccessProfile
    An api_server_access_profile block as defined below.
    apiServerAuthorizedIpRanges string[]

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    autoScalerProfile KubernetesClusterAutoScalerProfile
    A auto_scaler_profile block as defined below.
    automaticChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    Warning: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl
    A azure_active_directory_role_based_access_control block as defined below.
    azurePolicyEnabled boolean
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidentialComputing KubernetesClusterConfidentialComputing
    A confidential_computing block as defined below. For more details please see the documentation
    customCaTrustCertificatesBase64s string[]

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    diskEncryptionSetId string
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dnsPrefix string
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dnsPrefixPrivateCluster string

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edgeZone string
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enablePodSecurityPolicy boolean

    Deprecated: The AKS API removed support for this field on 2020-10-15 and it is no longer possible to configure the Pod Security Policy.

    httpApplicationRoutingEnabled boolean

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    httpProxyConfig KubernetesClusterHttpProxyConfig
    A http_proxy_config block as defined below.
    identity KubernetesClusterIdentity

    An identity block as defined below. One of either identity or service_principal must be specified.

    Warning: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    imageCleanerEnabled boolean
    Specifies whether Image Cleaner is enabled.
    imageCleanerIntervalHours number
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingressApplicationGateway KubernetesClusterIngressApplicationGateway

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    keyManagementService KubernetesClusterKeyManagementService
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    keyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubeletIdentity KubernetesClusterKubeletIdentity
    A kubelet_identity block as defined below.
    kubernetesVersion string

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, and the minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linuxProfile KubernetesClusterLinuxProfile
    A linux_profile block as defined below.
    localAccountDisabled boolean

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location string
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenanceWindow KubernetesClusterMaintenanceWindow
    A maintenance_window block as defined below.
    maintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgrade
    A maintenance_window_auto_upgrade block as defined below.
    maintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOs
    A maintenance_window_node_os block as defined below.
    microsoftDefender KubernetesClusterMicrosoftDefender
    A microsoft_defender block as defined below.
    monitorMetrics KubernetesClusterMonitorMetrics

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name string
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    networkProfile KubernetesClusterNetworkProfile

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    nodeOsChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    nodeResourceGroup string

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    oidcIssuerEnabled boolean
    Enable or Disable the OIDC issuer URL
    omsAgent KubernetesClusterOmsAgent
    A oms_agent block as defined below.
    openServiceMeshEnabled boolean
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    privateClusterEnabled boolean
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    privateClusterPublicFqdnEnabled boolean

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use a BYO (bring-your-own) DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If a UserAssigned identity is used, the cluster should depend on the role assignment so that the resources are not destroyed in the wrong order, as in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

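    // Private AKS cluster with a bring-your-own private DNS zone. The cluster
    // runs as a user-assigned identity that holds "Private DNS Zone Contributor"
    // on the zone, and it explicitly depends on that role assignment.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });
    // The role is scoped to the zone itself rather than to the whole resource group.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        // The API server is only exposed on internal IP addresses.
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // Required input; values taken from the basic example on this page.
        defaultNodePool: {
            name: "default",
            nodeCount: 1,
            vmSize: "Standard_D2_v2",
        },
        // Run the cluster as the identity that was granted access to the zone.
        identity: {
            type: "UserAssigned",
            identityIds: [exampleUserAssignedIdentity.id],
        },
    }, {
        // Nothing in the arguments references the role assignment, so the ordering
        // has to be stated: create the cluster after it, destroy the cluster before it.
        dependsOn: [exampleAssignment],
    });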

    import pulumi
    import pulumi_azure as azure
    
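    # Private AKS cluster with a bring-your-own private DNS zone. The cluster
    # runs as a user-assigned identity that holds "Private DNS Zone Contributor"
    # on the zone, and it explicitly depends on that role assignment.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the zone itself rather than to the whole resource group.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        # The API server is only exposed on internal IP addresses.
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # Required input; values taken from the basic example on this page.
        default_node_pool=azure.containerservice.KubernetesClusterDefaultNodePoolArgs(
            name="default",
            node_count=1,
            vm_size="Standard_D2_v2",
        ),
        # Run the cluster as the identity that was granted access to the zone.
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="UserAssigned",
            identity_ids=[example_user_assigned_identity.id],
        ),
        # Nothing in the arguments references the role assignment, so the ordering
        # has to be stated: create the cluster after it, destroy the cluster before it.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))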
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
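    // Private AKS cluster with a bring-your-own private DNS zone. The cluster
    // runs as a user-assigned identity that holds "Private DNS Zone Contributor"
    // on the zone, and it explicitly depends on that role assignment.
    return await Deployment.RunAsync(() => 
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });
    
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });
    
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });
    
        // The role is scoped to the zone itself rather than to the whole resource group.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });
    
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            // The API server is only exposed on internal IP addresses.
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
            // Required input; values taken from the basic example on this page.
            DefaultNodePool = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolArgs
            {
                Name = "default",
                NodeCount = 1,
                VmSize = "Standard_D2_v2",
            },
            // Run the cluster as the identity that was granted access to the zone.
            Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
            {
                Type = "UserAssigned",
                IdentityIds = new[]
                {
                    exampleUserAssignedIdentity.Id,
                },
            },
        }, new CustomResourceOptions
        {
            // Nothing in the arguments references the role assignment, so the ordering
            // has to be stated: create the cluster after it, destroy the cluster before it.
            DependsOn =
            {
                exampleAssignment,
            },
        });
    
    });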
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
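    // main declares a private AKS cluster with a bring-your-own private DNS zone.
    // The cluster runs as a user-assigned identity that holds "Private DNS Zone
    // Contributor" on the zone, and it explicitly depends on that role assignment.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the zone itself rather than to the whole resource
    		// group. The assignment is kept in a variable so the cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:              pulumi.String("aksexamplewithprivatednszone1"),
    			Location:          example.Location,
    			ResourceGroupName: example.Name,
    			DnsPrefix:         pulumi.String("aksexamplednsprefix1"),
    			// The API server is only exposed on internal IP addresses.
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    			// Required input; values taken from the basic example on this page.
    			DefaultNodePool: &containerservice.KubernetesClusterDefaultNodePoolArgs{
    				Name:      pulumi.String("default"),
    				NodeCount: pulumi.Int(1),
    				VmSize:    pulumi.String("Standard_D2_v2"),
    			},
    			// Run the cluster as the identity that was granted access to the zone.
    			Identity: &containerservice.KubernetesClusterIdentityArgs{
    				Type: pulumi.String("UserAssigned"),
    				IdentityIds: pulumi.StringArray{
    					exampleUserAssignedIdentity.ID(),
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			// Nothing in the arguments references the role assignment, so the
    			// ordering has to be stated: create after it, destroy before it.
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }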
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
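    /**
     * Private AKS cluster with a bring-your-own private DNS zone. The cluster
     * runs as a user-assigned identity that holds "Private DNS Zone Contributor"
     * on the zone, and it explicitly depends on that role assignment.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /** Declares every resource of the example stack. */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());
    
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());
    
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());
    
            // The role is scoped to the zone itself rather than to the whole resource group.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());
    
            // Fully-qualified names are used for the types this listing does not import.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                // The API server is only exposed on internal IP addresses.
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                // Required input; values taken from the basic example on this page.
                .defaultNodePool(com.pulumi.azure.containerservice.inputs.KubernetesClusterDefaultNodePoolArgs.builder()
                    .name("default")
                    .nodeCount(1)
                    .vmSize("Standard_D2_v2")
                    .build())
                // Run the cluster as the identity that was granted access to the zone.
                .identity(com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs.builder()
                    .type("UserAssigned")
                    .identityIds(exampleUserAssignedIdentity.id().applyValue(id -> List.of(id)))
                    .build())
                .build(),
                // Nothing in the arguments references the role assignment, so the ordering
                // has to be stated: create the cluster after it, destroy the cluster before it.
                com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());
    
        }
    }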
    
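    # Private AKS cluster with a bring-your-own private DNS zone. The cluster
    # runs as a user-assigned identity that holds "Private DNS Zone Contributor"
    # on the zone, and it explicitly depends on that role assignment.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the zone itself rather than to the whole resource group.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          # The API server is only exposed on internal IP addresses.
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
          # Required input; values taken from the basic example on this page.
          defaultNodePool:
            name: default
            nodeCount: 1
            vmSize: Standard_D2_v2
          # Run the cluster as the identity that was granted access to the zone.
          identity:
            type: UserAssigned
            identityIds:
              - ${exampleUserAssignedIdentity.id}
        # Nothing in the properties references the role assignment, so the ordering
        # has to be stated: create the cluster after it, destroy the cluster before it.
        options:
          dependsOn:
            - ${exampleAssignment}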
    
    privateDnsZoneId string
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    publicNetworkAccessEnabled boolean

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API, so setting it does not change how the cluster is exposed. For further information please see this issue. To control the public and private exposure of a cluster, use the private_cluster_enabled and api_server_access_profile properties.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    roleBasedAccessControlEnabled boolean
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    runCommandEnabled boolean
    Whether to enable run command for the cluster or not. Defaults to true.
    serviceMeshProfile KubernetesClusterServiceMeshProfile

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    servicePrincipal KubernetesClusterServicePrincipal

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    skuTier string

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storageProfile KubernetesClusterStorageProfile
    A storage_profile block as defined below.
    supportPlan string
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags {[key: string]: string}
    A mapping of tags to assign to the resource.
    webAppRouting KubernetesClusterWebAppRouting
    A web_app_routing block as defined below.
    windowsProfile KubernetesClusterWindowsProfile
    A windows_profile block as defined below.
    workloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile
    A workload_autoscaler_profile block defined below.
    workloadIdentityEnabled boolean

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    default_node_pool KubernetesClusterDefaultNodePoolArgs
    A default_node_pool block as defined below.
    resource_group_name str
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    aci_connector_linux KubernetesClusterAciConnectorLinuxArgs
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    api_server_access_profile KubernetesClusterApiServerAccessProfileArgs
    An api_server_access_profile block as defined below.
    api_server_authorized_ip_ranges Sequence[str]

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    auto_scaler_profile KubernetesClusterAutoScalerProfileArgs
    A auto_scaler_profile block as defined below.
    automatic_channel_upgrade str

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azure_active_directory_role_based_access_control KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs
    A azure_active_directory_role_based_access_control block as defined below.
    azure_policy_enabled bool
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidential_computing KubernetesClusterConfidentialComputingArgs
    A confidential_computing block as defined below. For more details please see the documentation
    custom_ca_trust_certificates_base64s Sequence[str]

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    disk_encryption_set_id str
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dns_prefix str
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dns_prefix_private_cluster str

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edge_zone str
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enable_pod_security_policy bool

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    http_application_routing_enabled bool

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    http_proxy_config KubernetesClusterHttpProxyConfigArgs
    A http_proxy_config block as defined below.
    identity KubernetesClusterIdentityArgs

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    image_cleaner_enabled bool
    Specifies whether Image Cleaner is enabled.
    image_cleaner_interval_hours int
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingress_application_gateway KubernetesClusterIngressApplicationGatewayArgs

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    key_management_service KubernetesClusterKeyManagementServiceArgs
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    key_vault_secrets_provider KubernetesClusterKeyVaultSecretsProviderArgs
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubelet_identity KubernetesClusterKubeletIdentityArgs
    A kubelet_identity block as defined below.
    kubernetes_version str

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as 1.22 are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linux_profile KubernetesClusterLinuxProfileArgs
    A linux_profile block as defined below.
    local_account_disabled bool

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location str
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenance_window KubernetesClusterMaintenanceWindowArgs
    A maintenance_window block as defined below.
    maintenance_window_auto_upgrade KubernetesClusterMaintenanceWindowAutoUpgradeArgs
    A maintenance_window_auto_upgrade block as defined below.
    maintenance_window_node_os KubernetesClusterMaintenanceWindowNodeOsArgs
    A maintenance_window_node_os block as defined below.
    microsoft_defender KubernetesClusterMicrosoftDefenderArgs
    A microsoft_defender block as defined below.
    monitor_metrics KubernetesClusterMonitorMetricsArgs

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name str
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    network_profile KubernetesClusterNetworkProfileArgs

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    node_os_channel_upgrade str

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    node_resource_group str

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    oidc_issuer_enabled bool
    Enable or Disable the OIDC issuer URL
    oms_agent KubernetesClusterOmsAgentArgs
    A oms_agent block as defined below.
    open_service_mesh_enabled bool
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    private_cluster_enabled bool
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    private_cluster_public_fqdn_enabled bool

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you bring your own (BYO) Private DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) that has the Private DNS Zone Contributor role and access to this Private DNS Zone. If a User Assigned Identity is used, the cluster should depend on the role assignment so that the resources are not destroyed in the wrong order, as in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

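    // Private AKS cluster that uses a bring-your-own private DNS zone.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });
    // The role is scoped to the zone itself, not to the whole resource group.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // default_node_pool is a required input; values copied from this page's basic example.
        defaultNodePool: {
            name: "default",
            nodeCount: 1,
            vmSize: "Standard_D2_v2",
        },
        // Attach the identity that holds the role on the zone; one of identity
        // or service_principal must be specified.
        identity: {
            type: "UserAssigned",
            identityIds: [exampleUserAssignedIdentity.id],
        },
    }, {
        // The cluster is created after the role assignment and destroyed before
        // it, so the identity keeps access to the zone while the cluster exists.
        dependsOn: [exampleAssignment],
    });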

    import pulumi
    import pulumi_azure as azure
    
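    # Private AKS cluster that uses a bring-your-own private DNS zone.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the zone itself, not to the whole resource group.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # default_node_pool is a required input; values copied from this page's basic example.
        default_node_pool=azure.containerservice.KubernetesClusterDefaultNodePoolArgs(
            name="default",
            node_count=1,
            vm_size="Standard_D2_v2",
        ),
        # Attach the identity that holds the role on the zone; one of identity
        # or service_principal must be specified.
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="UserAssigned",
            identity_ids=[example_user_assigned_identity.id],
        ),
        # The cluster is created after the role assignment and destroyed before
        # it, so the identity keeps access to the zone while the cluster exists.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))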
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
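    // Private AKS cluster that uses a bring-your-own private DNS zone.
    return await Deployment.RunAsync(() => 
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });
    
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });
    
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });
    
        // The role is scoped to the zone itself, not to the whole resource group.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });
    
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
            // default_node_pool is a required input; values copied from this page's basic example.
            DefaultNodePool = new Azure.ContainerService.Inputs.KubernetesClusterDefaultNodePoolArgs
            {
                Name = "default",
                NodeCount = 1,
                VmSize = "Standard_D2_v2",
            },
            // Attach the identity that holds the role on the zone; one of
            // identity or service_principal must be specified.
            Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
            {
                Type = "UserAssigned",
                IdentityIds = new[]
                {
                    exampleUserAssignedIdentity.Id,
                },
            },
        }, new CustomResourceOptions
        {
            // The cluster is created after the role assignment and destroyed
            // before it, so the identity keeps access to the zone while the
            // cluster exists.
            DependsOn =
            {
                exampleAssignment,
            },
        });
    
    });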
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
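    // main provisions a private AKS cluster that uses a bring-your-own private
    // DNS zone. The cluster runs as a user-assigned identity that holds the
    // "Private DNS Zone Contributor" role on that zone only.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the zone itself, not to the whole resource group.
    		// The assignment is kept in a variable so the cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    			// default_node_pool is a required input; values copied from this page's basic example.
    			DefaultNodePool: &containerservice.KubernetesClusterDefaultNodePoolArgs{
    				Name:      pulumi.String("default"),
    				NodeCount: pulumi.Int(1),
    				VmSize:    pulumi.String("Standard_D2_v2"),
    			},
    			// Attach the identity that holds the role on the zone; one of
    			// identity or service_principal must be specified.
    			Identity: &containerservice.KubernetesClusterIdentityArgs{
    				Type: pulumi.String("UserAssigned"),
    				IdentityIds: pulumi.StringArray{
    					exampleUserAssignedIdentity.ID(),
    				},
    			},
    		}, pulumi.DependsOn([]pulumi.Resource{
    			// The cluster is created after the role assignment and destroyed
    			// before it, so the identity keeps access to the zone while the
    			// cluster exists.
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }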
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import com.pulumi.azure.containerservice.inputs.KubernetesClusterDefaultNodePoolArgs;
    import com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs;
    import com.pulumi.resources.CustomResourceOptions;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
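    /**
     * Provisions a private AKS cluster that uses a bring-your-own private DNS zone.
     * The cluster runs as a user-assigned identity that holds the
     * "Private DNS Zone Contributor" role on that zone only.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the resource group, DNS zone, identity, role assignment and cluster.
         *
         * @param ctx the Pulumi stack context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());
    
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());
    
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());
    
            // The role is scoped to the zone itself, not to the whole resource group.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());
    
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                // default_node_pool is a required input; values copied from this page's basic example.
                .defaultNodePool(KubernetesClusterDefaultNodePoolArgs.builder()
                    .name("default")
                    .nodeCount(1)
                    .vmSize("Standard_D2_v2")
                    .build())
                // Attach the identity that holds the role on the zone; one of
                // identity or service_principal must be specified.
                .identity(KubernetesClusterIdentityArgs.builder()
                    .type("UserAssigned")
                    .identityIds(exampleUserAssignedIdentity.id().applyValue(id -> List.of(id)))
                    .build())
                .build(), CustomResourceOptions.builder()
                    // The cluster is created after the role assignment and destroyed
                    // before it, so the identity keeps access to the zone while the
                    // cluster exists.
                    .dependsOn(exampleAssignment)
                    .build());
    
        }
    }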
    
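    # Private AKS cluster that uses a bring-your-own private DNS zone.
    # The user-assigned identity is granted "Private DNS Zone Contributor" on the
    # zone itself (scope is the zone ID), not on the whole resource group.
    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
          # default_node_pool is a required input; values copied from this
          # page's basic example.
          defaultNodePool:
            name: default
            nodeCount: 1
            vmSize: Standard_D2_v2
          # Attach the identity that holds the role on the zone; one of
          # identity or service_principal must be specified.
          identity:
            type: UserAssigned
            identityIds:
              - ${exampleUserAssignedIdentity.id}
        options:
          # The cluster is created after the role assignment and destroyed
          # before it, so the identity never loses access to the zone while
          # the cluster still exists.
          dependsOn:
            - ${exampleAssignment}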
    
    private_dns_zone_id str
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    public_network_access_enabled bool

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API, so setting it does not change how the cluster is exposed. For further information please see this issue. To control the public and private exposure of a cluster, use the private_cluster_enabled and api_server_access_profile properties.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    role_based_access_control_enabled bool
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    run_command_enabled bool
    Whether to enable run command for the cluster or not. Defaults to true.
    service_mesh_profile KubernetesClusterServiceMeshProfileArgs

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    service_principal KubernetesClusterServicePrincipalArgs

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    sku_tier str

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storage_profile KubernetesClusterStorageProfileArgs
    A storage_profile block as defined below.
    support_plan str
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags Mapping[str, str]
    A mapping of tags to assign to the resource.
    web_app_routing KubernetesClusterWebAppRoutingArgs
    A web_app_routing block as defined below.
    windows_profile KubernetesClusterWindowsProfileArgs
    A windows_profile block as defined below.
    workload_autoscaler_profile KubernetesClusterWorkloadAutoscalerProfileArgs
    A workload_autoscaler_profile block defined below.
    workload_identity_enabled bool

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    defaultNodePool Property Map
    A default_node_pool block as defined below.
    resourceGroupName String
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    aciConnectorLinux Property Map
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    apiServerAccessProfile Property Map
    An api_server_access_profile block as defined below.
    apiServerAuthorizedIpRanges List<String>

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    autoScalerProfile Property Map
    A auto_scaler_profile block as defined below.
    automaticChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azureActiveDirectoryRoleBasedAccessControl Property Map
    A azure_active_directory_role_based_access_control block as defined below.
    azurePolicyEnabled Boolean
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidentialComputing Property Map
    A confidential_computing block as defined below. For more details please see the documentation
    customCaTrustCertificatesBase64s List<String>

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    diskEncryptionSetId String
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dnsPrefix String
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dnsPrefixPrivateCluster String

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edgeZone String
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enablePodSecurityPolicy Boolean

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    httpApplicationRoutingEnabled Boolean

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    httpProxyConfig Property Map
    A http_proxy_config block as defined below.
    identity Property Map

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    imageCleanerEnabled Boolean
    Specifies whether Image Cleaner is enabled.
    imageCleanerIntervalHours Number
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingressApplicationGateway Property Map

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    keyManagementService Property Map
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    keyVaultSecretsProvider Property Map
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubeletIdentity Property Map
    A kubelet_identity block as defined below.
    kubernetesVersion String

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is automatically chosen. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linuxProfile Property Map
    A linux_profile block as defined below.
    localAccountDisabled Boolean

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location String
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenanceWindow Property Map
    A maintenance_window block as defined below.
    maintenanceWindowAutoUpgrade Property Map
    A maintenance_window_auto_upgrade block as defined below.
    maintenanceWindowNodeOs Property Map
    A maintenance_window_node_os block as defined below.
    microsoftDefender Property Map
    A microsoft_defender block as defined below.
    monitorMetrics Property Map

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name String
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    networkProfile Property Map

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    nodeOsChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    nodeResourceGroup String

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    oidcIssuerEnabled Boolean
    Enable or Disable the OIDC issuer URL
    omsAgent Property Map
    A oms_agent block as defined below.
    openServiceMeshEnabled Boolean
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    privateClusterEnabled Boolean
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    privateClusterPublicFqdnEnabled Boolean

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If UserAssigned identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

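    // Resource group that holds the private DNS zone, the identity and the cluster.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });

    // Bring-your-own private DNS zone that the cluster references through privateDnsZoneId.
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });

    // User Assigned Identity that receives the DNS role below.
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });

    // Grant the identity "Private DNS Zone Contributor", scoped to this one zone only.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });

    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // This example omits the rest of the cluster configuration, including defaultNodePool
        // and the identity block (type "UserAssigned") that attaches exampleUserAssignedIdentity.
    }, {
        // None of the cluster's inputs reference the role assignment, so the ordering has to be
        // declared explicitly: the assignment is created before the cluster and destroyed after it.
        dependsOn: [exampleAssignment],
    });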

    import pulumi
    import pulumi_azure as azure
    
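    # Resource group that holds the private DNS zone, the identity and the cluster.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    # Bring-your-own private DNS zone that the cluster references through private_dns_zone_id.
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    # User Assigned Identity that receives the DNS role below.
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # Grant the identity "Private DNS Zone Contributor", scoped to this one zone only.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # This example omits the rest of the cluster configuration, including default_node_pool
    # and the identity block (type "UserAssigned") that attaches example_user_assigned_identity.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # None of the cluster's inputs reference the role assignment, so the ordering has to be
        # declared explicitly: the assignment is created before the cluster and destroyed after it.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))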
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
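    return await Deployment.RunAsync(() => 
    {
        // Resource group that holds the private DNS zone, the identity and the cluster.
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });
    
        // Bring-your-own private DNS zone that the cluster references through PrivateDnsZoneId.
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });
    
        // User Assigned Identity that receives the DNS role below.
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });
    
        // Grant the identity "Private DNS Zone Contributor", scoped to this one zone only.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });
    
        // This example omits the rest of the cluster configuration, including DefaultNodePool
        // and the Identity block (type "UserAssigned") that attaches exampleUserAssignedIdentity.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
        }, new CustomResourceOptions
        {
            // None of the cluster's inputs reference the role assignment, so the ordering has to be
            // declared explicitly: the assignment is created before the cluster and destroyed after it.
            DependsOn =
            {
                exampleAssignment,
            },
        });
    
    });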
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
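    // main provisions a private AKS cluster that uses a bring-your-own private DNS zone,
    // together with the identity and role assignment that zone requires.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Resource group that holds the private DNS zone, the identity and the cluster.
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		// Bring-your-own private DNS zone that the cluster references through PrivateDnsZoneId.
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		// User Assigned Identity that receives the DNS role below.
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// Grant the identity "Private DNS Zone Contributor", scoped to this one zone only.
    		// The result is kept so the cluster can declare a dependency on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// This example omits the rest of the cluster configuration, including DefaultNodePool
    		// and the Identity block (type "UserAssigned") that attaches exampleUserAssignedIdentity.
    		// None of the cluster's inputs reference the role assignment, so the ordering is declared
    		// explicitly: the assignment is created before the cluster and destroyed after it.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }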
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
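    /**
     * Provisions a private AKS cluster that uses a bring-your-own private DNS zone,
     * together with the identity and role assignment that zone requires.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        /**
         * Declares the resources of the stack.
         *
         * @param ctx the Pulumi context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            // Resource group that holds the private DNS zone, the identity and the cluster.
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());
    
            // Bring-your-own private DNS zone that the cluster references through privateDnsZoneId.
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());
    
            // User Assigned Identity that receives the DNS role below.
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());
    
            // Grant the identity "Private DNS Zone Contributor", scoped to this one zone only.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());
    
            // This example omits the rest of the cluster configuration, including defaultNodePool
            // and the identity block (type "UserAssigned") that attaches exampleUserAssignedIdentity.
            // None of the cluster's inputs reference the role assignment, so the ordering is declared
            // explicitly: the assignment is created before the cluster and destroyed after it.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(), com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());
    
        }
    }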
    
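    resources:
      # Resource group that holds the private DNS zone, the identity and the cluster.
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      # Bring-your-own private DNS zone that the cluster references through privateDnsZoneId.
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      # User Assigned Identity that receives the DNS role below.
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # Grant the identity "Private DNS Zone Contributor", scoped to this one zone only.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      # This example omits the rest of the cluster configuration, including defaultNodePool
      # and the identity block (type "UserAssigned") that attaches exampleUserAssignedIdentity.
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
        # None of the cluster's properties reference the role assignment, so the ordering is declared
        # explicitly: the assignment is created before the cluster and destroyed after it.
        options:
          dependsOn:
            - ${exampleAssignment}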
    
    privateDnsZoneId String
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    publicNetworkAccessEnabled Boolean

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API, so setting it to false does not by itself restrict public access to the cluster. For further information please see this issue. To control the public and private exposure of a cluster, use the properties private_cluster_enabled and api_server_access_profile instead.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    roleBasedAccessControlEnabled Boolean
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    runCommandEnabled Boolean
    Whether to enable run command for the cluster or not. Defaults to true.
    serviceMeshProfile Property Map

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    servicePrincipal Property Map

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    skuTier String

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storageProfile Property Map
    A storage_profile block as defined below.
    supportPlan String
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags Map<String>
    A mapping of tags to assign to the resource.
    webAppRouting Property Map
    A web_app_routing block as defined below.
    windowsProfile Property Map
    A windows_profile block as defined below.
    workloadAutoscalerProfile Property Map
    A workload_autoscaler_profile block defined below.
    workloadIdentityEnabled Boolean

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the KubernetesCluster resource produces the following output properties:

    CurrentKubernetesVersion string
    The current version running on the Azure Kubernetes Managed Cluster.
    Fqdn string
    The FQDN of the Azure Kubernetes Managed Cluster.
    HttpApplicationRoutingZoneName string
    The Zone Name of the HTTP Application Routing.
    Id string
    The provider-assigned unique ID for this managed resource.
    KubeAdminConfigRaw string
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    KubeAdminConfigs List<KubernetesClusterKubeAdminConfig>
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    KubeConfigRaw string
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    KubeConfigs List<KubernetesClusterKubeConfig>
    A kube_config block as defined below.
    NodeResourceGroupId string
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    OidcIssuerUrl string
    The OIDC issuer URL that is associated with the cluster.
    PortalFqdn string
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    PrivateFqdn string
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    CurrentKubernetesVersion string
    The current version running on the Azure Kubernetes Managed Cluster.
    Fqdn string
    The FQDN of the Azure Kubernetes Managed Cluster.
    HttpApplicationRoutingZoneName string
    The Zone Name of the HTTP Application Routing.
    Id string
    The provider-assigned unique ID for this managed resource.
    KubeAdminConfigRaw string
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    KubeAdminConfigs []KubernetesClusterKubeAdminConfig
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    KubeConfigRaw string
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    KubeConfigs []KubernetesClusterKubeConfig
    A kube_config block as defined below.
    NodeResourceGroupId string
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    OidcIssuerUrl string
    The OIDC issuer URL that is associated with the cluster.
    PortalFqdn string
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    PrivateFqdn string
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    currentKubernetesVersion String
    The current version running on the Azure Kubernetes Managed Cluster.
    fqdn String
    The FQDN of the Azure Kubernetes Managed Cluster.
    httpApplicationRoutingZoneName String
    The Zone Name of the HTTP Application Routing.
    id String
    The provider-assigned unique ID for this managed resource.
    kubeAdminConfigRaw String
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeAdminConfigs List<KubernetesClusterKubeAdminConfig>
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeConfigRaw String
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    kubeConfigs List<KubernetesClusterKubeConfig>
    A kube_config block as defined below.
    nodeResourceGroupId String
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidcIssuerUrl String
    The OIDC issuer URL that is associated with the cluster.
    portalFqdn String
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    privateFqdn String
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    currentKubernetesVersion string
    The current version running on the Azure Kubernetes Managed Cluster.
    fqdn string
    The FQDN of the Azure Kubernetes Managed Cluster.
    httpApplicationRoutingZoneName string
    The Zone Name of the HTTP Application Routing.
    id string
    The provider-assigned unique ID for this managed resource.
    kubeAdminConfigRaw string
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeAdminConfigs KubernetesClusterKubeAdminConfig[]
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeConfigRaw string
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    kubeConfigs KubernetesClusterKubeConfig[]
    A kube_config block as defined below.
    nodeResourceGroupId string
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidcIssuerUrl string
    The OIDC issuer URL that is associated with the cluster.
    portalFqdn string
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    privateFqdn string
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    current_kubernetes_version str
    The current version running on the Azure Kubernetes Managed Cluster.
    fqdn str
    The FQDN of the Azure Kubernetes Managed Cluster.
    http_application_routing_zone_name str
    The Zone Name of the HTTP Application Routing.
    id str
    The provider-assigned unique ID for this managed resource.
    kube_admin_config_raw str
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kube_admin_configs Sequence[KubernetesClusterKubeAdminConfig]
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kube_config_raw str
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    kube_configs Sequence[KubernetesClusterKubeConfig]
    A kube_config block as defined below.
    node_resource_group_id str
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidc_issuer_url str
    The OIDC issuer URL that is associated with the cluster.
    portal_fqdn str
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    private_fqdn str
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    currentKubernetesVersion String
    The current version running on the Azure Kubernetes Managed Cluster.
    fqdn String
    The FQDN of the Azure Kubernetes Managed Cluster.
    httpApplicationRoutingZoneName String
    The Zone Name of the HTTP Application Routing.
    id String
    The provider-assigned unique ID for this managed resource.
    kubeAdminConfigRaw String
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeAdminConfigs List<Property Map>
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeConfigRaw String
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    kubeConfigs List<Property Map>
    A kube_config block as defined below.
    nodeResourceGroupId String
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidcIssuerUrl String
    The OIDC issuer URL that is associated with the cluster.
    portalFqdn String
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    privateFqdn String
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.

    Look up Existing KubernetesCluster Resource

    Get an existing KubernetesCluster resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: KubernetesClusterState, opts?: CustomResourceOptions): KubernetesCluster
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            aci_connector_linux: Optional[KubernetesClusterAciConnectorLinuxArgs] = None,
            api_server_access_profile: Optional[KubernetesClusterApiServerAccessProfileArgs] = None,
            api_server_authorized_ip_ranges: Optional[Sequence[str]] = None,
            auto_scaler_profile: Optional[KubernetesClusterAutoScalerProfileArgs] = None,
            automatic_channel_upgrade: Optional[str] = None,
            azure_active_directory_role_based_access_control: Optional[KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs] = None,
            azure_policy_enabled: Optional[bool] = None,
            confidential_computing: Optional[KubernetesClusterConfidentialComputingArgs] = None,
            current_kubernetes_version: Optional[str] = None,
            custom_ca_trust_certificates_base64s: Optional[Sequence[str]] = None,
            default_node_pool: Optional[KubernetesClusterDefaultNodePoolArgs] = None,
            disk_encryption_set_id: Optional[str] = None,
            dns_prefix: Optional[str] = None,
            dns_prefix_private_cluster: Optional[str] = None,
            edge_zone: Optional[str] = None,
            enable_pod_security_policy: Optional[bool] = None,
            fqdn: Optional[str] = None,
            http_application_routing_enabled: Optional[bool] = None,
            http_application_routing_zone_name: Optional[str] = None,
            http_proxy_config: Optional[KubernetesClusterHttpProxyConfigArgs] = None,
            identity: Optional[KubernetesClusterIdentityArgs] = None,
            image_cleaner_enabled: Optional[bool] = None,
            image_cleaner_interval_hours: Optional[int] = None,
            ingress_application_gateway: Optional[KubernetesClusterIngressApplicationGatewayArgs] = None,
            key_management_service: Optional[KubernetesClusterKeyManagementServiceArgs] = None,
            key_vault_secrets_provider: Optional[KubernetesClusterKeyVaultSecretsProviderArgs] = None,
            kube_admin_config_raw: Optional[str] = None,
            kube_admin_configs: Optional[Sequence[KubernetesClusterKubeAdminConfigArgs]] = None,
            kube_config_raw: Optional[str] = None,
            kube_configs: Optional[Sequence[KubernetesClusterKubeConfigArgs]] = None,
            kubelet_identity: Optional[KubernetesClusterKubeletIdentityArgs] = None,
            kubernetes_version: Optional[str] = None,
            linux_profile: Optional[KubernetesClusterLinuxProfileArgs] = None,
            local_account_disabled: Optional[bool] = None,
            location: Optional[str] = None,
            maintenance_window: Optional[KubernetesClusterMaintenanceWindowArgs] = None,
            maintenance_window_auto_upgrade: Optional[KubernetesClusterMaintenanceWindowAutoUpgradeArgs] = None,
            maintenance_window_node_os: Optional[KubernetesClusterMaintenanceWindowNodeOsArgs] = None,
            microsoft_defender: Optional[KubernetesClusterMicrosoftDefenderArgs] = None,
            monitor_metrics: Optional[KubernetesClusterMonitorMetricsArgs] = None,
            name: Optional[str] = None,
            network_profile: Optional[KubernetesClusterNetworkProfileArgs] = None,
            node_os_channel_upgrade: Optional[str] = None,
            node_resource_group: Optional[str] = None,
            node_resource_group_id: Optional[str] = None,
            oidc_issuer_enabled: Optional[bool] = None,
            oidc_issuer_url: Optional[str] = None,
            oms_agent: Optional[KubernetesClusterOmsAgentArgs] = None,
            open_service_mesh_enabled: Optional[bool] = None,
            portal_fqdn: Optional[str] = None,
            private_cluster_enabled: Optional[bool] = None,
            private_cluster_public_fqdn_enabled: Optional[bool] = None,
            private_dns_zone_id: Optional[str] = None,
            private_fqdn: Optional[str] = None,
            public_network_access_enabled: Optional[bool] = None,
            resource_group_name: Optional[str] = None,
            role_based_access_control_enabled: Optional[bool] = None,
            run_command_enabled: Optional[bool] = None,
            service_mesh_profile: Optional[KubernetesClusterServiceMeshProfileArgs] = None,
            service_principal: Optional[KubernetesClusterServicePrincipalArgs] = None,
            sku_tier: Optional[str] = None,
            storage_profile: Optional[KubernetesClusterStorageProfileArgs] = None,
            support_plan: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            web_app_routing: Optional[KubernetesClusterWebAppRoutingArgs] = None,
            windows_profile: Optional[KubernetesClusterWindowsProfileArgs] = None,
            workload_autoscaler_profile: Optional[KubernetesClusterWorkloadAutoscalerProfileArgs] = None,
            workload_identity_enabled: Optional[bool] = None) -> KubernetesCluster
    func GetKubernetesCluster(ctx *Context, name string, id IDInput, state *KubernetesClusterState, opts ...ResourceOption) (*KubernetesCluster, error)
    public static KubernetesCluster Get(string name, Input<string> id, KubernetesClusterState? state, CustomResourceOptions? opts = null)
    public static KubernetesCluster get(String name, Output<String> id, KubernetesClusterState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AciConnectorLinux KubernetesClusterAciConnectorLinux
    An aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    ApiServerAccessProfile KubernetesClusterApiServerAccessProfile
    An api_server_access_profile block as defined below.
    ApiServerAuthorizedIpRanges List<string>

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    AutoScalerProfile KubernetesClusterAutoScalerProfile
    A auto_scaler_profile block as defined below.
    AutomaticChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    AzureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl
    A azure_active_directory_role_based_access_control block as defined below.
    AzurePolicyEnabled bool
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    ConfidentialComputing KubernetesClusterConfidentialComputing
    A confidential_computing block as defined below. For more details, please see the documentation.
    CurrentKubernetesVersion string
    The current version running on the Azure Kubernetes Managed Cluster.
    CustomCaTrustCertificatesBase64s List<string>

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    DefaultNodePool KubernetesClusterDefaultNodePool
    A default_node_pool block as defined below.
    DiskEncryptionSetId string
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    DnsPrefix string
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    DnsPrefixPrivateCluster string

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    EdgeZone string
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    EnablePodSecurityPolicy bool

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure Pod Security Policy through it.

    Fqdn string
    The FQDN of the Azure Kubernetes Managed Cluster.
    HttpApplicationRoutingEnabled bool

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    HttpApplicationRoutingZoneName string
    The Zone Name of the HTTP Application Routing.
    HttpProxyConfig KubernetesClusterHttpProxyConfig
    A http_proxy_config block as defined below.
    Identity KubernetesClusterIdentity

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    ImageCleanerEnabled bool
    Specifies whether Image Cleaner is enabled.
    ImageCleanerIntervalHours int
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    IngressApplicationGateway KubernetesClusterIngressApplicationGateway

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    KeyManagementService KubernetesClusterKeyManagementService
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    KeyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    KubeAdminConfigRaw string
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled. It carries the local admin account's credentials, so handle it as a secret.
    KubeAdminConfigs List<KubernetesClusterKubeAdminConfig>
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
    KubeConfigRaw string
    Raw Kubernetes config to be used by kubectl and other compatible tools. It can embed client credentials for the cluster, so handle it as a secret.
    KubeConfigs List<KubernetesClusterKubeConfig>
    A kube_config block as defined below.
    KubeletIdentity KubernetesClusterKubeletIdentity
    A kubelet_identity block as defined below.
    KubernetesVersion string

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as 1.22 are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    LinuxProfile KubernetesClusterLinuxProfile
    A linux_profile block as defined below.
    LocalAccountDisabled bool

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    Location string
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    MaintenanceWindow KubernetesClusterMaintenanceWindow
    A maintenance_window block as defined below.
    MaintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgrade
    A maintenance_window_auto_upgrade block as defined below.
    MaintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOs
    A maintenance_window_node_os block as defined below.
    MicrosoftDefender KubernetesClusterMicrosoftDefender
    A microsoft_defender block as defined below.
    MonitorMetrics KubernetesClusterMonitorMetrics

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    Name string
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    NetworkProfile KubernetesClusterNetworkProfile

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    NodeOsChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NodeResourceGroup string

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    NodeResourceGroupId string
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    OidcIssuerEnabled bool
    Enable or Disable the OIDC issuer URL
    OidcIssuerUrl string
    The OIDC issuer URL that is associated with the cluster.
    OmsAgent KubernetesClusterOmsAgent
    A oms_agent block as defined below.
    OpenServiceMeshEnabled bool
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    PortalFqdn string
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    PrivateClusterEnabled bool
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    PrivateClusterPublicFqdnEnabled bool

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you bring your own (BYO) DNS zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) that has the Private DNS Zone Contributor role and access to this Private DNS Zone. If a UserAssigned identity is used, the cluster should depend on the role assignment so that the resources are destroyed in the correct order, as in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

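    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });
    // The role is scoped to this one Private DNS zone (scope is the zone ID),
    // not to the resource group or subscription.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });
    // Only the private-DNS-related arguments are shown. The cluster's other
    // arguments (default node pool, and the identity block that makes it run
    // as exampleUserAssignedIdentity) are left out of this example.
    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
    }, {
        // None of the cluster's inputs reference the role assignment, so the
        // ordering has to be declared explicitly: the assignment is created
        // before the cluster and destroyed only after it.
        dependsOn: [exampleAssignment],
    });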

    import pulumi
    import pulumi_azure as azure
    
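    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to this one Private DNS zone (scope is the zone ID),
    # not to the resource group or subscription.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # Only the private-DNS-related arguments are shown. The cluster's other
    # arguments (default node pool, and the identity block that makes it run
    # as example_user_assigned_identity) are left out of this example.
    # None of the cluster's inputs reference the role assignment, so depends_on
    # declares the ordering explicitly: the assignment is created before the
    # cluster and destroyed only after it.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))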
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
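    return await Deployment.RunAsync(() => 
    {
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });
    
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });
    
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });
    
        // The role is scoped to this one Private DNS zone (Scope is the zone ID),
        // not to the resource group or subscription.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });
    
        // Only the private-DNS-related arguments are shown. The cluster's other
        // arguments (default node pool, and the identity block that makes it run
        // as exampleUserAssignedIdentity) are left out of this example.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
        }, new CustomResourceOptions
        {
            // None of the cluster's inputs reference the role assignment, so the
            // ordering is declared explicitly: the assignment is created before
            // the cluster and destroyed only after it.
            DependsOn =
            {
                exampleAssignment,
            },
        });
    
    });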
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
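    // main provisions a resource group, a Private DNS zone, a user-assigned
    // identity holding "Private DNS Zone Contributor" on that zone, and a private
    // AKS cluster that is created after (and destroyed before) the role assignment.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to this one Private DNS zone (Scope is the zone ID),
    		// not to the resource group or subscription. The resource is kept in a
    		// variable so the cluster can declare a dependency on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// Only the private-DNS-related arguments are shown. The cluster's other
    		// arguments (default node pool, and the identity block that makes it run
    		// as exampleUserAssignedIdentity) are left out of this example.
    		// None of the cluster's inputs reference the role assignment, so
    		// DependsOn declares the ordering explicitly.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }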
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
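    /**
     * Provisions a resource group, a Private DNS zone, a user-assigned identity
     * holding "Private DNS Zone Contributor" on that zone, and a private AKS
     * cluster that is created after (and destroyed before) the role assignment.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());
    
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());
    
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());
    
            // The role is scoped to this one Private DNS zone (scope is the zone ID),
            // not to the resource group or subscription.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());
    
            // Only the private-DNS-related arguments are shown. The cluster's other
            // arguments (default node pool, and the identity block that makes it run
            // as exampleUserAssignedIdentity) are left out of this example.
            // None of the cluster's inputs reference the role assignment, so dependsOn
            // declares the ordering explicitly. The options class is written with its
            // fully qualified name because the listing's imports do not include it.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(), com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());
    
        }
    }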
    
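    resources:
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to this one Private DNS zone (scope is the zone ID),
      # not to the resource group or subscription.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      # Only the private-DNS-related properties are shown. The cluster's other
      # properties (default node pool, and the identity block that makes it run
      # as exampleUserAssignedIdentity) are left out of this example.
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
        # None of the cluster's properties reference the role assignment, so the
        # ordering is declared explicitly: the assignment is created before the
        # cluster and destroyed only after it.
        options:
          dependsOn:
            - ${exampleAssignment}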
    
    PrivateDnsZoneId string
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    PrivateFqdn string
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    PublicNetworkAccessEnabled bool

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API. For further information please see this issue. For controlling the public and private exposure of a cluster please see the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    ResourceGroupName string
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    RoleBasedAccessControlEnabled bool
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    RunCommandEnabled bool
    Whether to enable run command for the cluster or not. Defaults to true.
    ServiceMeshProfile KubernetesClusterServiceMeshProfile

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    ServicePrincipal KubernetesClusterServicePrincipal

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    SkuTier string

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    StorageProfile KubernetesClusterStorageProfile
    A storage_profile block as defined below.
    SupportPlan string
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    Tags Dictionary<string, string>
    A mapping of tags to assign to the resource.
    WebAppRouting KubernetesClusterWebAppRouting
    A web_app_routing block as defined below.
    WindowsProfile KubernetesClusterWindowsProfile
    A windows_profile block as defined below.
    WorkloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile
    A workload_autoscaler_profile block defined below.
    WorkloadIdentityEnabled bool

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    AciConnectorLinux KubernetesClusterAciConnectorLinuxArgs
    An aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    ApiServerAccessProfile KubernetesClusterApiServerAccessProfileArgs
    An api_server_access_profile block as defined below.
    ApiServerAuthorizedIpRanges []string

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    AutoScalerProfile KubernetesClusterAutoScalerProfileArgs
    A auto_scaler_profile block as defined below.
    AutomaticChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    AzureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs
    A azure_active_directory_role_based_access_control block as defined below.
    AzurePolicyEnabled bool
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    ConfidentialComputing KubernetesClusterConfidentialComputingArgs
    A confidential_computing block as defined below. For more details, please see the documentation.
    CurrentKubernetesVersion string
    The current version running on the Azure Kubernetes Managed Cluster.
    CustomCaTrustCertificatesBase64s []string

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    DefaultNodePool KubernetesClusterDefaultNodePoolArgs
    A default_node_pool block as defined below.
    DiskEncryptionSetId string
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    DnsPrefix string
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    DnsPrefixPrivateCluster string

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    EdgeZone string
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    EnablePodSecurityPolicy bool

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure Pod Security Policy through it.

    Fqdn string
    The FQDN of the Azure Kubernetes Managed Cluster.
    HttpApplicationRoutingEnabled bool

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    HttpApplicationRoutingZoneName string
    The Zone Name of the HTTP Application Routing.
    HttpProxyConfig KubernetesClusterHttpProxyConfigArgs
    A http_proxy_config block as defined below.
    Identity KubernetesClusterIdentityArgs

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    ImageCleanerEnabled bool
    Specifies whether Image Cleaner is enabled.
    ImageCleanerIntervalHours int
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    IngressApplicationGateway KubernetesClusterIngressApplicationGatewayArgs

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    KeyManagementService KubernetesClusterKeyManagementServiceArgs
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    KeyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProviderArgs
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    KubeAdminConfigRaw string
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled. It carries the local admin account's credentials, so handle it as a secret.
    KubeAdminConfigs []KubernetesClusterKubeAdminConfigArgs
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled.
    KubeConfigRaw string
    Raw Kubernetes config to be used by kubectl and other compatible tools. The value carries cluster credentials, so treat it as a secret wherever it is exported or stored.
    KubeConfigs []KubernetesClusterKubeConfigArgs
    A kube_config block as defined below.
    KubeletIdentity KubernetesClusterKubeletIdentityArgs
    A kubelet_identity block as defined below.
    KubernetesVersion string

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the latest GA patch of that minor version is chosen automatically. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    LinuxProfile KubernetesClusterLinuxProfileArgs
    A linux_profile block as defined below.
    LocalAccountDisabled bool

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    Location string
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    MaintenanceWindow KubernetesClusterMaintenanceWindowArgs
    A maintenance_window block as defined below.
    MaintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgradeArgs
    A maintenance_window_auto_upgrade block as defined below.
    MaintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOsArgs
    A maintenance_window_node_os block as defined below.
    MicrosoftDefender KubernetesClusterMicrosoftDefenderArgs
    A microsoft_defender block as defined below.
    MonitorMetrics KubernetesClusterMonitorMetricsArgs

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    Name string
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    NetworkProfile KubernetesClusterNetworkProfileArgs

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    NodeOsChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    NodeResourceGroup string

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    NodeResourceGroupId string
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    OidcIssuerEnabled bool
    Enable or Disable the OIDC issuer URL
    OidcIssuerUrl string
    The OIDC issuer URL that is associated with the cluster.
    OmsAgent KubernetesClusterOmsAgentArgs
    A oms_agent block as defined below.
    OpenServiceMeshEnabled bool
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    PortalFqdn string
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    PrivateClusterEnabled bool
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    PrivateClusterPublicFqdnEnabled bool

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If UserAssigned identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

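    // Resource group that holds every resource in this example.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });

    // Bring-your-own private DNS zone handed to the private cluster.
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });

    // User-assigned identity the cluster runs as.
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });

    // The role is scoped to the one DNS zone rather than to the whole resource group.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });

    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // Attach the identity that holds the role; otherwise the assignment above
        // grants access to a principal the cluster never uses.
        identity: {
            type: "UserAssigned",
            identityIds: [exampleUserAssignedIdentity.id],
        },
        // defaultNodePool and the rest of the cluster configuration are omitted for brevity.
    }, {
        // None of the cluster's inputs reference the role assignment, so the ordering
        // has to be declared: create the assignment first, destroy it last.
        dependsOn: [exampleAssignment],
    });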

    import pulumi
    import pulumi_azure as azure
    
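    # Resource group that holds every resource in this example.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    # Bring-your-own private DNS zone handed to the private cluster.
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    # User-assigned identity the cluster runs as.
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the one DNS zone rather than to the whole resource group.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # Attach the identity that holds the role; otherwise the assignment above
        # grants access to a principal the cluster never uses.
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="UserAssigned",
            identity_ids=[example_user_assigned_identity.id],
        ),
        # default_node_pool and the rest of the cluster configuration are omitted for brevity.
        # None of the cluster's inputs reference the role assignment, so the ordering
        # has to be declared: create the assignment first, destroy it last.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))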
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
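    return await Deployment.RunAsync(() => 
    {
        // Resource group that holds every resource in this example.
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });

        // Bring-your-own private DNS zone handed to the private cluster.
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });

        // User-assigned identity the cluster runs as.
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });

        // The role is scoped to the one DNS zone rather than to the whole resource group.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });

        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
            // Attach the identity that holds the role; otherwise the assignment above
            // grants access to a principal the cluster never uses.
            Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
            {
                Type = "UserAssigned",
                IdentityIds = new[]
                {
                    exampleUserAssignedIdentity.Id,
                },
            },
            // DefaultNodePool and the rest of the cluster configuration are omitted for brevity.
        }, new CustomResourceOptions
        {
            // None of the cluster's inputs reference the role assignment, so the ordering
            // has to be declared: create the assignment first, destroy it last.
            DependsOn =
            {
                exampleAssignment,
            },
        });

    });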
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
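    // main declares a private AKS cluster that uses a bring-your-own private DNS
    // zone, together with the user-assigned identity and role assignment it needs.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Resource group that holds every resource in this example.
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		// Bring-your-own private DNS zone handed to the private cluster.
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		// User-assigned identity the cluster runs as.
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the one DNS zone rather than to the whole resource
    		// group. The resource is kept in a variable so the cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    			// Attach the identity that holds the role; otherwise the assignment
    			// above grants access to a principal the cluster never uses.
    			Identity: &containerservice.KubernetesClusterIdentityArgs{
    				Type: pulumi.String("UserAssigned"),
    				IdentityIds: pulumi.StringArray{
    					exampleUserAssignedIdentity.ID(),
    				},
    			},
    			// DefaultNodePool and the rest of the cluster configuration are omitted for brevity.
    		}, pulumi.DependsOn([]pulumi.Resource{
    			// None of the cluster's inputs reference the role assignment, so the
    			// ordering has to be declared: create it first, destroy it last.
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }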
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import com.pulumi.azure.containerservice.inputs.KubernetesClusterIdentityArgs;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.core.Output;
    import com.pulumi.resources.CustomResourceOptions;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;
    
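    /**
     * Declares a private AKS cluster that uses a bring-your-own private DNS zone,
     * together with the user-assigned identity and role assignment it needs.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Registers the example resources with the Pulumi engine.
         *
         * @param ctx the Pulumi deployment context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            // Resource group that holds every resource in this example.
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            // Bring-your-own private DNS zone handed to the private cluster.
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            // User-assigned identity the cluster runs as.
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // The role is scoped to the one DNS zone rather than to the whole resource group.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                // Attach the identity that holds the role; otherwise the assignment above
                // grants access to a principal the cluster never uses.
                .identity(KubernetesClusterIdentityArgs.builder()
                    .type("UserAssigned")
                    .identityIds(exampleUserAssignedIdentity.id().applyValue(id -> List.of(id)))
                    .build())
                // defaultNodePool and the rest of the cluster configuration are omitted for brevity.
                .build(), CustomResourceOptions.builder()
                    // None of the cluster's inputs reference the role assignment, so the ordering
                    // has to be declared: create the assignment first, destroy it last.
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }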
    
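    resources:
      # Resource group that holds every resource in this example.
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      # Bring-your-own private DNS zone handed to the private cluster.
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      # User-assigned identity the cluster runs as.
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the one DNS zone rather than to the whole resource group.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
          # Attach the identity that holds the role; otherwise the assignment above
          # grants access to a principal the cluster never uses.
          identity:
            type: UserAssigned
            identityIds:
              - ${exampleUserAssignedIdentity.id}
          # defaultNodePool and the rest of the cluster configuration are omitted for brevity.
        options:
          # None of the cluster's inputs reference the role assignment, so the ordering
          # has to be declared: create the assignment first, destroy it last.
          dependsOn:
            - ${exampleAssignment}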
    
    PrivateDnsZoneId string
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    PrivateFqdn string
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    PublicNetworkAccessEnabled bool

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    Note: public_network_access_enabled is currently not functional and is not passed to the Azure API. For further information please see this issue. To control the public and private exposure of a cluster, use the properties private_cluster_enabled and api_server_access_profile instead.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    ResourceGroupName string
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    RoleBasedAccessControlEnabled bool
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    RunCommandEnabled bool
    Whether to enable run command for the cluster or not. Defaults to true.
    ServiceMeshProfile KubernetesClusterServiceMeshProfileArgs

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    ServicePrincipal KubernetesClusterServicePrincipalArgs

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    SkuTier string

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    StorageProfile KubernetesClusterStorageProfileArgs
    A storage_profile block as defined below.
    SupportPlan string
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    Tags map[string]string
    A mapping of tags to assign to the resource.
    WebAppRouting KubernetesClusterWebAppRoutingArgs
    A web_app_routing block as defined below.
    WindowsProfile KubernetesClusterWindowsProfileArgs
    A windows_profile block as defined below.
    WorkloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfileArgs
    A workload_autoscaler_profile block defined below.
    WorkloadIdentityEnabled bool

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    aciConnectorLinux KubernetesClusterAciConnectorLinux
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    apiServerAccessProfile KubernetesClusterApiServerAccessProfile
    An api_server_access_profile block as defined below.
    apiServerAuthorizedIpRanges List<String>

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    autoScalerProfile KubernetesClusterAutoScalerProfile
    A auto_scaler_profile block as defined below.
    automaticChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl
    A azure_active_directory_role_based_access_control block as defined below.
    azurePolicyEnabled Boolean
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidentialComputing KubernetesClusterConfidentialComputing
    A confidential_computing block as defined below. For more details please see the documentation
    currentKubernetesVersion String
    The current version running on the Azure Kubernetes Managed Cluster.
    customCaTrustCertificatesBase64s List<String>

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    defaultNodePool KubernetesClusterDefaultNodePool
    A default_node_pool block as defined below.
    diskEncryptionSetId String
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dnsPrefix String
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dnsPrefixPrivateCluster String

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edgeZone String
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enablePodSecurityPolicy Boolean

    Deprecated: The AKS API removed support for this field on 2020-10-15, and it is no longer possible to configure the Pod Security Policy.

    fqdn String
    The FQDN of the Azure Kubernetes Managed Cluster.
    httpApplicationRoutingEnabled Boolean

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    httpApplicationRoutingZoneName String
    The Zone Name of the HTTP Application Routing.
    httpProxyConfig KubernetesClusterHttpProxyConfig
    A http_proxy_config block as defined below.
    identity KubernetesClusterIdentity

    An identity block as defined below. One of either identity or service_principal must be specified.

    Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    imageCleanerEnabled Boolean
    Specifies whether Image Cleaner is enabled.
    imageCleanerIntervalHours Integer
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingressApplicationGateway KubernetesClusterIngressApplicationGateway

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    keyManagementService KubernetesClusterKeyManagementService
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    keyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubeAdminConfigRaw String
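    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled. The value carries admin credentials for the cluster, so treat it as a secret wherever it is exported or stored.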
    kubeAdminConfigs List<KubernetesClusterKubeAdminConfig>
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeConfigRaw String
    Raw Kubernetes config to be used by kubectl and other compatible tools. The value carries cluster credentials, so treat it as a secret wherever it is exported or stored.
    kubeConfigs List<KubernetesClusterKubeConfig>
    A kube_config block as defined below.
    kubeletIdentity KubernetesClusterKubeletIdentity
    A kubelet_identity block as defined below.
    kubernetesVersion String

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the latest GA patch of that minor version is chosen automatically. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linuxProfile KubernetesClusterLinuxProfile
    A linux_profile block as defined below.
    localAccountDisabled Boolean

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location String
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenanceWindow KubernetesClusterMaintenanceWindow
    A maintenance_window block as defined below.
    maintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgrade
    A maintenance_window_auto_upgrade block as defined below.
    maintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOs
    A maintenance_window_node_os block as defined below.
    microsoftDefender KubernetesClusterMicrosoftDefender
    A microsoft_defender block as defined below.
    monitorMetrics KubernetesClusterMonitorMetrics

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name String
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    networkProfile KubernetesClusterNetworkProfile

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    nodeOsChannelUpgrade String

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    nodeResourceGroup String

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    nodeResourceGroupId String
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidcIssuerEnabled Boolean
    Enable or Disable the OIDC issuer URL
    oidcIssuerUrl String
    The OIDC issuer URL that is associated with the cluster.
    omsAgent KubernetesClusterOmsAgent
    A oms_agent block as defined below.
    openServiceMeshEnabled Boolean
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    portalFqdn String
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    privateClusterEnabled Boolean
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    privateClusterPublicFqdnEnabled Boolean

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the Private DNS Zone Contributor role and access to this Private DNS Zone. If UserAssigned identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

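    // Resource group that holds every resource in this example.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });

    // Bring-your-own private DNS zone handed to the private cluster.
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });

    // User-assigned identity the cluster runs as.
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });

    // The role is scoped to the one DNS zone rather than to the whole resource group.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });

    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // Attach the identity that holds the role; otherwise the assignment above
        // grants access to a principal the cluster never uses.
        identity: {
            type: "UserAssigned",
            identityIds: [exampleUserAssignedIdentity.id],
        },
        // defaultNodePool and the rest of the cluster configuration are omitted for brevity.
    }, {
        // None of the cluster's inputs reference the role assignment, so the ordering
        // has to be declared: create the assignment first, destroy it last.
        dependsOn: [exampleAssignment],
    });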

    import pulumi
    import pulumi_azure as azure
    
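    # Resource group that holds every resource in this example.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    # Bring-your-own private DNS zone handed to the private cluster.
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    # User-assigned identity the cluster runs as.
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the one DNS zone rather than to the whole resource group.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # Attach the identity that holds the role; otherwise the assignment above
        # grants access to a principal the cluster never uses.
        identity=azure.containerservice.KubernetesClusterIdentityArgs(
            type="UserAssigned",
            identity_ids=[example_user_assigned_identity.id],
        ),
        # default_node_pool and the rest of the cluster configuration are omitted for brevity.
        # None of the cluster's inputs reference the role assignment, so the ordering
        # has to be declared: create the assignment first, destroy it last.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))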
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
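    return await Deployment.RunAsync(() => 
    {
        // Resource group that holds every resource in this example.
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });

        // Bring-your-own private DNS zone handed to the private cluster.
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });

        // User-assigned identity the cluster runs as.
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });

        // The role is scoped to the one DNS zone rather than to the whole resource group.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });

        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
            // Attach the identity that holds the role; otherwise the assignment above
            // grants access to a principal the cluster never uses.
            Identity = new Azure.ContainerService.Inputs.KubernetesClusterIdentityArgs
            {
                Type = "UserAssigned",
                IdentityIds = new[]
                {
                    exampleUserAssignedIdentity.Id,
                },
            },
            // DefaultNodePool and the rest of the cluster configuration are omitted for brevity.
        }, new CustomResourceOptions
        {
            // None of the cluster's inputs reference the role assignment, so the ordering
            // has to be declared: create the assignment first, destroy it last.
            DependsOn =
            {
                exampleAssignment,
            },
        });

    });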
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
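    // main provisions a private AKS cluster that uses a bring-your-own private DNS
    // zone, together with the user-assigned identity and role assignment for that zone.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Resource group that holds the private DNS zone, the identity and the cluster.
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		// Bring-your-own private DNS zone for the private cluster's API server record.
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		// User-assigned identity that receives the DNS role below.
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the zone itself rather than the whole resource group.
    		// The resource is kept in a variable so the cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// NOTE(review): this listing sets neither DefaultNodePool nor an Identity block.
    		// A complete program needs both, and the role assignment only takes effect if
    		// the cluster runs as exampleUserAssignedIdentity.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			// The cluster never reads an output of the role assignment, so no ordering
    			// is inferred between them. Declare it explicitly so the role is granted
    			// before the cluster is created and revoked only after it is destroyed.
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }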
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
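    /**
     * Provisions a private AKS cluster that uses a bring-your-own private DNS zone,
     * together with the user-assigned identity and role assignment for that zone.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the stack's resources.
         *
         * @param ctx the Pulumi context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            // Resource group that holds the private DNS zone, the identity and the cluster.
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            // Bring-your-own private DNS zone for the private cluster's API server record.
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            // User-assigned identity that receives the DNS role below.
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // The role is scoped to the zone itself rather than the whole resource group,
            // so the identity can manage records in this zone only.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            // NOTE(review): this listing sets neither defaultNodePool nor an identity block.
            // A complete program needs both, and the role assignment only takes effect if
            // the cluster runs as exampleUserAssignedIdentity.
            //
            // The cluster never reads an output of the role assignment, so no ordering is
            // inferred between them. dependsOn declares it explicitly so the role is granted
            // before the cluster is created and revoked only after it is destroyed.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(), com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }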
    
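    resources:
      # Resource group that holds the private DNS zone, the identity and the cluster.
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      # Bring-your-own private DNS zone for the private cluster's API server record.
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      # User-assigned identity that receives the DNS role below.
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the zone itself rather than the whole resource group,
      # so the identity can manage records in this zone only.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      # NOTE(review): this listing sets neither defaultNodePool nor an identity block.
      # A complete program needs both, and the role assignment only takes effect if
      # the cluster runs as exampleUserAssignedIdentity.
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
        options:
          # The cluster references no output of the role assignment, so no ordering is
          # inferred between them. Declare it explicitly so the role is granted before
          # the cluster is created and revoked only after it is destroyed.
          dependsOn:
            - ${exampleAssignment}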
    
    privateDnsZoneId String
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    privateFqdn String
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    publicNetworkAccessEnabled Boolean

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API. For further information please see this issue. For controlling the public and private exposure of a cluster please see the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    resourceGroupName String
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    roleBasedAccessControlEnabled Boolean
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    runCommandEnabled Boolean
    Whether to enable run command for the cluster or not. Defaults to true.
    serviceMeshProfile KubernetesClusterServiceMeshProfile

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    servicePrincipal KubernetesClusterServicePrincipal

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    skuTier String

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storageProfile KubernetesClusterStorageProfile
    A storage_profile block as defined below.
    supportPlan String
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags Map<String,String>
    A mapping of tags to assign to the resource.
    webAppRouting KubernetesClusterWebAppRouting
    A web_app_routing block as defined below.
    windowsProfile KubernetesClusterWindowsProfile
    A windows_profile block as defined below.
    workloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile
    A workload_autoscaler_profile block defined below.
    workloadIdentityEnabled Boolean

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    aciConnectorLinux KubernetesClusterAciConnectorLinux
    A aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    apiServerAccessProfile KubernetesClusterApiServerAccessProfile
    An api_server_access_profile block as defined below.
    apiServerAuthorizedIpRanges string[]

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    autoScalerProfile KubernetesClusterAutoScalerProfile
    A auto_scaler_profile block as defined below.
    automaticChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    !> Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azureActiveDirectoryRoleBasedAccessControl KubernetesClusterAzureActiveDirectoryRoleBasedAccessControl
    A azure_active_directory_role_based_access_control block as defined below.
    azurePolicyEnabled boolean
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidentialComputing KubernetesClusterConfidentialComputing
    A confidential_computing block as defined below. For more details please see the documentation
    currentKubernetesVersion string
    The current version running on the Azure Kubernetes Managed Cluster.
    customCaTrustCertificatesBase64s string[]

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    defaultNodePool KubernetesClusterDefaultNodePool
    A default_node_pool block as defined below.
    diskEncryptionSetId string
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dnsPrefix string
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dnsPrefixPrivateCluster string

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edgeZone string
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enablePodSecurityPolicy boolean

    Deprecated: The AKS API removed support for this field on 2020-10-15 and it is no longer possible to configure the Pod Security Policy.

    fqdn string
    The FQDN of the Azure Kubernetes Managed Cluster.
    httpApplicationRoutingEnabled boolean

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    httpApplicationRoutingZoneName string
    The Zone Name of the HTTP Application Routing.
    httpProxyConfig KubernetesClusterHttpProxyConfig
    A http_proxy_config block as defined below.
    identity KubernetesClusterIdentity

    An identity block as defined below. One of either identity or service_principal must be specified.

    !> Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    imageCleanerEnabled boolean
    Specifies whether Image Cleaner is enabled.
    imageCleanerIntervalHours number
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingressApplicationGateway KubernetesClusterIngressApplicationGateway

    A ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    keyManagementService KubernetesClusterKeyManagementService
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    keyVaultSecretsProvider KubernetesClusterKeyVaultSecretsProvider
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kubeAdminConfigRaw string
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeAdminConfigs KubernetesClusterKubeAdminConfig[]
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled.
    kubeConfigRaw string
    Raw Kubernetes config to be used by kubectl and other compatible tools.
    kubeConfigs KubernetesClusterKubeConfig[]
    A kube_config block as defined below.
    kubeletIdentity KubernetesClusterKubeletIdentity
    A kubelet_identity block as defined below.
    kubernetesVersion string

    Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as 1.22 are also supported, in which case the minor version's latest GA patch is chosen automatically. More details can be found in the documentation.

    Note: Upgrading your cluster may take up to 10 minutes per node.

    linuxProfile KubernetesClusterLinuxProfile
    A linux_profile block as defined below.
    localAccountDisabled boolean

    If true local accounts will be disabled. See the documentation for more information.

    Note: If local_account_disabled is set to true, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See the documentation for more information.

    location string
    The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
    maintenanceWindow KubernetesClusterMaintenanceWindow
    A maintenance_window block as defined below.
    maintenanceWindowAutoUpgrade KubernetesClusterMaintenanceWindowAutoUpgrade
    A maintenance_window_auto_upgrade block as defined below.
    maintenanceWindowNodeOs KubernetesClusterMaintenanceWindowNodeOs
    A maintenance_window_node_os block as defined below.
    microsoftDefender KubernetesClusterMicrosoftDefender
    A microsoft_defender block as defined below.
    monitorMetrics KubernetesClusterMonitorMetrics

    Specifies a Prometheus add-on profile for the Kubernetes Cluster. A monitor_metrics block as defined below.

    Note: If deploying Managed Prometheus, the monitor_metrics properties are required to configure the cluster for metrics collection. If no value is needed, set properties to null.

    name string
    The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
    networkProfile KubernetesClusterNetworkProfile

    A network_profile block as defined below. Changing this forces a new resource to be created.

    Note: If network_profile is not defined, kubenet profile will be used by default.

    nodeOsChannelUpgrade string

    The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are Unmanaged, SecurityPatch, NodeImage and None.

    Note: node_os_channel_upgrade must be set to NodeImage if automatic_channel_upgrade has been set to node-image

    Note: This requires that the Preview Feature Microsoft.ContainerService/NodeOsUpgradeChannelPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    nodeResourceGroup string

    The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.

    Note: Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.

    nodeResourceGroupId string
    The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
    oidcIssuerEnabled boolean
    Enable or Disable the OIDC issuer URL
    oidcIssuerUrl string
    The OIDC issuer URL that is associated with the cluster.
    omsAgent KubernetesClusterOmsAgent
    A oms_agent block as defined below.
    openServiceMeshEnabled boolean
    Is Open Service Mesh enabled? For more details, please visit Open Service Mesh for AKS.
    portalFqdn string
    The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    privateClusterEnabled boolean
    Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to false. Changing this forces a new resource to be created.
    privateClusterPublicFqdnEnabled boolean

    Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to false.

    Note: If you use a BYO DNS Zone, the AKS cluster should use either a User Assigned Identity or a service principal (which is deprecated) that has the Private DNS Zone Contributor role and access to this Private DNS Zone. If a User Assigned Identity is used, the cluster should depend on the role assignment so that the resources are not destroyed in the wrong order, as in this example:

    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    

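    // Resource group that holds the private DNS zone, the identity and the cluster.
    const example = new azure.core.ResourceGroup("example", {
        name: "example",
        location: "West Europe",
    });

    // Bring-your-own private DNS zone for the private cluster's API server record.
    const exampleZone = new azure.privatedns.Zone("example", {
        name: "privatelink.eastus2.azmk8s.io",
        resourceGroupName: example.name,
    });

    // User-assigned identity that receives the DNS role below.
    const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
        name: "aks-example-identity",
        resourceGroupName: example.name,
        location: example.location,
    });

    // The role is scoped to the zone itself rather than the whole resource group,
    // so the identity can manage records in this zone only.
    const exampleAssignment = new azure.authorization.Assignment("example", {
        scope: exampleZone.id,
        roleDefinitionName: "Private DNS Zone Contributor",
        principalId: exampleUserAssignedIdentity.principalId,
    });

    const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
        name: "aksexamplewithprivatednszone1",
        location: example.location,
        resourceGroupName: example.name,
        dnsPrefix: "aksexamplednsprefix1",
        privateClusterEnabled: true,
        privateDnsZoneId: exampleZone.id,
        // NOTE(review): this listing sets neither defaultNodePool nor an identity block.
        // A complete program needs both, and the role assignment only takes effect
        // if the cluster runs as exampleUserAssignedIdentity.
    }, {
        // The cluster never reads an output of the role assignment, so the engine
        // infers no ordering between them. Declare it explicitly so the role is
        // granted before the cluster is created and revoked only after it is destroyed.
        dependsOn: [exampleAssignment],
    });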

    import pulumi
    import pulumi_azure as azure
    
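    # Resource group that holds the private DNS zone, the identity and the cluster.
    example = azure.core.ResourceGroup("example",
        name="example",
        location="West Europe")
    # Bring-your-own private DNS zone for the private cluster's API server record.
    example_zone = azure.privatedns.Zone("example",
        name="privatelink.eastus2.azmk8s.io",
        resource_group_name=example.name)
    # User-assigned identity that receives the DNS role below.
    example_user_assigned_identity = azure.authorization.UserAssignedIdentity("example",
        name="aks-example-identity",
        resource_group_name=example.name,
        location=example.location)
    # The role is scoped to the zone itself rather than the whole resource group,
    # so the identity can manage records in this zone only.
    example_assignment = azure.authorization.Assignment("example",
        scope=example_zone.id,
        role_definition_name="Private DNS Zone Contributor",
        principal_id=example_user_assigned_identity.principal_id)
    # NOTE(review): this listing sets neither default_node_pool nor an identity block.
    # A complete program needs both, and the role assignment only takes effect if the
    # cluster runs as example_user_assigned_identity.
    example_kubernetes_cluster = azure.containerservice.KubernetesCluster("example",
        name="aksexamplewithprivatednszone1",
        location=example.location,
        resource_group_name=example.name,
        dns_prefix="aksexamplednsprefix1",
        private_cluster_enabled=True,
        private_dns_zone_id=example_zone.id,
        # The cluster never reads an output of the role assignment, so no ordering
        # is inferred between them. Declare it explicitly so the role is granted
        # before the cluster is created and revoked only after it is destroyed.
        opts=pulumi.ResourceOptions(depends_on=[example_assignment]))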
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Azure = Pulumi.Azure;
    
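    return await Deployment.RunAsync(() =>
    {
        // Resource group that holds the private DNS zone, the identity and the cluster.
        var example = new Azure.Core.ResourceGroup("example", new()
        {
            Name = "example",
            Location = "West Europe",
        });

        // Bring-your-own private DNS zone for the private cluster's API server record.
        var exampleZone = new Azure.PrivateDns.Zone("example", new()
        {
            Name = "privatelink.eastus2.azmk8s.io",
            ResourceGroupName = example.Name,
        });

        // User-assigned identity that receives the DNS role below.
        var exampleUserAssignedIdentity = new Azure.Authorization.UserAssignedIdentity("example", new()
        {
            Name = "aks-example-identity",
            ResourceGroupName = example.Name,
            Location = example.Location,
        });

        // The role is scoped to the zone itself rather than the whole resource group,
        // so the identity can manage records in this zone only.
        var exampleAssignment = new Azure.Authorization.Assignment("example", new()
        {
            Scope = exampleZone.Id,
            RoleDefinitionName = "Private DNS Zone Contributor",
            PrincipalId = exampleUserAssignedIdentity.PrincipalId,
        });

        // NOTE(review): this listing sets neither DefaultNodePool nor an Identity block.
        // A complete program needs both, and the role assignment only takes effect if
        // the cluster runs as exampleUserAssignedIdentity.
        var exampleKubernetesCluster = new Azure.ContainerService.KubernetesCluster("example", new()
        {
            Name = "aksexamplewithprivatednszone1",
            Location = example.Location,
            ResourceGroupName = example.Name,
            DnsPrefix = "aksexamplednsprefix1",
            PrivateClusterEnabled = true,
            PrivateDnsZoneId = exampleZone.Id,
        }, new CustomResourceOptions
        {
            // The cluster never reads an output of the role assignment, so no ordering
            // is inferred between them. Declare it explicitly so the role is granted
            // before the cluster is created and revoked only after it is destroyed.
            DependsOn =
            {
                exampleAssignment,
            },
        });

    });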
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/authorization"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/containerservice"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/core"
    	"github.com/pulumi/pulumi-azure/sdk/v5/go/azure/privatedns"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
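    // main provisions a private AKS cluster that uses a bring-your-own private DNS
    // zone, together with the user-assigned identity and role assignment for that zone.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Resource group that holds the private DNS zone, the identity and the cluster.
    		example, err := core.NewResourceGroup(ctx, "example", &core.ResourceGroupArgs{
    			Name:     pulumi.String("example"),
    			Location: pulumi.String("West Europe"),
    		})
    		if err != nil {
    			return err
    		}
    		// Bring-your-own private DNS zone for the private cluster's API server record.
    		exampleZone, err := privatedns.NewZone(ctx, "example", &privatedns.ZoneArgs{
    			Name:              pulumi.String("privatelink.eastus2.azmk8s.io"),
    			ResourceGroupName: example.Name,
    		})
    		if err != nil {
    			return err
    		}
    		// User-assigned identity that receives the DNS role below.
    		exampleUserAssignedIdentity, err := authorization.NewUserAssignedIdentity(ctx, "example", &authorization.UserAssignedIdentityArgs{
    			Name:              pulumi.String("aks-example-identity"),
    			ResourceGroupName: example.Name,
    			Location:          example.Location,
    		})
    		if err != nil {
    			return err
    		}
    		// The role is scoped to the zone itself rather than the whole resource group.
    		// The resource is kept in a variable so the cluster can depend on it.
    		exampleAssignment, err := authorization.NewAssignment(ctx, "example", &authorization.AssignmentArgs{
    			Scope:              exampleZone.ID(),
    			RoleDefinitionName: pulumi.String("Private DNS Zone Contributor"),
    			PrincipalId:        exampleUserAssignedIdentity.PrincipalId,
    		})
    		if err != nil {
    			return err
    		}
    		// NOTE(review): this listing sets neither DefaultNodePool nor an Identity block.
    		// A complete program needs both, and the role assignment only takes effect if
    		// the cluster runs as exampleUserAssignedIdentity.
    		_, err = containerservice.NewKubernetesCluster(ctx, "example", &containerservice.KubernetesClusterArgs{
    			Name:                  pulumi.String("aksexamplewithprivatednszone1"),
    			Location:              example.Location,
    			ResourceGroupName:     example.Name,
    			DnsPrefix:             pulumi.String("aksexamplednsprefix1"),
    			PrivateClusterEnabled: pulumi.Bool(true),
    			PrivateDnsZoneId:      exampleZone.ID(),
    		}, pulumi.DependsOn([]pulumi.Resource{
    			// The cluster never reads an output of the role assignment, so no ordering
    			// is inferred between them. Declare it explicitly so the role is granted
    			// before the cluster is created and revoked only after it is destroyed.
    			exampleAssignment,
    		}))
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }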
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.azure.core.ResourceGroup;
    import com.pulumi.azure.core.ResourceGroupArgs;
    import com.pulumi.azure.privatedns.Zone;
    import com.pulumi.azure.privatedns.ZoneArgs;
    import com.pulumi.azure.authorization.UserAssignedIdentity;
    import com.pulumi.azure.authorization.UserAssignedIdentityArgs;
    import com.pulumi.azure.authorization.Assignment;
    import com.pulumi.azure.authorization.AssignmentArgs;
    import com.pulumi.azure.containerservice.KubernetesCluster;
    import com.pulumi.azure.containerservice.KubernetesClusterArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
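    /**
     * Provisions a private AKS cluster that uses a bring-your-own private DNS zone,
     * together with the user-assigned identity and role assignment for that zone.
     */
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the stack's resources.
         *
         * @param ctx the Pulumi context supplied by {@code Pulumi.run}
         */
        public static void stack(Context ctx) {
            // Resource group that holds the private DNS zone, the identity and the cluster.
            var example = new ResourceGroup("example", ResourceGroupArgs.builder()
                .name("example")
                .location("West Europe")
                .build());

            // Bring-your-own private DNS zone for the private cluster's API server record.
            var exampleZone = new Zone("exampleZone", ZoneArgs.builder()
                .name("privatelink.eastus2.azmk8s.io")
                .resourceGroupName(example.name())
                .build());

            // User-assigned identity that receives the DNS role below.
            var exampleUserAssignedIdentity = new UserAssignedIdentity("exampleUserAssignedIdentity", UserAssignedIdentityArgs.builder()
                .name("aks-example-identity")
                .resourceGroupName(example.name())
                .location(example.location())
                .build());

            // The role is scoped to the zone itself rather than the whole resource group,
            // so the identity can manage records in this zone only.
            var exampleAssignment = new Assignment("exampleAssignment", AssignmentArgs.builder()
                .scope(exampleZone.id())
                .roleDefinitionName("Private DNS Zone Contributor")
                .principalId(exampleUserAssignedIdentity.principalId())
                .build());

            // NOTE(review): this listing sets neither defaultNodePool nor an identity block.
            // A complete program needs both, and the role assignment only takes effect if
            // the cluster runs as exampleUserAssignedIdentity.
            //
            // The cluster never reads an output of the role assignment, so no ordering is
            // inferred between them. dependsOn declares it explicitly so the role is granted
            // before the cluster is created and revoked only after it is destroyed.
            var exampleKubernetesCluster = new KubernetesCluster("exampleKubernetesCluster", KubernetesClusterArgs.builder()
                .name("aksexamplewithprivatednszone1")
                .location(example.location())
                .resourceGroupName(example.name())
                .dnsPrefix("aksexamplednsprefix1")
                .privateClusterEnabled(true)
                .privateDnsZoneId(exampleZone.id())
                .build(), com.pulumi.resources.CustomResourceOptions.builder()
                    .dependsOn(exampleAssignment)
                    .build());

        }
    }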
    
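    resources:
      # Resource group that holds the private DNS zone, the identity and the cluster.
      example:
        type: azure:core:ResourceGroup
        properties:
          name: example
          location: West Europe
      # Bring-your-own private DNS zone for the private cluster's API server record.
      exampleZone:
        type: azure:privatedns:Zone
        name: example
        properties:
          name: privatelink.eastus2.azmk8s.io
          resourceGroupName: ${example.name}
      # User-assigned identity that receives the DNS role below.
      exampleUserAssignedIdentity:
        type: azure:authorization:UserAssignedIdentity
        name: example
        properties:
          name: aks-example-identity
          resourceGroupName: ${example.name}
          location: ${example.location}
      # The role is scoped to the zone itself rather than the whole resource group,
      # so the identity can manage records in this zone only.
      exampleAssignment:
        type: azure:authorization:Assignment
        name: example
        properties:
          scope: ${exampleZone.id}
          roleDefinitionName: Private DNS Zone Contributor
          principalId: ${exampleUserAssignedIdentity.principalId}
      # NOTE(review): this listing sets neither defaultNodePool nor an identity block.
      # A complete program needs both, and the role assignment only takes effect if
      # the cluster runs as exampleUserAssignedIdentity.
      exampleKubernetesCluster:
        type: azure:containerservice:KubernetesCluster
        name: example
        properties:
          name: aksexamplewithprivatednszone1
          location: ${example.location}
          resourceGroupName: ${example.name}
          dnsPrefix: aksexamplednsprefix1
          privateClusterEnabled: true
          privateDnsZoneId: ${exampleZone.id}
        options:
          # The cluster references no output of the role assignment, so no ordering is
          # inferred between them. Declare it explicitly so the role is granted before
          # the cluster is created and revoked only after it is destroyed.
          dependsOn:
            - ${exampleAssignment}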
    
    privateDnsZoneId string
    Either the ID of Private DNS Zone which should be delegated to this Cluster, System to have AKS manage this or None. In case of None you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
    privateFqdn string
    The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
    publicNetworkAccessEnabled boolean

    Whether public network access is allowed for this Kubernetes Cluster. Defaults to true.

    !> Note: public_network_access_enabled is currently not functional and is not passed to the Azure API. For further information please see this issue. For controlling the public and private exposure of a cluster please see the properties private_cluster_enabled and api_server_access_profile.

    Deprecated: public_network_access_enabled is currently not functional and is not passed to the API

    resourceGroupName string
    Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    roleBasedAccessControlEnabled boolean
    Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to true. Changing this forces a new resource to be created.
    runCommandEnabled boolean
    Whether to enable run command for the cluster or not. Defaults to true.
    serviceMeshProfile KubernetesClusterServiceMeshProfile

    A service_mesh_profile block as defined below.

    Note: This requires that the Preview Feature Microsoft.ContainerService/AzureServiceMeshPreview is enabled and the Resource Provider is re-registered, see the documentation for more information.

    servicePrincipal KubernetesClusterServicePrincipal

    A service_principal block as documented below. One of either identity or service_principal must be specified.

    Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    skuTier string

    The SKU Tier that should be used for this Kubernetes Cluster. Possible values are Free, Standard (which includes the Uptime SLA) and Premium. Defaults to Free.

    Note: Whilst the AKS API previously supported the Paid SKU - the AKS API introduced a breaking change in API Version 2023-02-01 (used in v3.51.0 and later) where the value Paid must now be set to Standard.

    storageProfile KubernetesClusterStorageProfile
    A storage_profile block as defined below.
    supportPlan string
    Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are KubernetesOfficial and AKSLongTermSupport. Defaults to KubernetesOfficial.
    tags {[key: string]: string}
    A mapping of tags to assign to the resource.
    webAppRouting KubernetesClusterWebAppRouting
    A web_app_routing block as defined below.
    windowsProfile KubernetesClusterWindowsProfile
    A windows_profile block as defined below.
    workloadAutoscalerProfile KubernetesClusterWorkloadAutoscalerProfile
    A workload_autoscaler_profile block defined below.
    workloadIdentityEnabled boolean

    Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to false.

    Note: To enable Azure AD Workload Identity oidc_issuer_enabled must be set to true.

    Note: Enabling this option will allocate Workload Identity resources to the kube-system namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to the documentation on Azure AD Workload Identity. The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.

    aci_connector_linux KubernetesClusterAciConnectorLinuxArgs
    An aci_connector_linux block as defined below. For more details, please visit Create and configure an AKS cluster to use virtual nodes.
    api_server_access_profile KubernetesClusterApiServerAccessProfileArgs
    An api_server_access_profile block as defined below.
    api_server_authorized_ip_ranges Sequence[str]

    Deprecated: This property has been renamed to authorized_ip_ranges within the api_server_access_profile block and will be removed in v4.0 of the provider

    auto_scaler_profile KubernetesClusterAutoScalerProfileArgs
    An auto_scaler_profile block as defined below.
    automatic_channel_upgrade str

    The upgrade channel for this Kubernetes Cluster. Possible values are patch, rapid, node-image and stable. Omitting this field sets this value to none.

    Note: Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please see the Azure documentation for more information.

    Note: Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.

    azure_active_directory_role_based_access_control KubernetesClusterAzureActiveDirectoryRoleBasedAccessControlArgs
    An azure_active_directory_role_based_access_control block as defined below.
    azure_policy_enabled bool
    Should the Azure Policy Add-On be enabled? For more details please visit Understand Azure Policy for Azure Kubernetes Service
    confidential_computing KubernetesClusterConfidentialComputingArgs
    A confidential_computing block as defined below. For more details please see the documentation.
    current_kubernetes_version str
    The current version running on the Azure Kubernetes Managed Cluster.
    custom_ca_trust_certificates_base64s Sequence[str]

    A list of up to 10 base64 encoded CAs that will be added to the trust store on nodes with the custom_ca_trust_enabled feature enabled.

    Note: Removing custom_ca_trust_certificates_base64 after it has been set forces a new resource to be created.

    default_node_pool KubernetesClusterDefaultNodePoolArgs
    A default_node_pool block as defined below.
    disk_encryption_set_id str
    The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information can be found in the documentation. Changing this forces a new resource to be created.
    dns_prefix str
    DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
    dns_prefix_private_cluster str

    Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.

    Note: You must define either a dns_prefix or a dns_prefix_private_cluster field.

    In addition, one of either identity or service_principal blocks must be specified.

    edge_zone str
    Specifies the Edge Zone within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
    enable_pod_security_policy bool

    Deprecated: The AKS API removed support for this field on 2020-10-15 and it is no longer possible to configure the Pod Security Policy.

    fqdn str
    The FQDN of the Azure Kubernetes Managed Cluster.
    http_application_routing_enabled bool

    Should HTTP Application Routing be enabled?

    Note: At this time HTTP Application Routing is not supported in Azure China or Azure US Government.

    http_application_routing_zone_name str
    The Zone Name of the HTTP Application Routing.
    http_proxy_config KubernetesClusterHttpProxyConfigArgs
    A http_proxy_config block as defined below.
    identity KubernetesClusterIdentityArgs

    An identity block as defined below. One of either identity or service_principal must be specified.

    Note: A migration scenario from service_principal to identity is supported. When upgrading service_principal to identity, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured service_principal until you upgrade your Node Pool.

    image_cleaner_enabled bool
    Specifies whether Image Cleaner is enabled.
    image_cleaner_interval_hours int
    Specifies the interval in hours when images should be cleaned up. Defaults to 48.
    ingress_application_gateway KubernetesClusterIngressApplicationGatewayArgs

    An ingress_application_gateway block as defined below.

    Note: Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the Microsoft.Network/virtualNetworks/subnets/join/action permission on the Virtual Network or Subnet. For more details, please visit Virtual Network Permission.

    key_management_service KubernetesClusterKeyManagementServiceArgs
    A key_management_service block as defined below. For more details, please visit Key Management Service (KMS) etcd encryption to an AKS cluster.
    key_vault_secrets_provider KubernetesClusterKeyVaultSecretsProviderArgs
    A key_vault_secrets_provider block as defined below. For more details, please visit Azure Keyvault Secrets Provider for AKS.
    kube_admin_config_raw str
    Raw Kubernetes config for the admin account to be used by kubectl and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts are enabled. Because this value carries the admin account's credentials, handle it as a secret.
    kube_admin_configs Sequence[KubernetesClusterKubeAdminConfigArgs]
    A kube_admin_config block as defined below. This is only available when Role Based Access Control with Azure Active Directory i