Terraform ARM v3 k8s core

Terraform · Backend: azurerm · Providers: kubernetes, helm, kubectl, template · License: MIT

terraform-arm-k8s-core is a Terraform module that deploys core Kubernetes platform services on an existing Kubernetes cluster (AKS or bare metal) using Helm and Kubernetes manifests.

It integrates with Azure Storage remote state to read cluster/network inputs (DNS, public IP, cluster metadata) and then installs and configures a set of operational components such as:

  • cert-manager (with optional Let’s Encrypt issuer/certificates)
  • ingress-nginx
  • kube-prometheus-stack (Prometheus + Grafana, etc.)
  • Loki stack
  • HashiCorp Vault (with automated init/unseal + optional scheduled re-unseal)
  • Velero backup
  • StorageClass provisioning helper (Azure disk/file)

The repository also includes helper shell scripts to initialize Terraform backend, plan/apply, and export Terraform outputs as environment variables.

Diagrams

High-level deployment workflow

flowchart TD
  A[terraform apply] --> RS1[remote state: core_ip_dns]
  A --> RS2[remote state: core_infra]

  A --> M1[module deploy-storageclass]
  M1 --> SC[create-storageclass: StorageClass resources]

  A --> M2[module create-prometheus-stack]
  M2 --> PROM[create-prometheus-stack: kube-prometheus-stack Helm release]

  A --> M3[module deploy-pvc-prometheus-stack]
  M3 --> PVCG[persistence-claim-prometheus-stack: Grafana PVC]

  A --> M4[module loki]
  M4 --> LOKI[create-loki: Loki stack Helm release]

  A --> M5[module deploy-pvc-loki-stack]
  M5 --> PVCL[persistence-claim-loki-stack: Loki PVC]

  A --> M6[module create-ingress-nginx]
  M6 --> NGINX[create-ingress-nginx: ingress-nginx Helm release]

  A --> M7[module cert-manager]
  M7 --> CM[create-cert-manager: cert-manager + issuer + certificate]

  A --> M8[module create_vault]
  M8 --> VAULT[create_vault: Vault Helm release + init/unseal jobs]

  A --> M9[module deploy_velero]
  M9 --> VELERO[create_velero: Velero Helm release]

  A --> OUT[output rendered: summary.tpl.md]

Features

  • Deploys Kubernetes “core services” via Terraform + Helm
  • Supports multiple optional components toggled by Terraform booleans
  • Supports both “bare metal” and “Azure” (AKS) modes for some charts/templates
  • TLS options:
    • let_s_encrypt: installs cert-manager and creates ClusterIssuer/Certificate resources
    • custom: creates a Kubernetes TLS secret from cert/key content supplied as Terraform variables (the private key is therefore also written to the Terraform state, so the state backend must be protected as carefully as the key itself)
    • none: no cert/issuer creation
  • Generates a human-readable summary (summary.tpl.md) via Terraform template_file
  • Vault automation:
    • init + unseal job that stores the unseal keys and the initial root token in a Kubernetes Secret (a Secret is only base64-encoded and is not encrypted unless etcd encryption at rest is enabled; anyone who can read Secrets in that namespace can unseal Vault and act as root, so restrict that RBAC and revoke the initial root token once another auth method is configured)
    • optional CronJob to re-unseal after scheduled cluster restarts (this requires the unseal keys to stay available inside the cluster)
    • optional “enable auth” job (script-based)
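
Because the init/unseal job above leaves the unseal keys and root token in a Kubernetes Secret, the first question a reviewer asks is who can read Secrets in that namespace. The following is an added example, not code from this repository: an offline evaluation of exported RBAC objects (the shape `kubectl get roles,rolebindings,clusterroles,clusterrolebindings -A -o json` returns) that resolves Role/ClusterRole rules through RoleBindings and ClusterRoleBindings. The namespace `vault`, the Secret name `vault-unseal-keys` and every object in `SAMPLE_RBAC` are constructed for the example; the module does not publish these names.

```python
"""Who can read Secrets in the Vault namespace? (added example, constructed data)"""

READ_VERBS = {"get", "list", "watch"}


def rule_grants_secret_read(rule, secret_name=None):
    """True if one PolicyRule lets its holder read Secrets (optionally a named one)."""
    api_groups = rule.get("apiGroups", [])
    if "" not in api_groups and "*" not in api_groups:
        return False  # Secrets live in the core ("") API group
    resources = rule.get("resources", [])
    if "secrets" not in resources and "*" not in resources:
        return False
    verbs = set(rule.get("verbs", []))
    if "*" not in verbs and not verbs & READ_VERBS:
        return False
    names = rule.get("resourceNames")
    if names and secret_name is not None and secret_name not in names:
        return False  # rule is pinned to other Secret names
    return True


def index_roles(objects):
    """Map (kind, namespace, name) -> rules; ClusterRoles use namespace ""."""
    roles = {}
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            meta = obj["metadata"]
            roles[(obj["kind"], meta.get("namespace", ""), meta["name"])] = obj.get("rules", [])
    return roles


def subject_id(subject):
    """Render a binding subject as Kind/[namespace/]name."""
    if subject["kind"] == "ServiceAccount":
        return "ServiceAccount/" + subject["namespace"] + "/" + subject["name"]
    return subject["kind"] + "/" + subject["name"]


def who_can_read_secrets(objects, namespace, secret_name=None):
    """Return the set of subjects able to read Secrets in `namespace`."""
    roles = index_roles(objects)
    readers = set()
    for obj in objects:
        if obj["kind"] == "RoleBinding":
            if obj["metadata"].get("namespace") != namespace:
                continue  # bindings in other namespaces grant nothing here
            ref = obj["roleRef"]
            # a RoleBinding may point at a namespaced Role or at a ClusterRole
            role_ns = namespace if ref["kind"] == "Role" else ""
        elif obj["kind"] == "ClusterRoleBinding":
            ref = obj["roleRef"]
            role_ns = ""  # cluster-wide grant covers every namespace
        else:
            continue
        rules = roles.get((ref["kind"], role_ns, ref["name"]), [])
        if any(rule_grants_secret_read(r, secret_name) for r in rules):
            readers.update(subject_id(s) for s in obj.get("subjects", []))
    return readers


def _role(kind, name, rules, namespace=None):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, "rules": rules}


def _binding(kind, name, role_kind, role_name, subjects, namespace=None):
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": role_kind, "name": role_name}, "subjects": subjects}


SAMPLE_RBAC = [  # constructed objects, not exported from a real cluster
    _role("ClusterRole", "cluster-admin", [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]),
    _role("ClusterRole", "secret-reader", [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]),
    _role("Role", "unseal-reader", [{"apiGroups": [""], "resources": ["secrets"],
                                    "resourceNames": ["vault-unseal-keys"], "verbs": ["get"]}], namespace="vault"),
    _role("Role", "config-reader", [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}], namespace="vault"),
    _binding("ClusterRoleBinding", "ops-admins", "ClusterRole", "cluster-admin", [{"kind": "Group", "name": "ops-admins"}]),
    _binding("RoleBinding", "ci-secrets", "ClusterRole", "secret-reader",
             [{"kind": "ServiceAccount", "namespace": "ci", "name": "ci-runner"}], namespace="vault"),
    _binding("RoleBinding", "unseal-cron", "Role", "unseal-reader",
             [{"kind": "ServiceAccount", "namespace": "vault", "name": "vault-unseal"}], namespace="vault"),
    _binding("RoleBinding", "dev-config", "Role", "config-reader", [{"kind": "User", "name": "dev"}], namespace="vault"),
    _binding("RoleBinding", "grafana-secrets", "ClusterRole", "secret-reader",
             [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "grafana"}], namespace="monitoring"),
]

if __name__ == "__main__":
    for who in sorted(who_can_read_secrets(SAMPLE_RBAC, "vault", "vault-unseal-keys")):
        print(who)
```

On the constructed data the answer is the cluster-admin group, the CronJob's own service account, and a CI service account from another namespace that was bound to a generic secret-reader ClusterRole; that last entry is the kind of grant this check is meant to surface. Run it against a real export (`json.load` the kubectl output and pass `items`) and expect aggregated ClusterRoles and `kubectl auth can-i --list` to be the authoritative cross-check.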

Tech Stack

  • Terraform >= 1.13.0
  • Terraform providers:
    • hashicorp/kubernetes 2.38.0
    • hashicorp/helm 2.17.0
    • alekc/kubectl 2.1.3
    • hashicorp/template 2.2.0 (archived upstream; Terraform’s built-in templatefile() function is the supported replacement)
  • Azure backend: Terraform azurerm backend (remote state in Azure Storage)
  • Shell tooling (helper scripts): bash / sh
  • External CLIs used by scripts:
    • terraform
    • az (Azure CLI)

Project Structure

Root module

  • main.tf: reads remote state (core_ip_dns, core_infra) and renders the summary template
  • modules.*.tf: wires submodules for each component (cert-manager, nginx, loki, prometheus, vault, velero, storageclass)
  • providers.tf: provider versions + provider configuration (uses ~/.kube/config)
  • variables.*.tf: input variables grouped by component
  • outputs.tf: outputs rendered summary content
  • summary.tpl.md: Markdown template rendered with values from remote states and module variables
  • terraform.tfvars, terraform.auto.tfvars: example/default variable values

Submodules

  • create-cert-manager/: Helm release + ClusterIssuer/Certificate manifests + optional TLS secret
  • create-ingress-nginx/: ingress-nginx Helm chart with Azure/bare-metal values
  • create-prometheus-stack/: kube-prometheus-stack Helm chart
  • persistence-claim-prometheus-stack/: PVC deployment for Grafana storage
  • create-loki/: Loki stack Helm chart + optional bare-metal PV/PVC concepts
  • persistence-claim-loki-stack/: PVC deployment for Loki stack
  • create_vault/: Vault Helm chart + RBAC + init/unseal jobs + optional cron unseal + enable auth job
  • create_velero/: Velero Helm chart configuration for Azure
  • create-storageclass/: StorageClass provisioning helper (Azure disk/file provisioners)

Helper scripts

  • _run-terraform.sh: convenience wrapper (init + plan; apply is commented)
  • _run-init.sh: initializes Terraform backend (Azure Storage) and exports access key
  • _run-plan.sh: runs terraform plan -out=tfplan -var-file=...
  • _run-apply.sh: runs terraform apply tfplan
  • _export_tfvars.sh: exports Terraform outputs as TF_VAR_* environment variables

Installation

Prerequisites

  • Terraform >= 1.13.0
  • Azure CLI (az) authenticated with rights to read the Terraform backend storage account keys
  • Access to the target Kubernetes cluster via ~/.kube/config (this repo’s providers use config_path = "~/.kube/config")

Terraform initialization

This repository is configured to use the azurerm backend (see providers.tf).

The helper script _run-init.sh expects a “state key” argument, reads the storage account access key with az and exports it for the backend, and uses fixed backend names:

  • Resource group: cosmotechstates
  • Storage account: cosmotechstates
  • Container: cosmotechstates

If your backend differs, update _run-init.sh accordingly. Note that a storage account access key grants full read/write access to every state file in that account, and the state holds any sensitive values passed to the module, so limit who may list that key, or switch the backend to Azure AD authentication (use_azuread_auth = true together with the Storage Blob Data Contributor role) so that no shared key is needed at all.

Usage

Typical workflow (plan/apply)

  1. Create or edit your variable file (terraform.tfvars or another *.tfvars).
  2. Initialize the backend.
  3. Plan and apply.

This repo provides scripts that encode that flow:

./_run-init.sh <state_key>
./_run-plan.sh <var-file>
./_run-apply.sh

Or run _run-terraform.sh, which chains the init and plan steps and stops if either fails; the apply step in that script is commented out, so after reviewing the plan run ./_run-apply.sh (or uncomment the apply line) to apply the saved tfplan.

./_run-terraform.sh

Rendering the deployment summary

The root module renders summary.tpl.md through data.template_file.example and exposes it via:

  • output "rendered" in outputs.tf

License

See LICENSE.

Made with ❤️ by Cosmo Tech DevOps team
