updated examples

Author: joseEnrique

BASTION_ACCESS.md

@@ -9,32 +9,9 @@ This guide shows how to connect to a private AKS cluster using Azure Bastion, ei
 - Azure CLI installed locally
 - Your SSH private key corresponding to jumpbox_ssh_public_key
 
-## Option A: Run kubectl from the Jumpbox
 
-1. Open an SSH session to the jumpbox via Bastion (Native client):
-```bash
-export RG="<RESOURCE_GROUP>"
-export BASTION="<BASTION_NAME>"
-export VM="<JUMPBOX_NAME>"
-export SSH_KEY="$HOME/.ssh/id_rsa"
-
-VM_ID=$(az vm show -g "$RG" -n "$VM" --query id -o tsv)
-az network bastion ssh \
-  --name "$BASTION" \
-  --resource-group "$RG" \
-  --target-resource-id "$VM_ID" \
-  --auth-type ssh-key --username <ADMIN_USERNAME> --ssh-key $SSH_KEY
-```
-
-2. Inside the VM, authenticate and fetch kubeconfig:
-```bash
-az login --use-device-code
-az account set --subscription "<SUBSCRIPTION_ID>"
-az aks get-credentials -g "<RESOURCE_GROUP>" -n "<AKS_NAME>" --overwrite-existing
-kubectl get nodes -o wide
-```
 
-## Option B: Run kubectl from your local machine (Bastion tunneling)
+## Run kubectl from your local machine (Bastion tunneling)
 
 1. Start SSH tunnel to the VM via Bastion:
 ```bash

README.md

@@ -46,6 +46,28 @@ module "quix_aks" {
 }
 ```
 
+### Private DNS Zone for Private Clusters
+
+When deploying a private AKS cluster, you can control how the Private DNS Zone is managed using the `private_dns_zone_id` variable:
+
+```hcl
+module "quix_aks" {
+  # ...
+  private_cluster_enabled = true
+  
+  # Option 1: Let AKS manage the Private DNS Zone automatically (default)
+  private_dns_zone_id = "System"
+  
+  # Option 2: Disable Private DNS Zone management (manual DNS configuration required)
+  # private_dns_zone_id = "None"
+  
+  # Option 3: Use an existing Private DNS Zone (BYO)
+  # private_dns_zone_id = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/privateDnsZones/privatelink.<region>.azmk8s.io"
+}
+```
+
+**Note:** When using an existing Private DNS Zone (Option 3), the module automatically assigns the `Private DNS Zone Contributor` role to the AKS cluster identity.
+
 ## Tiered Storage module (tiered-storage)
 
 Module documentation (inputs/outputs/resources):
@@ -115,7 +137,7 @@ module "quix_aks" {
   nodes_subnet_name  = "Subnet-Nodes"
   nodes_subnet_cidr  = "10.240.0.0/22"
 
-  nat_identity_name = "my-nat-id"
+  identity_name = "my-nat-id"
   public_ip_name    = "my-nat-ip"
   nat_gateway_name  = "my-nat"
   availability_zone = "1"

examples/private-quix-infr-external-vnet/main.tf

@@ -79,16 +79,10 @@ module "aks" {
   sku_tier                = "Standard"
   private_cluster_enabled = true
 
-  vnet_name          = "vnet-quix-private"
-  vnet_address_space = ["10.240.0.0/16"]
-  nodes_subnet_name  = "Subnet-Nodes"
-  nodes_subnet_cidr  = "10.240.0.0/22"
+  vnet_name          = azurerm_virtual_network.ext.name
+  nodes_subnet_name  = azurerm_subnet.nodes_ext.name
 
-  # Reuse external VNet/Subnets
-  vnet_id         = azurerm_virtual_network.ext.id
-  nodes_subnet_id = azurerm_subnet.nodes_ext.id
-
-  nat_identity_name = "quix-private-nat-id"
+  identity_name     = "quix-private-nat-id"
   public_ip_name    = "quix-private-nat-ip"
   nat_gateway_name  = "quix-private-nat"
   availability_zone = "2"
@@ -117,8 +111,6 @@ module "aks" {
   create_bastion_subnet = false
   enable_bastion        = true
   bastion_name          = "quix-bastion"
-  # Reuse external Bastion subnet & IP
-  bastion_subnet_id = azurerm_subnet.bastion_ext.id
 
   jumpbox_name           = "quix-jumpbox"
   jumpbox_vm_size        = "Standard_B2s"

examples/private-quix-infr/main.tf

@@ -20,25 +20,60 @@ resource "azurerm_resource_group" "this" {
 module "aks" {
   source = "../../modules/quix-aks"
 
+  # Core + RG
   name                    = "quix-aks-private"
   location                = "westeurope"
   resource_group_name     = "rg-quix-private"
   create_resource_group   = false
   kubernetes_version      = "1.32.4"
   sku_tier                = "Standard"
   private_cluster_enabled = true
-
+  # Use existing Private DNS Zone for the AKS private API server:
+  #   - "System" lets AKS manage it automatically (default)
+  #   - "None" disables creation/association (you must manage DNS yourself)
+  #   - "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/privateDnsZones/privatelink.westeurope.azmk8s.io"
+  #     to reuse an existing zone
+  private_dns_zone_id = "System"
+
+  # Networking (VNet/Subnet)
   vnet_name          = "vnet-quix-private"
   vnet_address_space = ["10.240.0.0/16"]
   nodes_subnet_name  = "Subnet-Nodes"
   nodes_subnet_cidr  = "10.240.0.0/22"
 
-  nat_identity_name = "quix-private-nat-id"
+  # Network profile
+  network_profile = {
+    network_plugin_mode = "overlay"
+    service_cidr        = "172.22.0.0/16"
+    dns_service_ip      = "172.22.0.10"
+    pod_cidr            = "10.144.0.0/16"
+  }
+
+  # NAT (names reserved even if not used with userDefinedRouting)
+  identity_name     = "quix-private-nat-id"
   public_ip_name    = "quix-private-nat-ip"
   nat_gateway_name  = "quix-private-nat"
   availability_zone = "2"
 
-  enable_credentials_fetch = true
+  # Bastion
+  create_bastion_subnet  = true
+  enable_bastion         = true
+  bastion_subnet_cidr    = "10.240.5.0/27"
+  bastion_name           = "quix-bastion"
+  bastion_public_ip_name = "quix-bastion-ip"
+
+  # Jumpbox
+  jumpbox_name           = "quix-jumpbox"
+  jumpbox_vm_size        = "Standard_B2s"
+  jumpbox_admin_username = "azureuser"
+  jumpbox_ssh_public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3Zz+tHUEI7ulzE69GxtLwi9DOvROBG4aI7h3za2FAP6Ya9/GhG2zcBiKOzk3SlKavE3/5NomgGifTC/ica6rTPlpb4U5oky/2phs9AtczVVI2G+yNC43hJzVhWbqKT3qAGGCGEm2+Cpxx7spKEbZAfAcq5GxL3k9kTcpaQEv3hpVvqK3zlCziHyahUv1pxQGuX3b2hqi4idgFX3m0FaqU98DtQu/I9x95jXHrb7Wltp3sbTSKCDxGo3nk4plpzILs/OqTMSPpfxwarCXA1ZtU82hyWO4Szn2U4I+MbuNaO/dso1oNlprqJQgsQ8t+hawCdIHeZ00M/QELdnYldBjo1jM19AT1OwMcB7PP7GRTNv7YsDW10YCvX9XRPab66PIKpe5R4IG/n6TzEwUP2pb4hRJWvnPJzrHK5HEJg7G7baCEyjCtaWkL4M7dBxIGJ3sp9IfjdeztV2Llh+hYmwPefTejprER+Q/qHZTNr1wEW4BV0TQQd+jeqdIL4QkIno3IyM3IBX+uPM/WlSpi2sT+hDqiUcCRu/x21O/bVYz/UbeHIqptRDfGc5rVoAN/zc/kGsGeGuP3auyI6aQxlnU0wMDdyS8rf3SpWagOB2UFNxZSuU2gnYdtz2uWG4vF75Sqr04MFJImHIY4N7gHJrvdarg6YBaDDnmdREcqp3ooAw=="
+
+  # Features
+  oidc_issuer_enabled       = true
+  workload_identity_enabled = true
+  enable_credentials_fetch  = true
+
+  # Node pools
   node_pools = {
     default = {
       name       = "default"
@@ -56,32 +91,13 @@ module "aks" {
     }
   }
 
-  network_profile = {
-    network_plugin_mode = "overlay"
-    service_cidr        = "172.22.0.0/16"
-    dns_service_ip      = "172.22.0.10"
-    pod_cidr            = "10.144.0.0/16"
-  }
-
-  enable_bastion         = true
-  bastion_subnet_cidr    = "10.240.5.0/27"
-  bastion_name           = "quix-bastion"
-  bastion_public_ip_name = "quix-bastion-ip"
-
-  jumpbox_name           = "quix-jumpbox"
-  jumpbox_vm_size        = "Standard_B2s"
-  jumpbox_admin_username = "azureuser"
-  jumpbox_ssh_public_key = "ssh-rsa ......"
-
-  oidc_issuer_enabled       = true
-  workload_identity_enabled = true
-
-
+  # Tags
   tags = {
     environment = "demo"
     project     = "Quix"
   }
 
+  # Dependencies
   depends_on = [azurerm_resource_group.this]
 }
 

examples/public-quix-infr-tiered-storage/main.tf

@@ -27,7 +27,7 @@ module "aks" {
   nodes_subnet_name  = "Subnet-Nodes"
   nodes_subnet_cidr  = "10.240.0.0/22"
 
-  nat_identity_name = "quix-public-nat-id"
+  identity_name     = "quix-public-nat-id"
   public_ip_name    = "quix-public-nat-ip"
   nat_gateway_name  = "quix-public-nat"
   availability_zone = "1"

examples/public-quix-infr/main.tf

@@ -27,7 +27,7 @@ module "aks" {
   nodes_subnet_name  = "Subnet-Nodes"
   nodes_subnet_cidr  = "10.240.0.0/22"
 
-  nat_identity_name = "quix-public-nat-id"
+  identity_name     = "quix-public-nat-id"
   public_ip_name    = "quix-public-nat-ip"
   nat_gateway_name  = "quix-public-nat"
   availability_zone = "1"