Merged
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -337,7 +337,7 @@ No modules.
| <a name="input_identity_type"></a> [identity\_type](#input\_identity\_type) | (Optional) The type of identity used for the managed cluster. Conflicts with `client_id` and `client_secret`. Possible values are `SystemAssigned` and `UserAssigned`. If `UserAssigned` is set, an `identity_ids` must be set as well. | `string` | `"SystemAssigned"` | no |
| <a name="input_image_cleaner_enabled"></a> [image\_cleaner\_enabled](#input\_image\_cleaner\_enabled) | (Optional) Specifies whether Image Cleaner is enabled. | `bool` | `false` | no |
| <a name="input_image_cleaner_interval_hours"></a> [image\_cleaner\_interval\_hours](#input\_image\_cleaner\_interval\_hours) | (Optional) Specifies the interval in hours when images should be cleaned up. Defaults to `48`. | `number` | `48` | no |
| <a name="input_interval_before_cluster_update"></a> [interval\_before\_cluster\_update](#input\_interval\_before\_cluster\_update) | interval before cluster kubernetes version update, defaults to `30s`. | `string` | `"30s"` | no |
| <a name="input_interval_before_cluster_update"></a> [interval\_before\_cluster\_update](#input\_interval\_before\_cluster\_update) | Interval before cluster kubernetes version update, defaults to `30s`. Set this variable to `null` would disable interval before cluster kubernetes version update. | `string` | `"30s"` | no |
| <a name="input_key_vault_secrets_provider_enabled"></a> [key\_vault\_secrets\_provider\_enabled](#input\_key\_vault\_secrets\_provider\_enabled) | (Optional) Whether to use the Azure Key Vault Provider for Secrets Store CSI Driver in an AKS cluster. For more details: https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver | `bool` | `false` | no |
| <a name="input_kms_enabled"></a> [kms\_enabled](#input\_kms\_enabled) | (Optional) Enable Azure KeyVault Key Management Service. | `bool` | `false` | no |
| <a name="input_kms_key_vault_key_id"></a> [kms\_key\_vault\_key\_id](#input\_kms\_key\_vault\_key\_id) | (Optional) Identifier of Azure Key Vault key. When Azure Key Vault key management service is enabled, this field is required and must be a valid key identifier. | `string` | `null` | no |
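Review bot: the replaced `interval_before_cluster_update` row in this hunk reads awkwardly: "Set this variable to `null` would disable interval before cluster kubernetes version update." Suggest "Setting this variable to `null` disables the wait before a cluster Kubernetes version update." This table looks generated (terraform-docs anchors), so the wording fix belongs in the variable's `description` in variables.tf, otherwise the next regeneration reverts it.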
Expand Down Expand Up @@ -407,6 +407,7 @@ No modules.
| <a name="input_os_sku"></a> [os\_sku](#input\_os\_sku) | (Optional) Specifies the OS SKU used by the agent pool. Possible values include: `Ubuntu`, `CBLMariner`, `Mariner`, `Windows2019`, `Windows2022`. If not specified, the default is `Ubuntu` if OSType=Linux or `Windows2019` if OSType=Windows. And the default Windows OSSKU will be changed to `Windows2022` after Windows2019 is deprecated. Changing this forces a new resource to be created. | `string` | `null` | no |
| <a name="input_pod_subnet"></a> [pod\_subnet](#input\_pod\_subnet) | object({<br/> id = The ID of the Subnet where the pods in the default Node Pool should exist. Changing this forces a new resource to be created.<br/>}) | <pre>object({<br/> id = string<br/> })</pre> | `null` | no |
| <a name="input_prefix"></a> [prefix](#input\_prefix) | (Optional) The prefix for the resources created in the specified Azure Resource Group. Omitting this variable requires both `var.cluster_log_analytics_workspace_name` and `var.cluster_name` have been set. Only one of `var.prefix,var.dns_prefix_private_cluster` can be specified. | `string` | `""` | no |
| <a name="input_private_cluster_enabled"></a> [private\_cluster\_enabled](#input\_private\_cluster\_enabled) | If true cluster API server will be exposed only on internal IP address and available only in cluster vnet. | `bool` | `false` | no |
| <a name="input_private_cluster_public_fqdn_enabled"></a> [private\_cluster\_public\_fqdn\_enabled](#input\_private\_cluster\_public\_fqdn\_enabled) | (Optional) Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to `false`. | `bool` | `false` | no |
| <a name="input_private_dns_zone_id"></a> [private\_dns\_zone\_id](#input\_private\_dns\_zone\_id) | (Optional) Either the ID of Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this or `None`. In case of `None` you will need to bring your own DNS server and set up resolving, otherwise cluster will have issues after provisioning. Changing this forces a new resource to be created. | `string` | `null` | no |
| <a name="input_public_ssh_key"></a> [public\_ssh\_key](#input\_public\_ssh\_key) | A custom ssh key to control access to the AKS cluster. Changing this forces a new resource to be created. | `string` | `""` | no |
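Review bot: the new `private_cluster_enabled` row is inconsistent with its neighbours: the sibling rows open with "(Optional)" and say whether changing the value forces a new resource (as the `private_dns_zone_id` row does), and the sentence is missing articles. Suggest "(Optional) If true, the cluster API server is exposed only on an internal IP address and is reachable only from the cluster virtual network." plus the replacement note if it applies, since flipping this on a live cluster is exactly the case a reader needs warned about. As with the rest of this table, make the change in variables.tf so regeneration keeps it.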
1 change: 1 addition & 0 deletions examples/application_gateway_ingress/main.tf
Expand Up @@ -181,6 +181,7 @@ module "aks" {
network_plugin = "azure"
network_policy = "azure"
os_disk_size_gb = 60
private_cluster_enabled = false
role_based_access_control_enabled = true
rbac_aad = true
sku_tier = "Standard"
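Review bot: `private_cluster_enabled = false` here equals the variable's default, so the line documents intent rather than changing behaviour. That is fine, but a one-line comment saying why this example keeps a public API server (the other examples in this PR switch to private) would stop it being copied as-is into a production deployment.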
13 changes: 7 additions & 6 deletions examples/multiple_node_pools/main.tf
Expand Up @@ -53,12 +53,13 @@ locals {
module "aks" {
source = "../.."

prefix = "prefix-${random_id.prefix.hex}"
resource_group_name = local.resource_group.name
location = local.resource_group.location
os_disk_size_gb = 60
rbac_aad = true
sku_tier = "Standard"
prefix = "prefix-${random_id.prefix.hex}"
resource_group_name = local.resource_group.name
location = local.resource_group.location
os_disk_size_gb = 60
rbac_aad = true
sku_tier = "Standard"
private_cluster_enabled = false
vnet_subnet = {
id = azurerm_subnet.default_node_pool_subnet.id
}
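Review bot: six of the seven added lines in this hunk are whitespace-only realignment from `terraform fmt` after the longer `private_cluster_enabled` key; the only behavioural change is `private_cluster_enabled = false`. Worth stating in the commit message so readers of the history do not hunt for a value change in the reflowed lines.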
1 change: 1 addition & 0 deletions examples/named_cluster/main.tf
Expand Up @@ -89,6 +89,7 @@ module "aks_cluster_name" {
not_allowed = []
}
net_profile_pod_cidr = "10.1.0.0/16"
private_cluster_enabled = true
rbac_aad = true
role_based_access_control_enabled = true

1 change: 1 addition & 0 deletions examples/startup/main.tf
Expand Up @@ -104,6 +104,7 @@ module "aks" {
network_policy = "azure"
node_os_channel_upgrade = "NodeImage"
os_disk_size_gb = 60
private_cluster_enabled = true
rbac_aad = true
role_based_access_control_enabled = true
sku_tier = "Standard"
1 change: 1 addition & 0 deletions examples/without_monitor/main.tf
Expand Up @@ -47,6 +47,7 @@ module "aks_without_monitor" {
#checkov:skip=CKV_AZURE_4:The logging is turn off for demo purpose. DO NOT DO THIS IN PRODUCTION ENVIRONMENT!
log_analytics_workspace_enabled = false
net_profile_pod_cidr = "10.1.0.0/16"
private_cluster_enabled = true
role_based_access_control_enabled = true
web_app_routing = {
dns_zone_ids = [azurerm_dns_zone.aks_web_app_routing.id]
5 changes: 5 additions & 0 deletions main.tf
Expand Up @@ -26,6 +26,7 @@ resource "azurerm_kubernetes_cluster" "main" {
node_resource_group = var.node_resource_group
oidc_issuer_enabled = var.oidc_issuer_enabled
open_service_mesh_enabled = var.open_service_mesh_enabled
private_cluster_enabled = var.private_cluster_enabled
private_cluster_public_fqdn_enabled = var.private_cluster_public_fqdn_enabled
private_dns_zone_id = var.private_dns_zone_id
role_based_access_control_enabled = var.role_based_access_control_enabled
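Review bot: wiring `private_cluster_enabled = var.private_cluster_enabled` with a `false` default keeps existing callers on a public API server, so this is backward compatible, but it is the security-relevant knob that takes the Kubernetes control plane off the public internet. Suggest the CHANGELOG entry states that the default stays `false` and points users at the new variable, so teams that want a private API server know they must opt in.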
Expand Down Expand Up @@ -648,6 +649,10 @@ resource "azurerm_kubernetes_cluster" "main" {
condition = var.prefix == null || var.dns_prefix_private_cluster == null
error_message = "Only one of `var.prefix,var.dns_prefix_private_cluster` can be specified."
}
precondition {
condition = var.dns_prefix_private_cluster == null || var.private_cluster_enabled
error_message = "When `dns_prefix_private_cluster` is set, `private_cluster_enabled` must be set to `true`."
}
precondition {
condition = var.dns_prefix_private_cluster == null || var.identity_type == "UserAssigned" || var.client_id != ""
error_message = "A user assigned identity or a service principal must be used when using a custom private dns zone"
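Review bot: the new precondition (`var.dns_prefix_private_cluster == null || var.private_cluster_enabled`) is correct, but the same plan-time guard is missing for the two private-cluster arguments wired in the first hunk: `private_cluster_public_fqdn_enabled = true` and a non-null `private_dns_zone_id` only make sense when `private_cluster_enabled` is `true`, and without a precondition a misconfiguration surfaces, if at all, at apply time. Suggest sibling preconditions such as `condition = !var.private_cluster_public_fqdn_enabled || var.private_cluster_enabled` with matching error messages.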
1 change: 1 addition & 0 deletions test/e2e/terraform_aks_test.go
Expand Up @@ -35,6 +35,7 @@ func TestExamplesStartup(t *testing.T) {
assert.True(t, ok)
assert.Regexp(t, regexp.MustCompile("/subscriptions/.+/resourceGroups/.+/providers/Microsoft.ContainerService/managedClusters/.+"), aksId)
assertOutputNotEmpty(t, output, "test_cluster_portal_fqdn")
assertOutputNotEmpty(t, output, "test_cluster_private_fqdn")
})
}
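Review bot: `assertOutputNotEmpty(t, output, "test_cluster_private_fqdn")` only holds because `examples/startup/main.tf` is switched to `private_cluster_enabled = true` in this same PR; a cluster with a public endpoint has no private FQDN. Add a short comment next to the assertion naming that dependency, so that someone later reverting the example to a public cluster gets a clear failure rather than a puzzling empty-output error.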

6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -1372,6 +1372,12 @@ variable "prefix" {
description = "(Optional) The prefix for the resources created in the specified Azure Resource Group. Omitting this variable requires both `var.cluster_log_analytics_workspace_name` and `var.cluster_name` have been set. Only one of `var.prefix,var.dns_prefix_private_cluster` can be specified."
}

variable "private_cluster_enabled" {
type = bool
default = false
description = "If true cluster API server will be exposed only on internal IP address and available only in cluster vnet."
}

variable "private_cluster_public_fqdn_enabled" {
type = bool
default = false
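Review bot: the `description` of the new `private_cluster_enabled` variable should follow the module's convention ("(Optional) ..." and a statement of the default and of whether changing it forces a new resource, as `private_dns_zone_id` documents); the current sentence is missing articles and leaves `vnet` unexplained. Suggest: `description = "(Optional) Should the Kubernetes API server be exposed only on a private IP address inside the cluster's virtual network? Defaults to `false`."` plus the replacement note if it applies. Because this variable decides whether the control plane has a public endpoint, also mention that `private_cluster_public_fqdn_enabled` and `private_dns_zone_id` only apply when it is `true`.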