import * as pulumi from "@pulumi/pulumi"; import * as inputs from "../types/input"; import * as outputs from "../types/output"; /** * Manages a Managed Kubernetes Cluster (also known as AKS / Azure Kubernetes Service) * * > **Note:** Due to the fast-moving nature of AKS, we recommend using the latest version of the Azure Provider when using AKS. * * ## Example Usage * * This example provisions a basic Managed Kubernetes Cluster. * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azure from "@pulumi/azure"; * * const example = new azure.core.ResourceGroup("example", { * name: "example-resources", * location: "West Europe", * }); * const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", { * name: "example-aks1", * location: example.location, * resourceGroupName: example.name, * dnsPrefix: "exampleaks1", * defaultNodePool: { * name: "default", * nodeCount: 1, * vmSize: "Standard_D2_v2", * }, * identity: { * type: "SystemAssigned", * }, * tags: { * Environment: "Production", * }, * }); * export const clientCertificate = exampleKubernetesCluster.kubeConfigs.apply(kubeConfigs => kubeConfigs[0].clientCertificate); * export const kubeConfig = exampleKubernetesCluster.kubeConfigRaw; * ``` * * ## API Providers * * * This resource uses the following Azure API Providers: * * * `Microsoft.ContainerService` - 2025-10-01 * * ## Import * * Managed Kubernetes Clusters can be imported using the `resource id`, e.g. * * ```sh * $ pulumi import azure:containerservice/kubernetesCluster:KubernetesCluster cluster1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/group1/providers/Microsoft.ContainerService/managedClusters/cluster1 * ``` */ export declare class KubernetesCluster extends pulumi.CustomResource { /** * Get an existing KubernetesCluster resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. 
* @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input, state?: KubernetesClusterState, opts?: pulumi.CustomResourceOptions): KubernetesCluster; /** * Returns true if the given object is an instance of KubernetesCluster. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is KubernetesCluster; /** * A `aciConnectorLinux` block as defined below. For more details, please visit [Create and configure an AKS cluster to use virtual nodes](https://docs.microsoft.com/azure/aks/virtual-nodes-portal). */ readonly aciConnectorLinux: pulumi.Output; /** * Specifies whether the AI Toolchain Operator should be enabled for the Cluster. Defaults to `false`. */ readonly aiToolchainOperatorEnabled: pulumi.Output; /** * An `apiServerAccessProfile` block as defined below. */ readonly apiServerAccessProfile: pulumi.Output; /** * A `autoScalerProfile` block as defined below. */ readonly autoScalerProfile: pulumi.Output; /** * The upgrade channel for this Kubernetes Cluster. Possible values are `patch`, `rapid`, `node-image` and `stable`. Omitting this field sets this value to `none`. * * !> **Note:** Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please [see the Azure documentation for more information](https://docs.microsoft.com/azure/aks/upgrade-cluster#set-auto-upgrade-channel). * * > **Note:** Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions. */ readonly automaticUpgradeChannel: pulumi.Output; /** * A `azureActiveDirectoryRoleBasedAccessControl` block as defined below. 
*/ readonly azureActiveDirectoryRoleBasedAccessControl: pulumi.Output; /** * Should the Azure Policy Add-On be enabled? For more details please visit [Understand Azure Policy for Azure Kubernetes Service](https://docs.microsoft.com/en-ie/azure/governance/policy/concepts/rego-for-aks) */ readonly azurePolicyEnabled: pulumi.Output; /** * A `bootstrapProfile` block as defined below. */ readonly bootstrapProfile: pulumi.Output; /** * A `confidentialComputing` block as defined below. For more details please [the documentation](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-overview) */ readonly confidentialComputing: pulumi.Output; /** * Should cost analysis be enabled for this Kubernetes Cluster? Defaults to `false`. The `skuTier` must be set to `Standard` or `Premium` to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. */ readonly costAnalysisEnabled: pulumi.Output; /** * The current version running on the Azure Kubernetes Managed Cluster. */ readonly currentKubernetesVersion: pulumi.Output; /** * A list of up to 10 base64 encoded CA certificates that will be added to the trust store on nodes. */ readonly customCaTrustCertificatesBase64s: pulumi.Output; /** * Specifies configuration for "System" mode node pool. A `defaultNodePool` block as defined below. */ readonly defaultNodePool: pulumi.Output; /** * The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information [can be found in the documentation](https://docs.microsoft.com/azure/aks/azure-disk-customer-managed-keys). Changing this forces a new resource to be created. */ readonly diskEncryptionSetId: pulumi.Output; /** * DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. 
Changing this forces a new resource to be created. */ readonly dnsPrefix: pulumi.Output; /** * Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created. * * > **Note:** You must define either a `dnsPrefix` or a `dnsPrefixPrivateCluster` field. * * In addition, one of either `identity` or `servicePrincipal` blocks must be specified. */ readonly dnsPrefixPrivateCluster: pulumi.Output; /** * Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created. */ readonly edgeZone: pulumi.Output; /** * The FQDN of the Azure Kubernetes Managed Cluster. */ readonly fqdn: pulumi.Output; /** * Should HTTP Application Routing be enabled? * * > **Note:** At this time HTTP Application Routing is not supported in Azure China or Azure US Government. */ readonly httpApplicationRoutingEnabled: pulumi.Output; /** * The Zone Name of the HTTP Application Routing. */ readonly httpApplicationRoutingZoneName: pulumi.Output; /** * A `httpProxyConfig` block as defined below. */ readonly httpProxyConfig: pulumi.Output; /** * An `identity` block as defined below. One of either `identity` or `servicePrincipal` must be specified. * * !> **Note:** A migration scenario from `servicePrincipal` to `identity` is supported. When upgrading `servicePrincipal` to `identity`, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured `servicePrincipal` until you upgrade your Node Pool. */ readonly identity: pulumi.Output; /** * Specifies whether Image Cleaner is enabled. */ readonly imageCleanerEnabled: pulumi.Output; /** * Specifies the interval in hours when images should be cleaned up. */ readonly imageCleanerIntervalHours: pulumi.Output; /** * A `ingressApplicationGateway` block as defined below. 
* * > **Note:** Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the `Microsoft.Network/virtualNetworks/subnets/join/action` permission on the Virtual Network or Subnet. For more details, please visit [Virtual Network Permission](https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#virtual-network-permission). */ readonly ingressApplicationGateway: pulumi.Output; /** * A `keyManagementService` block as defined below. For more details, please visit [Key Management Service (KMS) etcd encryption to an AKS cluster](https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption). */ readonly keyManagementService: pulumi.Output; /** * A `keyVaultSecretsProvider` block as defined below. For more details, please visit [Azure Keyvault Secrets Provider for AKS](https://docs.microsoft.com/azure/aks/csi-secrets-store-driver). */ readonly keyVaultSecretsProvider: pulumi.Output; /** * Raw Kubernetes config for the admin account to be used by [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled. */ readonly kubeAdminConfigRaw: pulumi.Output; /** * A `kubeAdminConfig` block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled. */ readonly kubeAdminConfigs: pulumi.Output; /** * Raw Kubernetes config to be used by [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) and other compatible tools. */ readonly kubeConfigRaw: pulumi.Output; /** * A `kubeConfig` block as defined below. */ readonly kubeConfigs: pulumi.Output; /** * A `kubeletIdentity` block as defined below. */ readonly kubeletIdentity: pulumi.Output; /** * Version of Kubernetes specified when creating the AKS managed cluster. 
If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as `1.22` are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in [the documentation](https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#alias-minor-version). * * > **Note:** Upgrading your cluster may take up to 10 minutes per node. */ readonly kubernetesVersion: pulumi.Output; /** * A `linuxProfile` block as defined below. */ readonly linuxProfile: pulumi.Output; /** * If `true` local accounts will be disabled. See [the documentation](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts) for more information. * * > **Note:** If `localAccountDisabled` is set to `true`, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See [the documentation](https://docs.microsoft.com/azure/aks/managed-aad#azure-ad-authentication-overview) for more information. */ readonly localAccountDisabled: pulumi.Output; /** * The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created. */ readonly location: pulumi.Output; /** * A `maintenanceWindow` block as defined below. */ readonly maintenanceWindow: pulumi.Output; /** * A `maintenanceWindowAutoUpgrade` block as defined below. */ readonly maintenanceWindowAutoUpgrade: pulumi.Output; /** * A `maintenanceWindowNodeOs` block as defined below. */ readonly maintenanceWindowNodeOs: pulumi.Output; /** * A `microsoftDefender` block as defined below. */ readonly microsoftDefender: pulumi.Output; /** * Specifies a Prometheus add-on profile for the Kubernetes Cluster. A `monitorMetrics` block as defined below. 
* * > **Note:** If deploying Managed Prometheus, the `monitorMetrics` properties are required to configure the cluster for metrics collection. If no value is needed, set properties to `null`. */ readonly monitorMetrics: pulumi.Output; /** * The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created. */ readonly name: pulumi.Output; /** * A `networkProfile` block as defined below. Changing this forces a new resource to be created. * * > **Note:** If `networkProfile` is not defined, `kubenet` profile will be used by default. */ readonly networkProfile: pulumi.Output; /** * The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are `Unmanaged`, `SecurityPatch`, `NodeImage` and `None`. Defaults to `NodeImage`. * * > **Note:** `nodeOsUpgradeChannel` must be set to `NodeImage` if `automaticUpgradeChannel` has been set to `node-image` */ readonly nodeOsUpgradeChannel: pulumi.Output; /** * A `nodeProvisioningProfile` block as defined below. */ readonly nodeProvisioningProfile: pulumi.Output; /** * The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created. * * > **Note:** Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail. */ readonly nodeResourceGroup: pulumi.Output; /** * The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster. */ readonly nodeResourceGroupId: pulumi.Output; /** * Whether to enable the [OIDC issuer feature](https://learn.microsoft.com/en-gb/azure/aks/use-oidc-issuer). * * !> **Note:** Once enabled, this feature cannot be disabled, doing so forces a new resource to be created. */ readonly oidcIssuerEnabled: pulumi.Output; /** * The OIDC issuer URL that is associated with the cluster. */ readonly oidcIssuerUrl: pulumi.Output; /** * A `omsAgent` block as defined below. 
*/ readonly omsAgent: pulumi.Output; /** * Is Open Service Mesh enabled? For more details, please visit [Open Service Mesh for AKS](https://docs.microsoft.com/azure/aks/open-service-mesh-about). */ readonly openServiceMeshEnabled: pulumi.Output; /** * The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster. */ readonly portalFqdn: pulumi.Output; /** * Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to `false`. Changing this forces a new resource to be created. */ readonly privateClusterEnabled: pulumi.Output; /** * Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to `false`. * * > **Note:** If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the `Private DNS Zone Contributor` role and access to this Private DNS Zone. 
If `UserAssigned` identity is used - to prevent improper resource order destruction - the cluster should depend on the role assignment, like in this example: * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as azure from "@pulumi/azure"; * * const example = new azure.core.ResourceGroup("example", { * name: "example", * location: "West Europe", * }); * const exampleZone = new azure.privatedns.Zone("example", { * name: "privatelink.eastus2.azmk8s.io", * resourceGroupName: example.name, * }); * const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", { * name: "aks-example-identity", * resourceGroupName: example.name, * location: example.location, * }); * const exampleAssignment = new azure.authorization.Assignment("example", { * scope: exampleZone.id, * roleDefinitionName: "Private DNS Zone Contributor", * principalId: exampleUserAssignedIdentity.principalId, * }); * const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", { * name: "aksexamplewithprivatednszone1", * location: example.location, * resourceGroupName: example.name, * dnsPrefix: "aksexamplednsprefix1", * privateClusterEnabled: true, * privateDnsZoneId: exampleZone.id, * }, { * dependsOn: [exampleAssignment], * }); * ``` */ readonly privateClusterPublicFqdnEnabled: pulumi.Output; /** * Either the ID of Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this or `None`. In case of `None` you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created. */ readonly privateDnsZoneId: pulumi.Output; /** * The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster. 
*/ readonly privateFqdn: pulumi.Output; /** * Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created. */ readonly resourceGroupName: pulumi.Output; /** * Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to `true`. Changing this forces a new resource to be created. */ readonly roleBasedAccessControlEnabled: pulumi.Output; /** * Whether to enable run command for the cluster or not. Defaults to `true`. */ readonly runCommandEnabled: pulumi.Output; /** * A `serviceMeshProfile` block as defined below. */ readonly serviceMeshProfile: pulumi.Output; /** * A `servicePrincipal` block as documented below. One of either `identity` or `servicePrincipal` must be specified. * * !> **Note:** A migration scenario from `servicePrincipal` to `identity` is supported. When upgrading `servicePrincipal` to `identity`, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured `servicePrincipal` until you upgrade your Node Pool. */ readonly servicePrincipal: pulumi.Output; /** * The SKU Tier that should be used for this Kubernetes Cluster. Possible values are `Free`, `Standard` (which includes the Uptime SLA) and `Premium`. Defaults to `Free`. * * > **Note:** Whilst the AKS API previously supported the `Paid` SKU - the AKS API introduced a breaking change in API Version `2023-02-01` (used in v3.51.0 and later) where the value `Paid` must now be set to `Standard`. */ readonly skuTier: pulumi.Output; /** * A `storageProfile` block as defined below. */ readonly storageProfile: pulumi.Output; /** * Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are `KubernetesOfficial` and `AKSLongTermSupport`. Defaults to `KubernetesOfficial`. */ readonly supportPlan: pulumi.Output; /** * A mapping of tags to assign to the resource. 
*/ readonly tags: pulumi.Output<{ [key: string]: string; } | undefined>; /** * A `upgradeOverride` block as defined below. */ readonly upgradeOverride: pulumi.Output; /** * A `webAppRouting` block as defined below. */ readonly webAppRouting: pulumi.Output; /** * A `windowsProfile` block as defined below. */ readonly windowsProfile: pulumi.Output; /** * A `workloadAutoscalerProfile` block defined below. */ readonly workloadAutoscalerProfile: pulumi.Output; /** * Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to `false`. * * > **Note:** To enable Azure AD Workload Identity `oidcIssuerEnabled` must be set to `true`. * * > **Note:** Enabling this option will allocate Workload Identity resources to the `kube-system` namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to [the documentation on Azure AD Workload Identity.](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html) The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment. */ readonly workloadIdentityEnabled: pulumi.Output; /** * Create a KubernetesCluster resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: KubernetesClusterArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering KubernetesCluster resources. */ export interface KubernetesClusterState { /** * A `aciConnectorLinux` block as defined below. For more details, please visit [Create and configure an AKS cluster to use virtual nodes](https://docs.microsoft.com/azure/aks/virtual-nodes-portal). 
*/ aciConnectorLinux?: pulumi.Input; /** * Specifies whether the AI Toolchain Operator should be enabled for the Cluster. Defaults to `false`. */ aiToolchainOperatorEnabled?: pulumi.Input; /** * An `apiServerAccessProfile` block as defined below. */ apiServerAccessProfile?: pulumi.Input; /** * A `autoScalerProfile` block as defined below. */ autoScalerProfile?: pulumi.Input; /** * The upgrade channel for this Kubernetes Cluster. Possible values are `patch`, `rapid`, `node-image` and `stable`. Omitting this field sets this value to `none`. * * !> **Note:** Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please [see the Azure documentation for more information](https://docs.microsoft.com/azure/aks/upgrade-cluster#set-auto-upgrade-channel). * * > **Note:** Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions. */ automaticUpgradeChannel?: pulumi.Input; /** * A `azureActiveDirectoryRoleBasedAccessControl` block as defined below. */ azureActiveDirectoryRoleBasedAccessControl?: pulumi.Input; /** * Should the Azure Policy Add-On be enabled? For more details please visit [Understand Azure Policy for Azure Kubernetes Service](https://docs.microsoft.com/en-ie/azure/governance/policy/concepts/rego-for-aks) */ azurePolicyEnabled?: pulumi.Input; /** * A `bootstrapProfile` block as defined below. */ bootstrapProfile?: pulumi.Input; /** * A `confidentialComputing` block as defined below. For more details please [the documentation](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-overview) */ confidentialComputing?: pulumi.Input; /** * Should cost analysis be enabled for this Kubernetes Cluster? Defaults to `false`. The `skuTier` must be set to `Standard` or `Premium` to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal. 
*/ costAnalysisEnabled?: pulumi.Input; /** * The current version running on the Azure Kubernetes Managed Cluster. */ currentKubernetesVersion?: pulumi.Input; /** * A list of up to 10 base64 encoded CA certificates that will be added to the trust store on nodes. */ customCaTrustCertificatesBase64s?: pulumi.Input[]>; /** * Specifies configuration for "System" mode node pool. A `defaultNodePool` block as defined below. */ defaultNodePool?: pulumi.Input; /** * The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information [can be found in the documentation](https://docs.microsoft.com/azure/aks/azure-disk-customer-managed-keys). Changing this forces a new resource to be created. */ diskEncryptionSetId?: pulumi.Input; /** * DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created. */ dnsPrefix?: pulumi.Input; /** * Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created. * * > **Note:** You must define either a `dnsPrefix` or a `dnsPrefixPrivateCluster` field. * * In addition, one of either `identity` or `servicePrincipal` blocks must be specified. */ dnsPrefixPrivateCluster?: pulumi.Input; /** * Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created. */ edgeZone?: pulumi.Input; /** * The FQDN of the Azure Kubernetes Managed Cluster. */ fqdn?: pulumi.Input; /** * Should HTTP Application Routing be enabled? * * > **Note:** At this time HTTP Application Routing is not supported in Azure China or Azure US Government. */ httpApplicationRoutingEnabled?: pulumi.Input; /** * The Zone Name of the HTTP Application Routing. 
*/ httpApplicationRoutingZoneName?: pulumi.Input; /** * A `httpProxyConfig` block as defined below. */ httpProxyConfig?: pulumi.Input; /** * An `identity` block as defined below. One of either `identity` or `servicePrincipal` must be specified. * * !> **Note:** A migration scenario from `servicePrincipal` to `identity` is supported. When upgrading `servicePrincipal` to `identity`, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured `servicePrincipal` until you upgrade your Node Pool. */ identity?: pulumi.Input; /** * Specifies whether Image Cleaner is enabled. */ imageCleanerEnabled?: pulumi.Input; /** * Specifies the interval in hours when images should be cleaned up. */ imageCleanerIntervalHours?: pulumi.Input; /** * A `ingressApplicationGateway` block as defined below. * * > **Note:** Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the `Microsoft.Network/virtualNetworks/subnets/join/action` permission on the Virtual Network or Subnet. For more details, please visit [Virtual Network Permission](https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#virtual-network-permission). */ ingressApplicationGateway?: pulumi.Input; /** * A `keyManagementService` block as defined below. For more details, please visit [Key Management Service (KMS) etcd encryption to an AKS cluster](https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption). */ keyManagementService?: pulumi.Input; /** * A `keyVaultSecretsProvider` block as defined below. For more details, please visit [Azure Keyvault Secrets Provider for AKS](https://docs.microsoft.com/azure/aks/csi-secrets-store-driver). 
*/ keyVaultSecretsProvider?: pulumi.Input; /** * Raw Kubernetes config for the admin account to be used by [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) and other compatible tools. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled. */ kubeAdminConfigRaw?: pulumi.Input; /** * A `kubeAdminConfig` block as defined below. This is only available when Role Based Access Control with Azure Active Directory is enabled and local accounts enabled. */ kubeAdminConfigs?: pulumi.Input[]>; /** * Raw Kubernetes config to be used by [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/) and other compatible tools. */ kubeConfigRaw?: pulumi.Input; /** * A `kubeConfig` block as defined below. */ kubeConfigs?: pulumi.Input[]>; /** * A `kubeletIdentity` block as defined below. */ kubeletIdentity?: pulumi.Input; /** * Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified, minor version aliases such as `1.22` are also supported. - The minor version's latest GA patch is automatically chosen in that case. More details can be found in [the documentation](https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#alias-minor-version). * * > **Note:** Upgrading your cluster may take up to 10 minutes per node. */ kubernetesVersion?: pulumi.Input; /** * A `linuxProfile` block as defined below. */ linuxProfile?: pulumi.Input; /** * If `true` local accounts will be disabled. See [the documentation](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts) for more information. * * > **Note:** If `localAccountDisabled` is set to `true`, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. 
See [the documentation](https://docs.microsoft.com/azure/aks/managed-aad#azure-ad-authentication-overview) for more information. */ localAccountDisabled?: pulumi.Input; /** * The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created. */ location?: pulumi.Input; /** * A `maintenanceWindow` block as defined below. */ maintenanceWindow?: pulumi.Input; /** * A `maintenanceWindowAutoUpgrade` block as defined below. */ maintenanceWindowAutoUpgrade?: pulumi.Input; /** * A `maintenanceWindowNodeOs` block as defined below. */ maintenanceWindowNodeOs?: pulumi.Input; /** * A `microsoftDefender` block as defined below. */ microsoftDefender?: pulumi.Input; /** * Specifies a Prometheus add-on profile for the Kubernetes Cluster. A `monitorMetrics` block as defined below. * * > **Note:** If deploying Managed Prometheus, the `monitorMetrics` properties are required to configure the cluster for metrics collection. If no value is needed, set properties to `null`. */ monitorMetrics?: pulumi.Input; /** * The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created. */ name?: pulumi.Input; /** * A `networkProfile` block as defined below. Changing this forces a new resource to be created. * * > **Note:** If `networkProfile` is not defined, `kubenet` profile will be used by default. */ networkProfile?: pulumi.Input; /** * The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are `Unmanaged`, `SecurityPatch`, `NodeImage` and `None`. Defaults to `NodeImage`. * * > **Note:** `nodeOsUpgradeChannel` must be set to `NodeImage` if `automaticUpgradeChannel` has been set to `node-image` */ nodeOsUpgradeChannel?: pulumi.Input; /** * A `nodeProvisioningProfile` block as defined below. */ nodeProvisioningProfile?: pulumi.Input; /** * The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created. 
* * > **Note:** Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail. */
    nodeResourceGroup?: pulumi.Input;
    /**
     * The ID of the Resource Group containing the resources for this Managed Kubernetes Cluster.
     */
    nodeResourceGroupId?: pulumi.Input;
    /**
     * Whether to enable the [OIDC issuer feature](https://learn.microsoft.com/en-gb/azure/aks/use-oidc-issuer).
     *
     * !> **Note:** Once enabled, this feature cannot be disabled; doing so forces a new resource to be created.
     */
    oidcIssuerEnabled?: pulumi.Input;
    /**
     * The OIDC issuer URL that is associated with the cluster.
     */
    oidcIssuerUrl?: pulumi.Input;
    /**
     * An `omsAgent` block as defined below.
     */
    omsAgent?: pulumi.Input;
    /**
     * Is Open Service Mesh enabled? For more details, please visit [Open Service Mesh for AKS](https://docs.microsoft.com/azure/aks/open-service-mesh-about).
     */
    openServiceMeshEnabled?: pulumi.Input;
    /**
     * The FQDN for the Azure Portal resources when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
     */
    portalFqdn?: pulumi.Input;
    /**
     * Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to `false`. Changing this forces a new resource to be created.
     *
     * NOTE(review): with the default of `false` the API server is not limited to internal IP
     * addresses. Record the intended exposure explicitly instead of relying on the default.
     */
    privateClusterEnabled?: pulumi.Input;
    /**
     * Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to `false`.
     *
     * > **Note:** If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the `Private DNS Zone Contributor` role and access to this Private DNS Zone. If a `UserAssigned` identity is used, the cluster should depend on the role assignment so that resources are not destroyed in the wrong order, as in this example:
     *
     * ```typescript
     * import * as pulumi from "@pulumi/pulumi";
     * import * as azure from "@pulumi/azure";
     *
     * const example = new azure.core.ResourceGroup("example", {
     *     name: "example",
     *     location: "West Europe",
     * });
     * const exampleZone = new azure.privatedns.Zone("example", {
     *     name: "privatelink.eastus2.azmk8s.io",
     *     resourceGroupName: example.name,
     * });
     * const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
     *     name: "aks-example-identity",
     *     resourceGroupName: example.name,
     *     location: example.location,
     * });
     * const exampleAssignment = new azure.authorization.Assignment("example", {
     *     scope: exampleZone.id,
     *     roleDefinitionName: "Private DNS Zone Contributor",
     *     principalId: exampleUserAssignedIdentity.principalId,
     * });
     * const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
     *     name: "aksexamplewithprivatednszone1",
     *     location: example.location,
     *     resourceGroupName: example.name,
     *     dnsPrefix: "aksexamplednsprefix1",
     *     privateClusterEnabled: true,
     *     privateDnsZoneId: exampleZone.id,
     *     // Not shown in this snippet: the required `defaultNodePool`, and the `identity`
     *     // block that would attach exampleUserAssignedIdentity to the cluster.
     * }, {
     *     dependsOn: [exampleAssignment],
     * });
     * ```
     */
    privateClusterPublicFqdnEnabled?: pulumi.Input;
    /**
     * Either the ID of Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this or `None`. In case of `None` you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
     */
    privateDnsZoneId?: pulumi.Input;
    /**
     * The FQDN for the Kubernetes Cluster when private link has been enabled, which is only resolvable inside the Virtual Network used by the Kubernetes Cluster.
     */
    privateFqdn?: pulumi.Input;
    /**
     * Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
     */
    resourceGroupName?: pulumi.Input;
    /**
     * Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to `true`. Changing this forces a new resource to be created.
     *
     * NOTE(review): because changing this value forces a new resource to be created, a cluster
     * created with RBAC turned off cannot be corrected in place.
     */
    roleBasedAccessControlEnabled?: pulumi.Input;
    /**
     * Whether to enable run command for the cluster or not. Defaults to `true`.
     *
     * NOTE(review): this defaults to `true`. Run command presumably lets a caller execute
     * commands in the cluster through the Azure management API rather than through the
     * Kubernetes API endpoint (confirm against the AKS documentation), so set it to `false`
     * explicitly on clusters that do not need it, private clusters included.
     */
    runCommandEnabled?: pulumi.Input;
    /**
     * A `serviceMeshProfile` block as defined below.
     */
    serviceMeshProfile?: pulumi.Input;
    /**
     * A `servicePrincipal` block as documented below. One of either `identity` or `servicePrincipal` must be specified.
     *
     * !> **Note:** A migration scenario from `servicePrincipal` to `identity` is supported. When upgrading `servicePrincipal` to `identity`, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured `servicePrincipal` until you upgrade your Node Pool.
     *
     * NOTE(review): the `privateClusterPublicFqdnEnabled` note describes service principals as
     * deprecated, so prefer `identity` for new clusters. The fields of this block are not shown
     * in this listing; if it carries a credential, treat its contents as secret material.
     */
    servicePrincipal?: pulumi.Input;
    /**
     * The SKU Tier that should be used for this Kubernetes Cluster. Possible values are `Free`, `Standard` (which includes the Uptime SLA) and `Premium`. Defaults to `Free`.
     *
     * > **Note:** Whilst the AKS API previously supported the `Paid` SKU - the AKS API introduced a breaking change in API Version `2023-02-01` (used in v3.51.0 and later) where the value `Paid` must now be set to `Standard`.
     */
    skuTier?: pulumi.Input;
    /**
     * A `storageProfile` block as defined below.
     */
    storageProfile?: pulumi.Input;
    /**
     * Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are `KubernetesOfficial` and `AKSLongTermSupport`. Defaults to `KubernetesOfficial`.
     */
    supportPlan?: pulumi.Input;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input;
    }>;
    /**
     * An `upgradeOverride` block as defined below.
     */
    upgradeOverride?: pulumi.Input;
    /** * A `webAppRouting` block as defined below.
*/
    webAppRouting?: pulumi.Input;
    /**
     * A `windowsProfile` block as defined below.
     */
    windowsProfile?: pulumi.Input;
    /**
     * A `workloadAutoscalerProfile` block as defined below.
     */
    workloadAutoscalerProfile?: pulumi.Input;
    /**
     * Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to `false`.
     *
     * > **Note:** To enable Azure AD Workload Identity `oidcIssuerEnabled` must be set to `true`.
     *
     * > **Note:** Enabling this option will allocate Workload Identity resources to the `kube-system` namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to [the documentation on Azure AD Workload Identity.](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html) The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.
     */
    workloadIdentityEnabled?: pulumi.Input;
}
/**
 * The set of arguments for constructing a KubernetesCluster resource.
 *
 * NOTE(review): in this listing the type arguments of `pulumi.Input` appear to have been lost
 * (for example `pulumi.Input[]>` on `customCaTrustCertificatesBase64s`), so the member types
 * shown here are incomplete. Take the exact types from the published typings.
 */
export interface KubernetesClusterArgs {
    /**
     * An `aciConnectorLinux` block as defined below. For more details, please visit [Create and configure an AKS cluster to use virtual nodes](https://docs.microsoft.com/azure/aks/virtual-nodes-portal).
     */
    aciConnectorLinux?: pulumi.Input;
    /**
     * Specifies whether the AI Toolchain Operator should be enabled for the Cluster. Defaults to `false`.
     */
    aiToolchainOperatorEnabled?: pulumi.Input;
    /**
     * An `apiServerAccessProfile` block as defined below.
     */
    apiServerAccessProfile?: pulumi.Input;
    /**
     * An `autoScalerProfile` block as defined below.
     */
    autoScalerProfile?: pulumi.Input;
    /**
     * The upgrade channel for this Kubernetes Cluster. Possible values are `patch`, `rapid`, `node-image` and `stable`. Omitting this field sets this value to `none`.
     *
     * !> **Note:** Cluster Auto-Upgrade will update the Kubernetes Cluster (and its Node Pools) to the latest GA version of Kubernetes automatically - please [see the Azure documentation for more information](https://docs.microsoft.com/azure/aks/upgrade-cluster#set-auto-upgrade-channel).
     *
     * > **Note:** Cluster Auto-Upgrade only updates to GA versions of Kubernetes and will not update to Preview versions.
     *
     * NOTE(review): because omitting this field sets the channel to `none`, Kubernetes version
     * upgrades are then a manual task. Decide explicitly how patch releases reach this cluster.
     */
    automaticUpgradeChannel?: pulumi.Input;
    /**
     * An `azureActiveDirectoryRoleBasedAccessControl` block as defined below.
     */
    azureActiveDirectoryRoleBasedAccessControl?: pulumi.Input;
    /**
     * Should the Azure Policy Add-On be enabled? For more details please visit [Understand Azure Policy for Azure Kubernetes Service](https://docs.microsoft.com/en-ie/azure/governance/policy/concepts/rego-for-aks)
     */
    azurePolicyEnabled?: pulumi.Input;
    /**
     * A `bootstrapProfile` block as defined below.
     */
    bootstrapProfile?: pulumi.Input;
    /**
     * A `confidentialComputing` block as defined below. For more details please see [the documentation](https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-overview)
     */
    confidentialComputing?: pulumi.Input;
    /**
     * Should cost analysis be enabled for this Kubernetes Cluster? Defaults to `false`. The `skuTier` must be set to `Standard` or `Premium` to enable this feature. Enabling this will add Kubernetes Namespace and Deployment details to the Cost Analysis views in the Azure portal.
     */
    costAnalysisEnabled?: pulumi.Input;
    /**
     * A list of up to 10 base64 encoded CA certificates that will be added to the trust store on nodes.
     *
     * NOTE(review): every certificate listed here is added to the nodes' trust store, so a
     * change to this list deserves the same review as any other trust-anchor change.
     */
    customCaTrustCertificatesBase64s?: pulumi.Input[]>;
    /**
     * Specifies configuration for "System" mode node pool. A `defaultNodePool` block as defined below.
     */
    defaultNodePool: pulumi.Input;
    /**
     * The ID of the Disk Encryption Set which should be used for the Nodes and Volumes. More information [can be found in the documentation](https://docs.microsoft.com/azure/aks/azure-disk-customer-managed-keys). Changing this forces a new resource to be created.
     */
    diskEncryptionSetId?: pulumi.Input;
    /**
     * DNS prefix specified when creating the managed cluster. Possible values must begin and end with a letter or number, contain only letters, numbers, and hyphens and be between 1 and 54 characters in length. Changing this forces a new resource to be created.
     */
    dnsPrefix?: pulumi.Input;
    /**
     * Specifies the DNS prefix to use with private clusters. Changing this forces a new resource to be created.
     *
     * > **Note:** You must define either a `dnsPrefix` or a `dnsPrefixPrivateCluster` field.
     *
     * In addition, one of either `identity` or `servicePrincipal` blocks must be specified.
     */
    dnsPrefixPrivateCluster?: pulumi.Input;
    /**
     * Specifies the Extended Zone (formerly called Edge Zone) within the Azure Region where this Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
     */
    edgeZone?: pulumi.Input;
    /**
     * Should HTTP Application Routing be enabled?
     *
     * > **Note:** At this time HTTP Application Routing is not supported in Azure China or Azure US Government.
     */
    httpApplicationRoutingEnabled?: pulumi.Input;
    /**
     * A `httpProxyConfig` block as defined below.
     */
    httpProxyConfig?: pulumi.Input;
    /**
     * An `identity` block as defined below. One of either `identity` or `servicePrincipal` must be specified.
     *
     * !> **Note:** A migration scenario from `servicePrincipal` to `identity` is supported. When upgrading `servicePrincipal` to `identity`, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured `servicePrincipal` until you upgrade your Node Pool.
     */
    identity?: pulumi.Input;
    /**
     * Specifies whether Image Cleaner is enabled.
     */
    imageCleanerEnabled?: pulumi.Input;
    /**
     * Specifies the interval in hours when images should be cleaned up.
     */
    imageCleanerIntervalHours?: pulumi.Input;
    /**
     * An `ingressApplicationGateway` block as defined below.
     *
     * > **Note:** Since the Application Gateway is deployed inside a Virtual Network, users (and Service Principals) that are operating the Application Gateway must have the `Microsoft.Network/virtualNetworks/subnets/join/action` permission on the Virtual Network or Subnet. For more details, please visit [Virtual Network Permission](https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#virtual-network-permission).
     */
    ingressApplicationGateway?: pulumi.Input;
    /**
     * A `keyManagementService` block as defined below. For more details, please visit [Key Management Service (KMS) etcd encryption to an AKS cluster](https://learn.microsoft.com/en-us/azure/aks/use-kms-etcd-encryption).
     */
    keyManagementService?: pulumi.Input;
    /**
     * A `keyVaultSecretsProvider` block as defined below. For more details, please visit [Azure Keyvault Secrets Provider for AKS](https://docs.microsoft.com/azure/aks/csi-secrets-store-driver).
     */
    keyVaultSecretsProvider?: pulumi.Input;
    /**
     * A `kubeletIdentity` block as defined below.
     */
    kubeletIdentity?: pulumi.Input;
    /**
     * Version of Kubernetes specified when creating the AKS managed cluster. If not specified, the latest recommended version will be used at provisioning time (but won't auto-upgrade). AKS does not require an exact patch version to be specified; minor version aliases such as `1.22` are also supported, and the minor version's latest GA patch is automatically chosen in that case. More details can be found in [the documentation](https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions?tabs=azure-cli#alias-minor-version).
     *
     * > **Note:** Upgrading your cluster may take up to 10 minutes per node.
     */
    kubernetesVersion?: pulumi.Input;
    /**
     * A `linuxProfile` block as defined below.
     */
    linuxProfile?: pulumi.Input;
    /**
     * If `true` local accounts will be disabled. See [the documentation](https://docs.microsoft.com/azure/aks/managed-aad#disable-local-accounts) for more information.
     *
     * > **Note:** If `localAccountDisabled` is set to `true`, it is required to enable Kubernetes RBAC and AKS-managed Azure AD integration. See [the documentation](https://docs.microsoft.com/azure/aks/managed-aad#azure-ad-authentication-overview) for more information.
     *
     * NOTE(review): no default is stated here. Where Azure AD is meant to be the only way to
     * authenticate to the cluster, set this to `true` explicitly rather than relying on the default.
     */
    localAccountDisabled?: pulumi.Input;
    /**
     * The location where the Managed Kubernetes Cluster should be created. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input;
    /**
     * A `maintenanceWindow` block as defined below.
     */
    maintenanceWindow?: pulumi.Input;
    /**
     * A `maintenanceWindowAutoUpgrade` block as defined below.
     */
    maintenanceWindowAutoUpgrade?: pulumi.Input;
    /**
     * A `maintenanceWindowNodeOs` block as defined below.
     */
    maintenanceWindowNodeOs?: pulumi.Input;
    /**
     * A `microsoftDefender` block as defined below.
     */
    microsoftDefender?: pulumi.Input;
    /**
     * Specifies a Prometheus add-on profile for the Kubernetes Cluster. A `monitorMetrics` block as defined below.
     *
     * > **Note:** If deploying Managed Prometheus, the `monitorMetrics` properties are required to configure the cluster for metrics collection. If no value is needed, set properties to `null`.
     */
    monitorMetrics?: pulumi.Input;
    /**
     * The name of the Managed Kubernetes Cluster to create. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input;
    /**
     * A `networkProfile` block as defined below. Changing this forces a new resource to be created.
     *
     * > **Note:** If `networkProfile` is not defined, `kubenet` profile will be used by default.
     */
    networkProfile?: pulumi.Input;
    /**
     * The upgrade channel for this Kubernetes Cluster Nodes' OS Image. Possible values are `Unmanaged`, `SecurityPatch`, `NodeImage` and `None`. Defaults to `NodeImage`.
     *
     * > **Note:** `nodeOsUpgradeChannel` must be set to `NodeImage` if `automaticUpgradeChannel` has been set to `node-image`
     */
    nodeOsUpgradeChannel?: pulumi.Input;
    /**
     * A `nodeProvisioningProfile` block as defined below.
     */
    nodeProvisioningProfile?: pulumi.Input;
    /**
     * The name of the Resource Group where the Kubernetes Nodes should exist. Changing this forces a new resource to be created.
     *
     * > **Note:** Azure requires that a new, non-existent Resource Group is used, as otherwise, the provisioning of the Kubernetes Service will fail.
     */
    nodeResourceGroup?: pulumi.Input;
    /**
     * Whether to enable the [OIDC issuer feature](https://learn.microsoft.com/en-gb/azure/aks/use-oidc-issuer).
     *
     * !> **Note:** Once enabled, this feature cannot be disabled; doing so forces a new resource to be created.
     */
    oidcIssuerEnabled?: pulumi.Input;
    /**
     * An `omsAgent` block as defined below.
     */
    omsAgent?: pulumi.Input;
    /**
     * Is Open Service Mesh enabled? For more details, please visit [Open Service Mesh for AKS](https://docs.microsoft.com/azure/aks/open-service-mesh-about).
     */
    openServiceMeshEnabled?: pulumi.Input;
    /**
     * Should this Kubernetes Cluster have its API server only exposed on internal IP addresses? This provides a Private IP Address for the Kubernetes API on the Virtual Network where the Kubernetes Cluster is located. Defaults to `false`. Changing this forces a new resource to be created.
     *
     * NOTE(review): with the default of `false` the API server is not limited to internal IP
     * addresses. If the cluster stays public, check what `apiServerAccessProfile` offers for
     * restricting access; its fields are not shown in this listing.
     */
    privateClusterEnabled?: pulumi.Input;
    /**
     * Specifies whether a Public FQDN for this Private Cluster should be added. Defaults to `false`.
     *
     * > **Note:** If you use BYO DNS Zone, the AKS cluster should either use a User Assigned Identity or a service principal (which is deprecated) with the `Private DNS Zone Contributor` role and access to this Private DNS Zone. If a `UserAssigned` identity is used, the cluster should depend on the role assignment so that resources are not destroyed in the wrong order, as in this example:
     *
     * ```typescript
     * import * as pulumi from "@pulumi/pulumi";
     * import * as azure from "@pulumi/azure";
     *
     * const example = new azure.core.ResourceGroup("example", {
     *     name: "example",
     *     location: "West Europe",
     * });
     * const exampleZone = new azure.privatedns.Zone("example", {
     *     name: "privatelink.eastus2.azmk8s.io",
     *     resourceGroupName: example.name,
     * });
     * const exampleUserAssignedIdentity = new azure.authorization.UserAssignedIdentity("example", {
     *     name: "aks-example-identity",
     *     resourceGroupName: example.name,
     *     location: example.location,
     * });
     * const exampleAssignment = new azure.authorization.Assignment("example", {
     *     scope: exampleZone.id,
     *     roleDefinitionName: "Private DNS Zone Contributor",
     *     principalId: exampleUserAssignedIdentity.principalId,
     * });
     * const exampleKubernetesCluster = new azure.containerservice.KubernetesCluster("example", {
     *     name: "aksexamplewithprivatednszone1",
     *     location: example.location,
     *     resourceGroupName: example.name,
     *     dnsPrefix: "aksexamplednsprefix1",
     *     privateClusterEnabled: true,
     *     privateDnsZoneId: exampleZone.id,
     *     // Not shown in this snippet: the required `defaultNodePool`, and the `identity`
     *     // block that would attach exampleUserAssignedIdentity to the cluster.
     * }, {
     *     dependsOn: [exampleAssignment],
     * });
     * ```
     */
    privateClusterPublicFqdnEnabled?: pulumi.Input;
    /**
     * Either the ID of Private DNS Zone which should be delegated to this Cluster, `System` to have AKS manage this or `None`. In case of `None` you will need to bring your own DNS server and set up resolving, otherwise, the cluster will have issues after provisioning. Changing this forces a new resource to be created.
     */
    privateDnsZoneId?: pulumi.Input;
    /**
     * Specifies the Resource Group where the Managed Kubernetes Cluster should exist. Changing this forces a new resource to be created.
     */
    resourceGroupName: pulumi.Input;
    /**
     * Whether Role Based Access Control for the Kubernetes Cluster should be enabled. Defaults to `true`. Changing this forces a new resource to be created.
     *
     * NOTE(review): keep the default. The `localAccountDisabled` note requires Kubernetes RBAC,
     * and because changing this value forces a new resource to be created, a cluster created
     * with RBAC turned off cannot be corrected in place.
     */
    roleBasedAccessControlEnabled?: pulumi.Input;
    /**
     * Whether to enable run command for the cluster or not. Defaults to `true`.
     *
     * NOTE(review): this defaults to `true`. Run command presumably lets a caller execute
     * commands in the cluster through the Azure management API rather than through the
     * Kubernetes API endpoint (confirm against the AKS documentation), so set it to `false`
     * explicitly on clusters that do not need it, private clusters included.
     */
    runCommandEnabled?: pulumi.Input;
    /**
     * A `serviceMeshProfile` block as defined below.
     */
    serviceMeshProfile?: pulumi.Input;
    /**
     * A `servicePrincipal` block as documented below. One of either `identity` or `servicePrincipal` must be specified.
     *
     * !> **Note:** A migration scenario from `servicePrincipal` to `identity` is supported. When upgrading `servicePrincipal` to `identity`, your cluster's control plane and addon pods will switch to use managed identity, but the kubelets will keep using your configured `servicePrincipal` until you upgrade your Node Pool.
     *
     * NOTE(review): the `privateClusterPublicFqdnEnabled` note describes service principals as
     * deprecated, so prefer `identity` for new clusters. The fields of this block are not shown
     * in this listing; if it carries a credential, treat its contents as secret material.
     */
    servicePrincipal?: pulumi.Input;
    /**
     * The SKU Tier that should be used for this Kubernetes Cluster. Possible values are `Free`, `Standard` (which includes the Uptime SLA) and `Premium`. Defaults to `Free`.
     *
     * > **Note:** Whilst the AKS API previously supported the `Paid` SKU - the AKS API introduced a breaking change in API Version `2023-02-01` (used in v3.51.0 and later) where the value `Paid` must now be set to `Standard`.
     */
    skuTier?: pulumi.Input;
    /**
     * A `storageProfile` block as defined below.
     */
    storageProfile?: pulumi.Input;
    /**
     * Specifies the support plan which should be used for this Kubernetes Cluster. Possible values are `KubernetesOfficial` and `AKSLongTermSupport`. Defaults to `KubernetesOfficial`.
     */
    supportPlan?: pulumi.Input;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input;
    }>;
    /**
     * An `upgradeOverride` block as defined below.
     */
    upgradeOverride?: pulumi.Input;
    /**
     * A `webAppRouting` block as defined below.
     */
    webAppRouting?: pulumi.Input;
    /**
     * A `windowsProfile` block as defined below.
     */
    windowsProfile?: pulumi.Input;
    /**
     * A `workloadAutoscalerProfile` block as defined below.
     */
    workloadAutoscalerProfile?: pulumi.Input;
    /**
     * Specifies whether Azure AD Workload Identity should be enabled for the Cluster. Defaults to `false`.
     *
     * > **Note:** To enable Azure AD Workload Identity `oidcIssuerEnabled` must be set to `true`.
     *
     * > **Note:** Enabling this option will allocate Workload Identity resources to the `kube-system` namespace in Kubernetes. If you wish to customize the deployment of Workload Identity, you can refer to [the documentation on Azure AD Workload Identity.](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html) The documentation provides guidance on how to install the mutating admission webhook, which allows for the customization of Workload Identity deployment.
     */
    workloadIdentityEnabled?: pulumi.Input;
}