IaC Bazaar
Alibaba Cloud · Static-verified

Alibaba Cloud ACK Cluster

Managed ACK Kubernetes with node pools, VPC integration, and RAM roles.

terraform · Alt & Specialty Clouds · #alicloud


alicloud-ack-cluster · terraform · v1.7

Verification

Static-verified

Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).

Conformance

  • Static validation (fmt · validate · tflint)
  • No applicable security policies for this provider
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28 · how we verify

Documentation

alicloud-ack-cluster

A production-ready Alibaba Cloud ACK managed Kubernetes cluster (Pro tier) wired into an existing VPC, with autoscaling worker node pools. Designed to sit on top of a network foundation such as alicloud-vpc-foundation: you bring the private vSwitches, this module brings a hardened cluster.

Status: static-validated, live-test pending. Validated with tofu validate + tflint + checkov against the aliyun/alicloud provider. Not yet applied against a live Alibaba Cloud account (no sandbox subscription, and ACK clusters take ~15 min to create and bill a per-cluster fee), so it ships under live-test quarantine.

Design & secure defaults

  • Private API server. slb_internet_enabled = false by default — the Kubernetes API server is reachable only from inside the VPC (use a bastion, VPN, or Cloud Enterprise Network). Opt into a public endpoint explicitly.
  • Pod-scoped RAM identity (RRSA). enable_rrsa = true turns on RAM Roles for Service Accounts: pods assume narrowly scoped RAM roles via OIDC instead of sharing the node's instance role, which gives workloads least privilege. (Pro only.)
  • Deletion protection on. Accidental cluster deletion is blocked; a Terraform destroy requires flipping deletion_protection = false first.
  • Secrets envelope encryption. Pass encryption_provider_key (a KMS key id) to encrypt Kubernetes Secrets at rest in etcd. (Pro only.)
  • Advanced security group (is_enterprise_security_group = true), the recommended type with a higher rule ceiling.
  • Encrypted worker disks. Node-pool system disks default to encrypted cloud_essd (PL1); supply system_disk_kms_key for a customer-managed key.
  • Control-plane audit logging. apiserver/kcm/scheduler/ccm logs ship to Log Service (SLS) with a 30-day retention by default.
  • Managed node pools. Auto-repair and auto-upgrade are on so unhealthy nodes self-heal and patch upgrades roll out within the maintenance window.
  • No NAT by default. new_nat_gateway = false — reuse the egress your VPC foundation already provides instead of spawning a second NAT gateway/EIP.

Cross-field invariants (Terway needs pod vSwitches; RRSA and Secrets encryption need a Pro cluster; autoscaling needs min_size <= max_size) are enforced with precondition blocks, so misconfigurations fail at plan time, not mid-apply.
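The invariants above can be written as Terraform lifecycle precondition blocks, which Terraform and OpenTofu evaluate during plan. The following is an added illustration of that technique, not the module's licensed source: the variable names (cluster_spec, network_plugin, pod_vswitch_ids, min_size, max_size, instance_types) are assumptions, and the resource arguments follow the aliyun/alicloud provider schema for alicloud_cs_managed_kubernetes and alicloud_cs_kubernetes_node_pool as published; check them against the docs for your pinned provider version.

```hcl
# Added illustration of plan-time invariant checks; not the module's licensed
# source. Variable names are assumptions; resource argument names follow the
# aliyun/alicloud provider schema for alicloud_cs_managed_kubernetes and
# alicloud_cs_kubernetes_node_pool.

variable "name" {
  type = string
}

variable "vswitch_ids" {
  description = "Private vSwitches supplied by the VPC foundation"
  type        = list(string)
}

variable "instance_types" {
  type = list(string)
}

variable "cluster_spec" {
  description = "ack.pro.small (Pro) or ack.standard"
  type        = string
  default     = "ack.pro.small"
}

variable "network_plugin" {
  description = "terway-eniip needs pod vSwitches; flannel does not"
  type        = string
  default     = "terway-eniip"
}

variable "pod_vswitch_ids" {
  type    = list(string)
  default = []
}

variable "enable_rrsa" {
  type    = bool
  default = true
}

variable "encryption_provider_key" {
  description = "KMS key id for envelope encryption of Secrets; null disables it"
  type        = string
  default     = null
}

variable "min_size" {
  type    = number
  default = 1
}

variable "max_size" {
  type    = number
  default = 3
}

locals {
  is_pro      = startswith(var.cluster_spec, "ack.pro")
  uses_terway = startswith(var.network_plugin, "terway")
}

resource "alicloud_cs_managed_kubernetes" "this" {
  name                         = var.name
  cluster_spec                 = var.cluster_spec
  vswitch_ids                  = var.vswitch_ids
  pod_vswitch_ids              = local.uses_terway ? var.pod_vswitch_ids : null
  slb_internet_enabled         = false # API server stays VPC-internal
  enable_rrsa                  = var.enable_rrsa
  encryption_provider_key      = var.encryption_provider_key
  deletion_protection          = true
  is_enterprise_security_group = true
  new_nat_gateway              = false

  lifecycle {
    # Each precondition is evaluated during plan; a false condition aborts
    # with its error_message before any API call is made.
    precondition {
      condition     = !local.uses_terway || length(var.pod_vswitch_ids) > 0
      error_message = "Terway requires at least one pod vSwitch in pod_vswitch_ids."
    }
    precondition {
      condition     = !var.enable_rrsa || local.is_pro
      error_message = "RRSA (enable_rrsa = true) is only supported on ACK Pro (cluster_spec = ack.pro.*)."
    }
    precondition {
      condition     = var.encryption_provider_key == null || local.is_pro
      error_message = "Secrets envelope encryption (encryption_provider_key) needs an ACK Pro cluster."
    }
  }
}

resource "alicloud_cs_kubernetes_node_pool" "default" {
  cluster_id            = alicloud_cs_managed_kubernetes.this.id
  node_pool_name        = "${var.name}-default"
  vswitch_ids           = var.vswitch_ids
  instance_types        = var.instance_types
  system_disk_category  = "cloud_essd"
  system_disk_encrypted = true # encrypted worker disks by default

  scaling_config {
    min_size = var.min_size
    max_size = var.max_size
  }

  management {
    auto_repair  = true
    auto_upgrade = true
  }

  lifecycle {
    precondition {
      condition     = var.min_size <= var.max_size
      error_message = "Autoscaling requires min_size <= max_size."
    }
  }
}
```

Because every condition references only input variables and locals, `tofu plan` (or `terraform plan`) reports each violated invariant with its error_message before touching the Alibaba Cloud API, so a Terway cluster without pod vSwitches or an inverted min_size/max_size pair never reaches apply. Note that `validate` alone does not evaluate preconditions; they surface at plan time, which is what the paragraph above describes.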

Provider

aliyun/alicloud >= 1.241.0, < 2.0 (floor raised so the non-deprecated vswitch_ids argument is available). Requires Terraform/OpenTofu >= 1.6.

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
