IaC Bazaar
Tencent Cloud · Plan-validated

Tencent TKE Cluster

Managed TKE Kubernetes with node pools and VPC-CNI networking.

terraform · Alt & Specialty Clouds · #tencentcloud


tencent-tke-cluster · terraform · v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

tencent-tke-cluster

A production-ready Tencent Kubernetes Engine (TKE) managed cluster with VPC-CNI networking and autoscaling worker node pools. It pins one opinionated path — managed control plane, VPC-CNI, and node pools attached separately from the cluster — so the cluster does not churn when worker shapes change. Bring your own VPC and private subnets (e.g. from tencent-vpc-foundation).

Status: static-validated, live-test pending. Validated with tofu validate + tflint + checkov against the tencentcloudstack/tencentcloud provider. Not yet applied against a live Tencent Cloud account (no sandbox subscription), so it ships under live-test quarantine.

Design & secure defaults

  • Private API server by default. The public endpoint is off; the cluster is reachable over the intranet endpoint (or via a bastion/VPN). Turning on the internet endpoint is gated by a precondition that forces you to supply a fronting security group.
  • No inline worker_config. The cluster is created with zero inline workers; all capacity comes from tencentcloud_kubernetes_node_pool. This avoids the well-known TKE foot-gun where changing worker_config forces the entire cluster to be recreated.
  • VPC-CNI networking. Pods receive real VPC ENI IPs from eni_subnet_ids, which enables Kubernetes NetworkPolicy and direct in-VPC addressing.
  • Deletion protection on. An accidental API/console delete is blocked (a Terraform destroy still requires flipping it off first).
  • Audit + event logs to CLS. API-server audit logging and Kubernetes event persistence are on by default and ship to Cloud Log Service for forensics.
  • Encrypted, private nodes. Worker data disks are encrypted; nodes get no public IP and egress through the VPC's NAT.
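As an added illustration of the gating described in the first bullet (this is not the module's own code, which ships with the licence), the private-by-default endpoint settings and the precondition that refuses a public endpoint without a fronting security group, written against the tencentcloudstack/tencentcloud provider. The variable names are invented, and the resource attribute names are assumptions to check against the pinned provider version's documentation.

```hcl
# Added illustration, not the module's own code. Variable names are invented;
# the tencentcloud_kubernetes_cluster attribute names are assumed from the
# tencentcloudstack/tencentcloud provider docs and should be checked against
# the pinned provider version.

variable "enable_internet_endpoint" {
  description = "Expose the API server on a public endpoint (off by default)."
  type        = bool
  default     = false
}

variable "internet_endpoint_security_group_id" {
  description = "Security group fronting the public endpoint; required when it is enabled."
  type        = string
  default     = null
}

variable "vpc_id" { type = string }
variable "intranet_subnet_id" { type = string }
variable "eni_subnet_ids" { type = list(string) }
variable "service_cidr" { type = string }

resource "tencentcloud_kubernetes_cluster" "this" {
  cluster_name        = "tke-private"
  cluster_deploy_type = "MANAGED_CLUSTER"
  vpc_id              = var.vpc_id
  network_type        = "VPC-CNI"
  eni_subnet_ids      = var.eni_subnet_ids
  service_cidr        = var.service_cidr

  # Private by default: intranet endpoint on, internet endpoint off unless requested.
  cluster_intranet                = true
  cluster_intranet_subnet_id      = var.intranet_subnet_id
  cluster_internet                = var.enable_internet_endpoint
  cluster_internet_security_group = var.internet_endpoint_security_group_id

  # Blocks accidental console/API deletion; set to false before a destroy.
  deletion_protection = true

  # No worker_config here: capacity comes from tencentcloud_kubernetes_node_pool,
  # so changing worker shapes never forces the cluster itself to be recreated.
  lifecycle {
    precondition {
      condition     = !var.enable_internet_endpoint || var.internet_endpoint_security_group_id != null
      error_message = "enable_internet_endpoint requires internet_endpoint_security_group_id so the public API server is fronted by a security group."
    }
  }
}
```

Running a plan with enable_internet_endpoint = true and no security group id fails on the precondition before any provider call is made, which is the behaviour the bullet describes.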

Provider

tencentcloudstack/tencentcloud >= 1.81.0, < 2.0. Requires Terraform/OpenTofu >= 1.6.

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
