Provisioning an Alibaba Cloud Kubernetes (ACK) Multi-AZ Kubernetes Cluster Using Terraform

By Yan Tsz Kin, Solutions Architect


The purpose of this article is to present a simple and practical example of provisioning an Alibaba Cloud Kubernetes (ACK) Multi-AZ Kubernetes cluster, together with a sample application, on Alibaba Cloud using Terraform. It is also an example of Infrastructure as Code, a key enabler of DevOps best practices.

I will walk through a sample project that is available in my GitHub repository:


  1. Terraform and providers installed according to
  2. Terraform 0.11.11 installed and running on Linux
  3. Terraform AliCloud provider version 1.29
  4. Terraform Kubernetes provider version 1.5
  5. Docker image(s) already pushed to the registry
  6. A domain name is being managed in Alibaba Cloud DNS (e.g.

Target Environment

Our target infrastructure includes:

  1. 1 Multi-AZ Kubernetes cluster in 2 Availability Zones (Max. 3 zones supported)
  2. 3 Kubernetes Master Nodes across 2 Availability Zones with 2 Server Load Balancer instances
  3. 3 Kubernetes Worker Nodes across 2 Availability Zones
  4. 1 NAT Gateway instance for downloading Docker image(s) from Docker Hub
  5. 1 Server Load Balancer (SLB) instance for Nginx Ingress Controller
  6. 1 Kubernetes Service serves sample web application connecting to Alibaba Cloud ApsaraDB RDS for MySQL (RDS)
  7. 1 Alibaba Cloud DNS record that will be bound to the Kubernetes Service

Our target architecture is illustrated in the diagram below:


Terraform — Infrastructure as Code

Terraform allows us to describe the target environment and then manage its lifecycle. In this case, the Terraform configuration is modularized into multiple files for easier management, with variables externalized into separate “config” files.

Before Provisioning

In the, update the Alibaba Cloud Access Key and Secret.

In, update the Region and Availability Zone information. You may check out the Region ID at, and the Zone ID is typically formed by appending the zone name to the Region ID, e.g. Hong Kong Zone C has Region ID cn-hongkong and Zone ID cn-hongkong-c, and Singapore Zone C is ap-southeast-1c.

Make sure the following files exist and are empty:

  1. ~/.kube/cluster-ca-cert.pem
  2. ~/.kube/client-key.pem
  3. ~/.kube/client-cert.pem

This is critical for Terraform to proceed with the Kubernetes provider after the cluster has been provisioned.

Start Provisioning

Execute or command “terraform apply -auto-approve”

Create VPC and VSwitches

Create NAT Gateway and EIP instance and associate to the VPC

Create RDS instance

Create ACK cluster

Deploy application on ACK with Horizontal Pod Autoscaler enabled and expose the deployment to the Internet

Bind a DNS A record to the Server Load Balancer which exposes the application to the Internet

After Provisioning

The output of Terraform should look like the following screenshot:


If the local machine that runs Terraform has a Kubernetes client (i.e. kubectl) installed, ~/.kube/config is downloaded, and you may try connecting to the Kubernetes cluster directly for further actions or tasks, such as creating an Ingress, which is not yet supported by the Terraform Kubernetes provider.

Finally, the web application should be up and running as shown below.


Troubleshooting Potential Issues

Terraform is not able to repair, fix or retry when a provisioning process times out. In addition, Terraform's metadata may become corrupted when applying changes to a Terraform-managed stack. Therefore, it is better to wrap the provisioning process, or even the Terraform command itself, in a shell script that handles exceptions.
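One way to write such a wrapper, covering both the empty-file requirement from "Before Provisioning" and the timeout and state-corruption concerns above. This is an added example, not code from the article's repository; the script name provision.sh and the variables TF_BIN, MAX_TRIES, RETRY_DELAY, KUBE_DIR and STATE_FILE are assumptions, as is the use of a local terraform.tfstate.

```shell
#!/bin/sh
# Added example, not from the article's repository. All variable names below
# are hypothetical; STATE_FILE assumes Terraform keeps its state locally.
TF_BIN="${TF_BIN:-terraform}"
MAX_TRIES="${MAX_TRIES:-3}"
RETRY_DELAY="${RETRY_DELAY:-30}"
KUBE_DIR="${KUBE_DIR:-$HOME/.kube}"
STATE_FILE="${STATE_FILE:-terraform.tfstate}"

# The article requires these three files to exist and be empty. Create any
# that are missing (mode 600, they will hold key material) and refuse to
# touch one that already has content instead of silently wiping it.
prepare_kube_files() {
  mkdir -p "$KUBE_DIR" || return 1
  for pk_f in cluster-ca-cert.pem client-key.pem client-cert.pem; do
    if [ -s "$KUBE_DIR/$pk_f" ]; then
      echo "refusing to overwrite non-empty $KUBE_DIR/$pk_f" >&2
      return 1
    fi
    : >> "$KUBE_DIR/$pk_f" && chmod 600 "$KUBE_DIR/$pk_f" || return 1
  done
}

# Copy the state before every attempt so a corrupted state file can be
# restored by hand. State may contain secrets, so the copy is mode 600.
backup_state() {
  [ -f "$STATE_FILE" ] || return 0
  bs_copy="$STATE_FILE.$(date +%Y%m%d%H%M%S).try$1.bak"
  cp "$STATE_FILE" "$bs_copy" && chmod 600 "$bs_copy"
}

# Re-run "terraform apply" up to MAX_TRIES times. Returns 0 on success,
# 1 when every attempt failed, 2 when the state backup itself failed.
apply_with_retry() {
  ar_try=1
  while [ "$ar_try" -le "$MAX_TRIES" ]; do
    backup_state "$ar_try" || return 2
    if "$TF_BIN" apply -auto-approve; then return 0; fi
    echo "terraform apply failed (attempt $ar_try of $MAX_TRIES)" >&2
    ar_try=$((ar_try + 1))
    if [ "$ar_try" -le "$MAX_TRIES" ]; then sleep "$RETRY_DELAY"; fi
  done
  return 1
}

# Provision only when invoked as: ./provision.sh apply
if [ "${1:-}" = "apply" ]; then prepare_kube_files && apply_with_retry; exit $?; fi
```

A non-zero exit leaves the timestamped state copies in place, so the last good state can be compared with or restored over a damaged one before the next run.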


In this post, I have shown how Terraform can integrate resources on Alibaba Cloud with an application provisioned on an ACK cluster. You can extend it to the stack lifecycle management processes of your Alibaba Cloud resources.

To learn more about Kubernetes on Alibaba Cloud, visit

