Monitoring: Guidance and datacap (#459)

* adding daily data cap

Signed-off-by: Gordonby <gordon.byers@microsoft.com>

* data cap final tweak and subscriptionResourceId changes

Signed-off-by: Gordonby <gordon.byers@microsoft.com>

* spinbutton

Signed-off-by: Gordonby <gordon.byers@microsoft.com>

* deployTab

Signed-off-by: Gordonby <gordon.byers@microsoft.com>

* accessibility

Signed-off-by: Gordonby <gordon.byers@microsoft.com>

* Update AppDeploy_AzureVote.yml

Signed-off-by: Gordonby <gordon.byers@microsoft.com>

.github/workflows/AppDeploy_AzureVote.yml

@@ -46,7 +46,7 @@ on:
         default: false
         required: false
       HELMPACKAGEURI:
-        default: "https://github.com/Gordonby/minihelm/raw/main/samples/AzureVote-0.9.82.tgz" #"https://github.com/Gordonby/minihelm/raw/main/samples/AzureVote-0.9.8.tgz"
+        default: "https://github.com/Gordonby/minihelm/raw/main/samples/AzureVote-0.9.8.tgz"
         required: false
         type: string
         description: "The location of the Helm package"

bicep/aksmetricalerts.bicep

@@ -720,7 +720,7 @@ resource PV_usage_violates_the_configured_threshold_for_clustername_CI_21 'micro
 }
 
 
-resource Daily_data_cap_breached_for_workspace_logworkspacename_CIQ_1_name_resource 'microsoft.insights/scheduledqueryrules@2021-02-01-preview' = {
+resource Daily_law_datacap 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
   name: 'Daily data cap breached for workspace ${logAnalyticsWorkspaceName} CIQ-1'
   location: logAnalyticsWorkspaceLocation
   properties: {

bicep/aksnetcontrib.bicep

@@ -10,7 +10,7 @@ param user_identity_principalId string
 ])
 param rbacAssignmentScope string = 'Subnet'
 
-var networkContributorRole = resourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+var networkContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
 
 var existingAksSubnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[10] : ''
 var existingAksVnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[8] : ''

bicep/appgw.bicep

@@ -145,7 +145,7 @@ resource appgw 'Microsoft.Network/applicationGateways@2020-07-01' = if (!empty(u
 }
 
 param agicPrincipleId string
-var contributor = resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+var contributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
 // https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal
 resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
   scope: appgw
@@ -157,7 +157,7 @@ resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2020-04-01-pr
   }
 }
 
-var reader = resourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+var reader = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 resource appGwAGICRGReader 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
   scope: resourceGroup()
   name: guid(resourceGroup().id, appgwName, 'rgread')

bicep/dnsZone.bicep

@@ -11,7 +11,7 @@ resource privateDns 'Microsoft.Network/privateDnsZones@2020-06-01' existing = if
   name: dnsZoneName
 }
 
-var DNSZoneContributor = resourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
+var DNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
 resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (!isPrivate) {
   scope: dns
   name: guid(dns.id, principalId, DNSZoneContributor)
@@ -22,7 +22,7 @@ resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
   }
 }
 
-var PrivateDNSZoneContributor = resourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+var PrivateDNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
 resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (isPrivate) {
   scope: privateDns
   name: guid(privateDns.id, principalId, PrivateDNSZoneContributor)

bicep/keyvaultrbac.bicep

@@ -39,14 +39,14 @@ param rbacCertOfficerUsers array = []
 @description('An array of User IDs')
 param rbacAdminUsers array = []
 
-var keyVaultAdministratorRole = resourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
-var keyVaultContributorRole = resourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')
-var keyVaultSecretsUserRole = resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
-var keyVaultSecretsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
-var keyVaultCertsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
-var keyVaultCryptoUserRole = resourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
-var keyVaultCryptoOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
-var keyVaultCryptoServiceEncrpytionRole = resourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6')
+var keyVaultAdministratorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
+var keyVaultContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')
+var keyVaultSecretsUserRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
+var keyVaultSecretsOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
+var keyVaultCertsOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
+var keyVaultCryptoUserRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
+var keyVaultCryptoOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
+var keyVaultCryptoServiceEncrpytionRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6')
 
 resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
   name: keyVaultName

bicep/main.bicep

@@ -466,7 +466,7 @@ module acrPool 'acragentpool.bicep' = if (custom_vnet && (!empty(registries_sku)
   }
 }
 
-var AcrPullRole = resourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
+var AcrPullRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
 var KubeletObjectId = any(aks.properties.identityProfile.kubeletidentity).objectId
 
 resource aks_acr_pull 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(registries_sku)) {
@@ -479,7 +479,7 @@ resource aks_acr_pull 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
   }
 }
 
-var AcrPushRole = resourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec')
+var AcrPushRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec')
 
 @description('The principal ID of the service principal to assign the push role to the ACR')
 param acrPushRolePrincipalId string = ''
@@ -754,7 +754,7 @@ resource appgw 'Microsoft.Network/applicationGateways@2021-02-01' = if (deployAp
   properties: appgwProperties
 }
 
-var contributor = resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+var contributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
 // https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal
 // AGIC's identity requires "Contributor" permission over Application Gateway.
 resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (ingressApplicationGateway && deployAppGw) {
@@ -768,7 +768,7 @@ resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2022-04-01' =
 }
 
 // AGIC's identity requires "Reader" permission over Application Gateway's resource group.
-var reader = resourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+var reader = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
 resource appGwAGICRGReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (ingressApplicationGateway && deployAppGw) {
   scope: resourceGroup()
   name: guid(aks.id, 'Agic', reader)
@@ -780,7 +780,7 @@ resource appGwAGICRGReader 'Microsoft.Authorization/roleAssignments@2022-04-01'
 }
 
 // AGIC's identity requires "Managed Identity Operator" permission over the user assigned identity of Application Gateway.
-var managedIdentityOperator = resourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
+var managedIdentityOperator = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
 resource appGwAGICMIOp 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (ingressApplicationGateway &&  deployAppGw) {
   scope: appGwIdentity
   name: guid(aks.id, 'Agic', managedIdentityOperator)
@@ -1350,7 +1350,7 @@ param automatedDeployment bool = false
 @description('The principal ID to assign the AKS admin role.')
 param adminPrincipalId string = ''
 // for AAD Integrated Cluster wusing 'enableAzureRBAC', add Cluster admin to the current user!
-var buildInAKSRBACClusterAdmin = resourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')
+var buildInAKSRBACClusterAdmin = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')
 resource aks_admin_role_assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableAzureRBAC && !empty(adminPrincipalId)) {
   scope: aks // Use when specifying a scope that is different than the deployment scope
   name: guid(aks.id, 'aksadmin', buildInAKSRBACClusterAdmin)
@@ -1482,20 +1482,27 @@ module aksmetricalerts './aksmetricalerts.bicep' = if (createLaw) {
 @description('The Log Analytics retention period')
 param retentionInDays int = 30
 
+@description('The Log Analytics daily data cap (GB) (0=no limit)')
+param logDataCap int = 0
+
 var aks_law_name = 'log-${resourceName}'
 
 var createLaw = (omsagent || deployAppGw || azureFirewalls || CreateNetworkSecurityGroups || defenderForContainers)
 
-resource aks_law 'Microsoft.OperationalInsights/workspaces@2021-06-01' = if (createLaw) {
+resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (createLaw) {
   name: aks_law_name
   location: location
-  properties: {
-    retentionInDays: retentionInDays
-  }
+  properties : union({
+      retentionInDays: retentionInDays
+    },
+    logDataCap>0 ? { workspaceCapping: {
+      dailyQuotaGb: logDataCap
+    }} : {}
+  )
 }
 
 //This role assignment enables AKS->LA Fast Alerting experience
-var MonitoringMetricsPublisherRole = resourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+var MonitoringMetricsPublisherRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
 resource FastAlertingRole_Aks_Law 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (omsagent) {
   scope: aks
   name: guid(aks.id, 'omsagent', MonitoringMetricsPublisherRole)

bicep/networksubnetrbac.bicep

@@ -2,7 +2,7 @@ param vnetName string
 param subnetName string
 param servicePrincipalId string
 
-var networkContributorRole = resourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
+var networkContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
 
 resource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-01-01' existing = {
   name: '${vnetName}/${subnetName}'

helper/src/components/addonsTab.js

@@ -1,6 +1,6 @@
 /* eslint-disable import/no-anonymous-default-export */
 import React from 'react';
-import { TextField, Link, Separator, Dropdown, Slider, Stack, Text, Label, ChoiceGroup, Checkbox, MessageBar, MessageBarType } from '@fluentui/react';
+import { TextField, Link, Separator, Dropdown, Slider, Stack, Text, Label, ChoiceGroup, Checkbox, MessageBar, MessageBarType, SpinButton } from '@fluentui/react';
 import { adv_stackstyle, hasError, getError } from './common'
 
 
@@ -208,6 +208,9 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) {
             <Stack.Item align="start">
                 <Label >Cluster Monitoring requirements</Label>
                 <MessageBar>Observing your clusters health is critical to smooth operations, select the managed Azure Monitor for Containers option, or the open source CNCF Prometheus/Grafana solution</MessageBar>
+                { addons.monitor === "aci" &&
+                    <MessageBar messageBarType={MessageBarType.info}>For sending logs to a central subscription workspace, use <Link target="_target" href="https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings-policy">Azure Policy</Link> to configure AKS DiagnosticSettings.</MessageBar>
+                }
                 <ChoiceGroup
                     styles={{ root: { marginLeft: '50px' } }}
                     selectedKey={addons.monitor}
@@ -244,6 +247,17 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) {
                         ]}
                     />
 
+                    <SpinButton
+                        label="Daily data cap (GB)"
+                        value={addons.logDataCap}
+                        onChange={(ev, v) => updateFn("logDataCap", v)}
+                        min={0}
+                        step={1}
+                        incrementButtonAriaLabel="Increase value by 1"
+                        decrementButtonAriaLabel="Decrease value by 1"
+                        styles={{ root: { marginTop: '15px'}}}
+                    />
+
                     <Checkbox styles={{ root: { marginTop: '10px'}}} checked={addons.createAksMetricAlerts} onChange={(ev, v) => updateFn("createAksMetricAlerts", v)} label={<Text>Create recommended metric alerts, enable you to monitor your system resource when it's running on peak capacity or hitting failure rates (<Link target="_target" href="https://azure.microsoft.com/en-us/updates/ci-recommended-alerts/">docs</Link>) </Text>} />
 
                 </Stack.Item>

helper/src/components/deployTab.js

@@ -66,7 +66,11 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
         ...(defaults.net.privateLinkSubnetAddressPrefix !== net.privateLinkSubnetAddressPrefix && {privateLinkSubnetAddressPrefix: net.privateLinkSubnetAddressPrefix}),
     }),
     ...(deploy.enableTelemetry !== defaults.deploy.enableTelemetry && {enableTelemetry: deploy.enableTelemetry }),
-    ...(addons.monitor === "aci" && { omsagent: true, retentionInDays: addons.retentionInDays, ...( addons.createAksMetricAlerts !== defaults.addons.createAksMetricAlerts && {createAksMetricAlerts: addons.createAksMetricAlerts }) }),
+    ...(addons.monitor === "aci" && {
+        omsagent: true, retentionInDays: addons.retentionInDays,
+        ...( addons.logDataCap !== defaults.addons.logDataCap && {logDataCap: addons.logDataCap }),
+        ...( addons.createAksMetricAlerts !== defaults.addons.createAksMetricAlerts && {createAksMetricAlerts: addons.createAksMetricAlerts })
+       }),
     ...(addons.networkPolicy !== "none" && { networkPolicy: addons.networkPolicy }),
     ...(defaults.addons.openServiceMeshAddon !== addons.openServiceMeshAddon && {openServiceMeshAddon: addons.openServiceMeshAddon }),
     ...(addons.azurepolicy !== "none" && { azurepolicy: addons.azurepolicy }),

helper/src/components/portalnav.js

@@ -44,14 +44,14 @@ function Header({ presets, setPresets, selectedPreset, featureFlag }) {
 
         <div style={{ display: "inline-block", padding: "11px 12px 0px" }}>
           <Link className="navbar-brand no-outline" >
-            <Image src="aks.svg" height="33px" />
+            <Image src="aks.svg" height="33px" alt='aks logo' />
           </Link>
           <Text nowrap variant="xLarge" className={titleClass} >AKS Construction <span style={{ "color": "red" }}>Helper</span></Text>
           <Text className={titleClass} style={{ "marginTop": "6px", "marginLeft": "20px" }}>Documentation and CI/CD samples are in the <a href="https://github.com/Azure/AKS-Construction" target="_blank" rel="noopener noreferrer">GitHub Repository</a> and at the <a href="https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/app-platform/aks/landing-zone-accelerator" target="_blank" rel="noopener noreferrer">AKS Landing Zone Accelerator</a> docs</Text>
         </div>
         <div style={{ display: "inline-block", float: "right" }}>
 
-          <CommandBarButton iconProps={{ iconName: presets[selectedPreset].icon }} menuProps={{
+          <CommandBarButton aria-label='Preset scenario' iconProps={{ iconName: presets[selectedPreset].icon }} menuProps={{
             items: Object.keys(presets).map(p => {
               return {
                 key: p,

helper/src/config.json

@@ -55,6 +55,7 @@
             "DefenderForContainers" : false
         },
         "addons": {
+            "logDataCap": 0,
             "acrUntaggedRetentionPolicy": 30,
             "acrUntaggedRetentionPolicyEnabled": false,
             "enableACRTrustPolicy": false,

samples/shared-acr/acr-rbac.bicep

@@ -14,7 +14,7 @@ resource aks 'Microsoft.ContainerService/managedClusters@2021-10-01' existing =
 }
 
 //Create the RBAC
-var AcrPullRole = resourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
+var AcrPullRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
 var KubeletObjectId = any(aks.properties.identityProfile.kubeletidentity).objectId
 
 resource aks_acr_pull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {