Monitoring: Guidance and datacap (#459)

* adding daily data cap

Signed-off-by: Gordonby <gordon.byers@microsoft.com>

* data cap final tweak and subscriptionResourceId changes

Signed-off-by: Gordonby <gordon.byers@microsoft.com>

* spinbutton

Signed-off-by: Gordonby <gordon.byers@microsoft.com>

* deployTab

Signed-off-by: Gordonby <gordon.byers@microsoft.com>

* accessibility

Signed-off-by: Gordonby <gordon.byers@microsoft.com>

* Update AppDeploy_AzureVote.yml

Signed-off-by: Gordonby <gordon.byers@microsoft.com>
Gordon Byers 2022-11-17 14:33:44 +00:00 коммит произвёл GitHub
Родитель 29b96b1885
Коммит 1abbb2c4ef
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
13 изменённых файлов: 58 добавлений и 32 удалений

.github/workflows/AppDeploy_AzureVote.yml поставляемый

@ -46,7 +46,7 @@ on:
default: false
required: false
HELMPACKAGEURI:
default: "https://github.com/Gordonby/minihelm/raw/main/samples/AzureVote-0.9.82.tgz" #"https://github.com/Gordonby/minihelm/raw/main/samples/AzureVote-0.9.8.tgz"
default: "https://github.com/Gordonby/minihelm/raw/main/samples/AzureVote-0.9.8.tgz"
required: false
type: string
description: "The location of the Helm package"


@ -720,7 +720,7 @@ resource PV_usage_violates_the_configured_threshold_for_clustername_CI_21 'micro
}
resource Daily_data_cap_breached_for_workspace_logworkspacename_CIQ_1_name_resource 'microsoft.insights/scheduledqueryrules@2021-02-01-preview' = {
resource Daily_law_datacap 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
name: 'Daily data cap breached for workspace ${logAnalyticsWorkspaceName} CIQ-1'
location: logAnalyticsWorkspaceLocation
properties: {


@ -10,7 +10,7 @@ param user_identity_principalId string
])
param rbacAssignmentScope string = 'Subnet'
var networkContributorRole = resourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
var networkContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
var existingAksSubnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[10] : ''
var existingAksVnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[8] : ''


@ -145,7 +145,7 @@ resource appgw 'Microsoft.Network/applicationGateways@2020-07-01' = if (!empty(u
}
param agicPrincipleId string
var contributor = resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
var contributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
// https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal
resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
scope: appgw
@ -157,7 +157,7 @@ resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2020-04-01-pr
}
}
var reader = resourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
var reader = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
resource appGwAGICRGReader 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
scope: resourceGroup()
name: guid(resourceGroup().id, appgwName, 'rgread')


@ -11,7 +11,7 @@ resource privateDns 'Microsoft.Network/privateDnsZones@2020-06-01' existing = if
name: dnsZoneName
}
var DNSZoneContributor = resourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
var DNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (!isPrivate) {
scope: dns
name: guid(dns.id, principalId, DNSZoneContributor)
@ -22,7 +22,7 @@ resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
}
}
var PrivateDNSZoneContributor = resourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
var PrivateDNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (isPrivate) {
scope: privateDns
name: guid(privateDns.id, principalId, PrivateDNSZoneContributor)
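Review bot: Switching `DNSZoneContributor` and `PrivateDNSZoneContributor` to `subscriptionResourceId(...)` also changes the value fed into `name: guid(dns.id, principalId, DNSZoneContributor)` and its private-zone counterpart, so a redeployment into an existing environment computes a new role-assignment name while the assignment created under the old name is not removed by an incremental deployment. Depending on how the authorization provider treats a second assignment for the same principal, role and scope, that presumably either leaves an orphaned duplicate to clean up by hand or fails the deployment with a conflict; it deserves a sentence in the PR description and in any upgrade guidance. The same coupling exists for the `guid(...)` names in the main template section (`reader`, `managedIdentityOperator`, `buildInAKSRBACClusterAdmin`, `MonitoringMetricsPublisherRole`) and most likely in the subnet and ACR sections, where the name line is outside the hunk. A comment above each variable such as `// Built-in roles are subscription-scoped; this value also seeds the deterministic role-assignment name below` would make the dependency visible. Both `dnsContributor` and `privateDnsContributor` resource bodies continue outside the hunk.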


@ -39,14 +39,14 @@ param rbacCertOfficerUsers array = []
@description('An array of User IDs')
param rbacAdminUsers array = []
var keyVaultAdministratorRole = resourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
var keyVaultContributorRole = resourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')
var keyVaultSecretsUserRole = resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
var keyVaultSecretsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
var keyVaultCertsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
var keyVaultCryptoUserRole = resourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
var keyVaultCryptoOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
var keyVaultCryptoServiceEncrpytionRole = resourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6')
var keyVaultAdministratorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
var keyVaultContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')
var keyVaultSecretsUserRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
var keyVaultSecretsOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
var keyVaultCertsOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
var keyVaultCryptoUserRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
var keyVaultCryptoOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
var keyVaultCryptoServiceEncrpytionRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6')
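Review bot: The rewritten line `var keyVaultCryptoServiceEncrpytionRole = subscriptionResourceId(...)` carries the misspelling `Encrpytion` forward; since every declaration in this block is being touched anyway, renaming it to `keyVaultCryptoServiceEncryptionRole` (together with its references, which are outside the hunk) is cheapest now. The role-assignment resources that consume these eight variables are outside the hunk, so whether their `name: guid(...)` values incorporate the variable, and therefore change with this commit, cannot be confirmed from here.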
resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
name: keyVaultName


@ -466,7 +466,7 @@ module acrPool 'acragentpool.bicep' = if (custom_vnet && (!empty(registries_sku)
}
}
var AcrPullRole = resourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
var AcrPullRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
var KubeletObjectId = any(aks.properties.identityProfile.kubeletidentity).objectId
resource aks_acr_pull 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(registries_sku)) {
@ -479,7 +479,7 @@ resource aks_acr_pull 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
}
}
var AcrPushRole = resourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec')
var AcrPushRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec')
@description('The principal ID of the service principal to assign the push role to the ACR')
param acrPushRolePrincipalId string = ''
@ -754,7 +754,7 @@ resource appgw 'Microsoft.Network/applicationGateways@2021-02-01' = if (deployAp
properties: appgwProperties
}
var contributor = resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
var contributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
// https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal
// AGIC's identity requires "Contributor" permission over Application Gateway.
resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (ingressApplicationGateway && deployAppGw) {
@ -768,7 +768,7 @@ resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2022-04-01' =
}
// AGIC's identity requires "Reader" permission over Application Gateway's resource group.
var reader = resourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
var reader = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
resource appGwAGICRGReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (ingressApplicationGateway && deployAppGw) {
scope: resourceGroup()
name: guid(aks.id, 'Agic', reader)
@ -780,7 +780,7 @@ resource appGwAGICRGReader 'Microsoft.Authorization/roleAssignments@2022-04-01'
}
// AGIC's identity requires "Managed Identity Operator" permission over the user assigned identity of Application Gateway.
var managedIdentityOperator = resourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
var managedIdentityOperator = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
resource appGwAGICMIOp 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (ingressApplicationGateway && deployAppGw) {
scope: appGwIdentity
name: guid(aks.id, 'Agic', managedIdentityOperator)
@ -1350,7 +1350,7 @@ param automatedDeployment bool = false
@description('The principal ID to assign the AKS admin role.')
param adminPrincipalId string = ''
// for AAD Integrated Cluster wusing 'enableAzureRBAC', add Cluster admin to the current user!
var buildInAKSRBACClusterAdmin = resourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')
var buildInAKSRBACClusterAdmin = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')
resource aks_admin_role_assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableAzureRBAC && !empty(adminPrincipalId)) {
scope: aks // Use when specifying a scope that is different than the deployment scope
name: guid(aks.id, 'aksadmin', buildInAKSRBACClusterAdmin)
@ -1482,20 +1482,27 @@ module aksmetricalerts './aksmetricalerts.bicep' = if (createLaw) {
@description('The Log Analytics retention period')
param retentionInDays int = 30
@description('The Log Analytics daily data cap (GB) (0=no limit)')
param logDataCap int = 0
var aks_law_name = 'log-${resourceName}'
var createLaw = (omsagent || deployAppGw || azureFirewalls || CreateNetworkSecurityGroups || defenderForContainers)
resource aks_law 'Microsoft.OperationalInsights/workspaces@2021-06-01' = if (createLaw) {
resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (createLaw) {
name: aks_law_name
location: location
properties: {
properties : union({
retentionInDays: retentionInDays
}
},
logDataCap>0 ? { workspaceCapping: {
dailyQuotaGb: logDataCap
}} : {}
)
}
//This role assignment enables AKS->LA Fast Alerting experience
var MonitoringMetricsPublisherRole = resourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
var MonitoringMetricsPublisherRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
resource FastAlertingRole_Aks_Law 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (omsagent) {
scope: aks
name: guid(aks.id, 'omsagent', MonitoringMetricsPublisherRole)
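Review bot: `param logDataCap int = 0` accepts negative values, which the `logDataCap>0` guard inside the `union(...)` expression silently turns into "no cap" instead of a validation error; adding `@minValue(0)` directly above the param makes the contract explicit and fails at validate/what-if time rather than at runtime. The description could also record the operational trade-off, e.g. `@description('The Log Analytics daily data cap (GB) (0=no limit). Once the cap is reached, further ingestion for that day is dropped, which can hide the audit and security signals the monitoring alerts depend on.')` — confirm the current workspaceCapping behaviour for security data types before wording it as absolute. The `aks_law` resource is complete within this hunk; the `FastAlertingRole_Aks_Law` resource continues past it.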


@ -2,7 +2,7 @@ param vnetName string
param subnetName string
param servicePrincipalId string
var networkContributorRole = resourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
var networkContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-01-01' existing = {
name: '${vnetName}/${subnetName}'


@ -1,6 +1,6 @@
/* eslint-disable import/no-anonymous-default-export */
import React from 'react';
import { TextField, Link, Separator, Dropdown, Slider, Stack, Text, Label, ChoiceGroup, Checkbox, MessageBar, MessageBarType } from '@fluentui/react';
import { TextField, Link, Separator, Dropdown, Slider, Stack, Text, Label, ChoiceGroup, Checkbox, MessageBar, MessageBarType, SpinButton } from '@fluentui/react';
import { adv_stackstyle, hasError, getError } from './common'
@ -208,6 +208,9 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) {
<Stack.Item align="start">
<Label >Cluster Monitoring requirements</Label>
<MessageBar>Observing your clusters health is critical to smooth operations, select the managed Azure Monitor for Containers option, or the open source CNCF Prometheus/Grafana solution</MessageBar>
{ addons.monitor === "aci" &&
<MessageBar messageBarType={MessageBarType.info}>For sending logs to a central subscription workspace, use <Link target="_target" href="https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings-policy">Azure Policy</Link> to configure AKS DiagnosticSettings.</MessageBar>
}
<ChoiceGroup
styles={{ root: { marginLeft: '50px' } }}
selectedKey={addons.monitor}
@ -244,6 +247,17 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) {
]}
/>
<SpinButton
label="Daily data cap (GB)"
value={addons.logDataCap}
onChange={(ev, v) => updateFn("logDataCap", v)}
min={0}
step={1}
incrementButtonAriaLabel="Increase value by 1"
decrementButtonAriaLabel="Decrease value by 1"
styles={{ root: { marginTop: '15px'}}}
/>
<Checkbox styles={{ root: { marginTop: '10px'}}} checked={addons.createAksMetricAlerts} onChange={(ev, v) => updateFn("createAksMetricAlerts", v)} label={<Text>Create recommended metric alerts, enable you to monitor your system resource when it's running on peak capacity or hitting failure rates (<Link target="_target" href="https://azure.microsoft.com/en-us/updates/ci-recommended-alerts/">docs</Link>) </Text>} />
</Stack.Item>
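Review bot: Fluent UI's `SpinButton` delivers `v` to `onChange` as a string and expects `value` as a string, whereas the default `"logDataCap": 0` and the Bicep `param logDataCap int` are numeric; storing the raw `v` means a user who types a value and then returns to 0 still ships `logDataCap: "0"` (it is `!== 0`, so the deploy-tab comparison in the later section emits it), and a string reaching an `int` template parameter would presumably be rejected at deployment validation. Normalise at the boundary: `value={String(addons.logDataCap)}` and `onChange={(ev, v) => updateFn("logDataCap", Number.parseInt(v, 10) || 0)}`. Separately, the new `<Link target="_target" ...>` in the first hunk uses a non-standard target (`_target` is not a reserved keyword, so it behaves as a named window) and omits the `rel="noopener noreferrer"` the header component already applies to its external anchors; `target="_blank" rel="noopener noreferrer"` keeps it consistent. The enclosing component function starts before and ends after both hunks.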


@ -66,7 +66,11 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
...(defaults.net.privateLinkSubnetAddressPrefix !== net.privateLinkSubnetAddressPrefix && {privateLinkSubnetAddressPrefix: net.privateLinkSubnetAddressPrefix}),
}),
...(deploy.enableTelemetry !== defaults.deploy.enableTelemetry && {enableTelemetry: deploy.enableTelemetry }),
...(addons.monitor === "aci" && { omsagent: true, retentionInDays: addons.retentionInDays, ...( addons.createAksMetricAlerts !== defaults.addons.createAksMetricAlerts && {createAksMetricAlerts: addons.createAksMetricAlerts }) }),
...(addons.monitor === "aci" && {
omsagent: true, retentionInDays: addons.retentionInDays,
...( addons.logDataCap !== defaults.addons.logDataCap && {logDataCap: addons.logDataCap }),
...( addons.createAksMetricAlerts !== defaults.addons.createAksMetricAlerts && {createAksMetricAlerts: addons.createAksMetricAlerts })
}),
...(addons.networkPolicy !== "none" && { networkPolicy: addons.networkPolicy }),
...(defaults.addons.openServiceMeshAddon !== addons.openServiceMeshAddon && {openServiceMeshAddon: addons.openServiceMeshAddon }),
...(addons.azurepolicy !== "none" && { azurepolicy: addons.azurepolicy }),


@ -44,14 +44,14 @@ function Header({ presets, setPresets, selectedPreset, featureFlag }) {
<div style={{ display: "inline-block", padding: "11px 12px 0px" }}>
<Link className="navbar-brand no-outline" >
<Image src="aks.svg" height="33px" />
<Image src="aks.svg" height="33px" alt='aks logo' />
</Link>
<Text nowrap variant="xLarge" className={titleClass} >AKS Construction <span style={{ "color": "red" }}>Helper</span></Text>
<Text className={titleClass} style={{ "marginTop": "6px", "marginLeft": "20px" }}>Documentation and CI/CD samples are in the <a href="https://github.com/Azure/AKS-Construction" target="_blank" rel="noopener noreferrer">GitHub Repository</a> and at the <a href="https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/app-platform/aks/landing-zone-accelerator" target="_blank" rel="noopener noreferrer">AKS Landing Zone Accelerator</a> docs</Text>
</div>
<div style={{ display: "inline-block", float: "right" }}>
<CommandBarButton iconProps={{ iconName: presets[selectedPreset].icon }} menuProps={{
<CommandBarButton aria-label='Preset scenario' iconProps={{ iconName: presets[selectedPreset].icon }} menuProps={{
items: Object.keys(presets).map(p => {
return {
key: p,


@ -55,6 +55,7 @@
"DefenderForContainers" : false
},
"addons": {
"logDataCap": 0,
"acrUntaggedRetentionPolicy": 30,
"acrUntaggedRetentionPolicyEnabled": false,
"enableACRTrustPolicy": false,


@ -14,7 +14,7 @@ resource aks 'Microsoft.ContainerService/managedClusters@2021-10-01' existing =
}
//Create the RBAC
var AcrPullRole = resourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
var AcrPullRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
var KubeletObjectId = any(aks.properties.identityProfile.kubeletidentity).objectId
resource aks_acr_pull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {