Monitoring: Guidance and datacap (#459)
* adding daily data cap Signed-off-by: Gordonby <gordon.byers@microsoft.com> * data cap final tweak and subscriptionResourceId changes Signed-off-by: Gordonby <gordon.byers@microsoft.com> * spinbutton Signed-off-by: Gordonby <gordon.byers@microsoft.com> * deployTab Signed-off-by: Gordonby <gordon.byers@microsoft.com> * accessibility Signed-off-by: Gordonby <gordon.byers@microsoft.com> * Update AppDeploy_AzureVote.yml Signed-off-by: Gordonby <gordon.byers@microsoft.com>
This commit is contained in:
Родитель
29b96b1885
Коммит
1abbb2c4ef
|
@ -46,7 +46,7 @@ on:
|
|||
default: false
|
||||
required: false
|
||||
HELMPACKAGEURI:
|
||||
default: "https://github.com/Gordonby/minihelm/raw/main/samples/AzureVote-0.9.82.tgz" #"https://github.com/Gordonby/minihelm/raw/main/samples/AzureVote-0.9.8.tgz"
|
||||
default: "https://github.com/Gordonby/minihelm/raw/main/samples/AzureVote-0.9.8.tgz"
|
||||
required: false
|
||||
type: string
|
||||
description: "The location of the Helm package"
|
||||
|
|
|
@ -720,7 +720,7 @@ resource PV_usage_violates_the_configured_threshold_for_clustername_CI_21 'micro
|
|||
}
|
||||
|
||||
|
||||
resource Daily_data_cap_breached_for_workspace_logworkspacename_CIQ_1_name_resource 'microsoft.insights/scheduledqueryrules@2021-02-01-preview' = {
|
||||
resource Daily_law_datacap 'Microsoft.Insights/scheduledQueryRules@2022-06-15' = {
|
||||
name: 'Daily data cap breached for workspace ${logAnalyticsWorkspaceName} CIQ-1'
|
||||
location: logAnalyticsWorkspaceLocation
|
||||
properties: {
|
||||
|
|
|
@ -10,7 +10,7 @@ param user_identity_principalId string
|
|||
])
|
||||
param rbacAssignmentScope string = 'Subnet'
|
||||
|
||||
var networkContributorRole = resourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
|
||||
var networkContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
|
||||
|
||||
var existingAksSubnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[10] : ''
|
||||
var existingAksVnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[8] : ''
|
||||
|
|
|
@ -145,7 +145,7 @@ resource appgw 'Microsoft.Network/applicationGateways@2020-07-01' = if (!empty(u
|
|||
}
|
||||
|
||||
param agicPrincipleId string
|
||||
var contributor = resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
|
||||
var contributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
|
||||
// https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal
|
||||
resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
|
||||
scope: appgw
|
||||
|
@ -157,7 +157,7 @@ resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2020-04-01-pr
|
|||
}
|
||||
}
|
||||
|
||||
var reader = resourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
|
||||
var reader = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
|
||||
resource appGwAGICRGReader 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
|
||||
scope: resourceGroup()
|
||||
name: guid(resourceGroup().id, appgwName, 'rgread')
|
||||
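Review bot: The `appGwAGICContrib` and `appGwAGICRGReader` resources in these two hunks stay on `Microsoft.Authorization/roleAssignments@2020-04-01-preview`, while the role assignments this commit touches in the large section further down (the one containing `aks_law`) are on `@2022-04-01`; since the adjacent `contributor`/`reader` lines are being edited anyway, switching to `'Microsoft.Authorization/roleAssignments@2022-04-01'` would keep the API version consistent across the repository. The same applies to `dnsContributor` and `privateDnsContributor` in the next section. Both resource bodies continue outside their hunks.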
|
|
|
@ -11,7 +11,7 @@ resource privateDns 'Microsoft.Network/privateDnsZones@2020-06-01' existing = if
|
|||
name: dnsZoneName
|
||||
}
|
||||
|
||||
var DNSZoneContributor = resourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
|
||||
var DNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
|
||||
resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (!isPrivate) {
|
||||
scope: dns
|
||||
name: guid(dns.id, principalId, DNSZoneContributor)
|
||||
|
@ -22,7 +22,7 @@ resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
|
|||
}
|
||||
}
|
||||
|
||||
var PrivateDNSZoneContributor = resourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
|
||||
var PrivateDNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
|
||||
resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (isPrivate) {
|
||||
scope: privateDns
|
||||
name: guid(privateDns.id, principalId, PrivateDNSZoneContributor)
|
||||
|
|
|
@ -39,14 +39,14 @@ param rbacCertOfficerUsers array = []
|
|||
@description('An array of User IDs')
|
||||
param rbacAdminUsers array = []
|
||||
|
||||
var keyVaultAdministratorRole = resourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
|
||||
var keyVaultContributorRole = resourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')
|
||||
var keyVaultSecretsUserRole = resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
|
||||
var keyVaultSecretsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
|
||||
var keyVaultCertsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
|
||||
var keyVaultCryptoUserRole = resourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
|
||||
var keyVaultCryptoOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
|
||||
var keyVaultCryptoServiceEncrpytionRole = resourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6')
|
||||
var keyVaultAdministratorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')
|
||||
var keyVaultContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f25e0fa2-a7c8-4377-a976-54943a77a395')
|
||||
var keyVaultSecretsUserRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
|
||||
var keyVaultSecretsOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7')
|
||||
var keyVaultCertsOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985')
|
||||
var keyVaultCryptoUserRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
|
||||
var keyVaultCryptoOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
|
||||
var keyVaultCryptoServiceEncrpytionRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6')
|
||||
|
||||
resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
|
||||
name: keyVaultName
|
||||
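Review bot: The rewritten line `var keyVaultCryptoServiceEncrpytionRole = subscriptionResourceId(...)` carries the misspelling `Encrpytion` forward and is also the only one of the eight declarations without a space after the comma; since the line is already being changed, renaming it to `keyVaultCryptoServiceEncryptionRole` (and updating its uses, which are outside this hunk) would be the natural moment. The other seven variables follow a consistent `keyVault<Role>Role` pattern, so this is the single outlier.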
|
|
|
@ -466,7 +466,7 @@ module acrPool 'acragentpool.bicep' = if (custom_vnet && (!empty(registries_sku)
|
|||
}
|
||||
}
|
||||
|
||||
var AcrPullRole = resourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
|
||||
var AcrPullRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
|
||||
var KubeletObjectId = any(aks.properties.identityProfile.kubeletidentity).objectId
|
||||
|
||||
resource aks_acr_pull 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(registries_sku)) {
|
||||
|
@ -479,7 +479,7 @@ resource aks_acr_pull 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
|
|||
}
|
||||
}
|
||||
|
||||
var AcrPushRole = resourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec')
|
||||
var AcrPushRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8311e382-0749-4cb8-b61a-304f252e45ec')
|
||||
|
||||
@description('The principal ID of the service principal to assign the push role to the ACR')
|
||||
param acrPushRolePrincipalId string = ''
|
||||
|
@ -754,7 +754,7 @@ resource appgw 'Microsoft.Network/applicationGateways@2021-02-01' = if (deployAp
|
|||
properties: appgwProperties
|
||||
}
|
||||
|
||||
var contributor = resourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
|
||||
var contributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
|
||||
// https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template#new-service-principal
|
||||
// AGIC's identity requires "Contributor" permission over Application Gateway.
|
||||
resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (ingressApplicationGateway && deployAppGw) {
|
||||
|
@ -768,7 +768,7 @@ resource appGwAGICContrib 'Microsoft.Authorization/roleAssignments@2022-04-01' =
|
|||
}
|
||||
|
||||
// AGIC's identity requires "Reader" permission over Application Gateway's resource group.
|
||||
var reader = resourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
|
||||
var reader = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
|
||||
resource appGwAGICRGReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (ingressApplicationGateway && deployAppGw) {
|
||||
scope: resourceGroup()
|
||||
name: guid(aks.id, 'Agic', reader)
|
||||
|
@ -780,7 +780,7 @@ resource appGwAGICRGReader 'Microsoft.Authorization/roleAssignments@2022-04-01'
|
|||
}
|
||||
|
||||
// AGIC's identity requires "Managed Identity Operator" permission over the user assigned identity of Application Gateway.
|
||||
var managedIdentityOperator = resourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
|
||||
var managedIdentityOperator = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
|
||||
resource appGwAGICMIOp 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (ingressApplicationGateway && deployAppGw) {
|
||||
scope: appGwIdentity
|
||||
name: guid(aks.id, 'Agic', managedIdentityOperator)
|
||||
|
@ -1350,7 +1350,7 @@ param automatedDeployment bool = false
|
|||
@description('The principal ID to assign the AKS admin role.')
|
||||
param adminPrincipalId string = ''
|
||||
// for AAD Integrated Cluster wusing 'enableAzureRBAC', add Cluster admin to the current user!
|
||||
var buildInAKSRBACClusterAdmin = resourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')
|
||||
var buildInAKSRBACClusterAdmin = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')
|
||||
resource aks_admin_role_assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableAzureRBAC && !empty(adminPrincipalId)) {
|
||||
scope: aks // Use when specifying a scope that is different than the deployment scope
|
||||
name: guid(aks.id, 'aksadmin', buildInAKSRBACClusterAdmin)
|
||||
|
@ -1482,20 +1482,27 @@ module aksmetricalerts './aksmetricalerts.bicep' = if (createLaw) {
|
|||
@description('The Log Analytics retention period')
|
||||
param retentionInDays int = 30
|
||||
|
||||
@description('The Log Analytics daily data cap (GB) (0=no limit)')
|
||||
param logDataCap int = 0
|
||||
|
||||
var aks_law_name = 'log-${resourceName}'
|
||||
|
||||
var createLaw = (omsagent || deployAppGw || azureFirewalls || CreateNetworkSecurityGroups || defenderForContainers)
|
||||
|
||||
resource aks_law 'Microsoft.OperationalInsights/workspaces@2021-06-01' = if (createLaw) {
|
||||
resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (createLaw) {
|
||||
name: aks_law_name
|
||||
location: location
|
||||
properties: {
|
||||
properties : union({
|
||||
retentionInDays: retentionInDays
|
||||
}
|
||||
},
|
||||
logDataCap>0 ? { workspaceCapping: {
|
||||
dailyQuotaGb: logDataCap
|
||||
}} : {}
|
||||
)
|
||||
}
|
||||
|
||||
//This role assignment enables AKS->LA Fast Alerting experience
|
||||
var MonitoringMetricsPublisherRole = resourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
|
||||
var MonitoringMetricsPublisherRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
|
||||
resource FastAlertingRole_Aks_Law 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (omsagent) {
|
||||
scope: aks
|
||||
name: guid(aks.id, 'omsagent', MonitoringMetricsPublisherRole)
|
||||
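Review bot: `param logDataCap int = 0` accepts negative values, which the `logDataCap>0` test in `aks_law` then silently treats as "no limit"; adding `@minValue(0)` above the `@description` makes a mistyped value fail at validation instead of quietly removing the cap. The description could also state the operational consequence, because once a daily quota is reached the workspace stops accepting data for the rest of the day and every source feeding it is affected — including the Defender for Containers and NSG sources that are among the `createLaw` conditions on the context line: `@description('The Log Analytics daily data cap in GB (0 = no limit). When the cap is reached, further ingestion is dropped for the rest of the day, so pair it with the daily cap alert.')`. The `aks_law` body closes inside the hunk; the file continues with the role assignment below.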
|
|
|
@ -2,7 +2,7 @@ param vnetName string
|
|||
param subnetName string
|
||||
param servicePrincipalId string
|
||||
|
||||
var networkContributorRole = resourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
|
||||
var networkContributorRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
|
||||
|
||||
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-01-01' existing = {
|
||||
name: '${vnetName}/${subnetName}'
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
/* eslint-disable import/no-anonymous-default-export */
|
||||
import React from 'react';
|
||||
import { TextField, Link, Separator, Dropdown, Slider, Stack, Text, Label, ChoiceGroup, Checkbox, MessageBar, MessageBarType } from '@fluentui/react';
|
||||
import { TextField, Link, Separator, Dropdown, Slider, Stack, Text, Label, ChoiceGroup, Checkbox, MessageBar, MessageBarType, SpinButton } from '@fluentui/react';
|
||||
import { adv_stackstyle, hasError, getError } from './common'
|
||||
|
||||
|
||||
|
@ -208,6 +208,9 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) {
|
|||
<Stack.Item align="start">
|
||||
<Label >Cluster Monitoring requirements</Label>
|
||||
<MessageBar>Observing your clusters health is critical to smooth operations, select the managed Azure Monitor for Containers option, or the open source CNCF Prometheus/Grafana solution</MessageBar>
|
||||
{ addons.monitor === "aci" &&
|
||||
<MessageBar messageBarType={MessageBarType.info}>For sending logs to a central subscription workspace, use <Link target="_target" href="https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings-policy">Azure Policy</Link> to configure AKS DiagnosticSettings.</MessageBar>
|
||||
}
|
||||
<ChoiceGroup
|
||||
styles={{ root: { marginLeft: '50px' } }}
|
||||
selectedKey={addons.monitor}
|
||||
|
@ -244,6 +247,17 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) {
|
|||
]}
|
||||
/>
|
||||
|
||||
<SpinButton
|
||||
label="Daily data cap (GB)"
|
||||
value={addons.logDataCap}
|
||||
onChange={(ev, v) => updateFn("logDataCap", v)}
|
||||
min={0}
|
||||
step={1}
|
||||
incrementButtonAriaLabel="Increase value by 1"
|
||||
decrementButtonAriaLabel="Decrease value by 1"
|
||||
styles={{ root: { marginTop: '15px'}}}
|
||||
/>
|
||||
|
||||
<Checkbox styles={{ root: { marginTop: '10px'}}} checked={addons.createAksMetricAlerts} onChange={(ev, v) => updateFn("createAksMetricAlerts", v)} label={<Text>Create recommended metric alerts, enable you to monitor your system resource when it's running on peak capacity or hitting failure rates (<Link target="_target" href="https://azure.microsoft.com/en-us/updates/ci-recommended-alerts/">docs</Link>) </Text>} />
|
||||
|
||||
</Stack.Item>
|
||||
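Review bot: In the new `SpinButton`, `onChange={(ev, v) => updateFn("logDataCap", v)}` stores `v` as a string, because Fluent UI's SpinButton passes its new value as a string, while the default in the JSON hunk of this commit is the number `0`; convert before storing, e.g. `onChange={(ev, v) => updateFn("logDataCap", Number(v))}`. Otherwise the `addons.logDataCap !== defaults.addons.logDataCap` comparison in the `DeployTab` hunk compares a string with a number (so `"0"` is always emitted once the control is touched) and the generated `logDataCap` parameter is a string rather than the `int` the Bicep param declares. In the MessageBar hunk above, the new `<Link target="_target" ...>` uses a non-standard target name and, unlike the header changes in this commit, omits `rel="noopener noreferrer"`; `target="_blank" rel="noopener noreferrer"` is the form used elsewhere. The enclosing component function starts outside the hunk.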
|
|
|
@ -66,7 +66,11 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray,
|
|||
...(defaults.net.privateLinkSubnetAddressPrefix !== net.privateLinkSubnetAddressPrefix && {privateLinkSubnetAddressPrefix: net.privateLinkSubnetAddressPrefix}),
|
||||
}),
|
||||
...(deploy.enableTelemetry !== defaults.deploy.enableTelemetry && {enableTelemetry: deploy.enableTelemetry }),
|
||||
...(addons.monitor === "aci" && { omsagent: true, retentionInDays: addons.retentionInDays, ...( addons.createAksMetricAlerts !== defaults.addons.createAksMetricAlerts && {createAksMetricAlerts: addons.createAksMetricAlerts }) }),
|
||||
...(addons.monitor === "aci" && {
|
||||
omsagent: true, retentionInDays: addons.retentionInDays,
|
||||
...( addons.logDataCap !== defaults.addons.logDataCap && {logDataCap: addons.logDataCap }),
|
||||
...( addons.createAksMetricAlerts !== defaults.addons.createAksMetricAlerts && {createAksMetricAlerts: addons.createAksMetricAlerts })
|
||||
}),
|
||||
...(addons.networkPolicy !== "none" && { networkPolicy: addons.networkPolicy }),
|
||||
...(defaults.addons.openServiceMeshAddon !== addons.openServiceMeshAddon && {openServiceMeshAddon: addons.openServiceMeshAddon }),
|
||||
...(addons.azurepolicy !== "none" && { azurepolicy: addons.azurepolicy }),
|
||||
|
|
|
@ -44,14 +44,14 @@ function Header({ presets, setPresets, selectedPreset, featureFlag }) {
|
|||
|
||||
<div style={{ display: "inline-block", padding: "11px 12px 0px" }}>
|
||||
<Link className="navbar-brand no-outline" >
|
||||
<Image src="aks.svg" height="33px" />
|
||||
<Image src="aks.svg" height="33px" alt='aks logo' />
|
||||
</Link>
|
||||
<Text nowrap variant="xLarge" className={titleClass} >AKS Construction <span style={{ "color": "red" }}>Helper</span></Text>
|
||||
<Text className={titleClass} style={{ "marginTop": "6px", "marginLeft": "20px" }}>Documentation and CI/CD samples are in the <a href="https://github.com/Azure/AKS-Construction" target="_blank" rel="noopener noreferrer">GitHub Repository</a> and at the <a href="https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/app-platform/aks/landing-zone-accelerator" target="_blank" rel="noopener noreferrer">AKS Landing Zone Accelerator</a> docs</Text>
|
||||
</div>
|
||||
<div style={{ display: "inline-block", float: "right" }}>
|
||||
|
||||
<CommandBarButton iconProps={{ iconName: presets[selectedPreset].icon }} menuProps={{
|
||||
<CommandBarButton aria-label='Preset scenario' iconProps={{ iconName: presets[selectedPreset].icon }} menuProps={{
|
||||
items: Object.keys(presets).map(p => {
|
||||
return {
|
||||
key: p,
|
||||
|
|
|
@ -55,6 +55,7 @@
|
|||
"DefenderForContainers" : false
|
||||
},
|
||||
"addons": {
|
||||
"logDataCap": 0,
|
||||
"acrUntaggedRetentionPolicy": 30,
|
||||
"acrUntaggedRetentionPolicyEnabled": false,
|
||||
"enableACRTrustPolicy": false,
|
||||
|
|
|
@ -14,7 +14,7 @@ resource aks 'Microsoft.ContainerService/managedClusters@2021-10-01' existing =
|
|||
}
|
||||
|
||||
//Create the RBAC
|
||||
var AcrPullRole = resourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
|
||||
var AcrPullRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
|
||||
var KubeletObjectId = any(aks.properties.identityProfile.kubeletidentity).objectId
|
||||
|
||||
resource aks_acr_pull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
|
||||
|
|