Bicep refactor (#470)
* deployment names + LAW sku * bumping acr import * deployment name limit * better string trimming. * descriptive managed id name * bumping k8s version * api version bumps * linter warnings * ContainerLogV2 parent * adding v2configmap to gitignore * requestRoutingRule priority
Родитель
0f2054ba5b
Коммит
b3f609b5a6
|
@ -8,3 +8,4 @@ bicep/main.json
|
|||
helper/localsite.html
|
||||
helper/prodsite.html
|
||||
helper/build/**
|
||||
container-azm-ms-agentconfig.yaml
|
||||
|
|
|
@ -2,7 +2,7 @@ param location string = resourceGroup().location
|
|||
param acrName string
|
||||
param acrPoolSubnetId string = ''
|
||||
|
||||
resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' existing = {
|
||||
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
|
||||
name: acrName
|
||||
}
|
||||
|
||||
|
|
|
@ -59,8 +59,8 @@ resource userNodepool 'Microsoft.ContainerService/managedClusters/agentPools@202
|
|||
mode: 'User'
|
||||
vmSize: agentVMSize
|
||||
count: agentCount
|
||||
minCount: autoScale ? agentCount : json('null')
|
||||
maxCount: autoScale ? agentCountMax : json('null')
|
||||
minCount: autoScale ? agentCount : null
|
||||
maxCount: autoScale ? agentCountMax : null
|
||||
enableAutoScaling: autoScale
|
||||
availabilityZones: !empty(availabilityZones) ? availabilityZones : null
|
||||
osDiskType: osDiskType
|
||||
|
@ -69,7 +69,7 @@ resource userNodepool 'Microsoft.ContainerService/managedClusters/agentPools@202
|
|||
osType: osType
|
||||
maxPods: maxPods
|
||||
type: 'VirtualMachineScaleSets'
|
||||
vnetSubnetID: !empty(subnetId) ? subnetId : json('null')
|
||||
vnetSubnetID: !empty(subnetId) ? subnetId : null
|
||||
upgradeSettings: {
|
||||
maxSurge: '33%'
|
||||
}
|
||||
|
|
|
@ -15,15 +15,15 @@ var networkContributorRole = subscriptionResourceId('Microsoft.Authorization/rol
|
|||
var existingAksSubnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[10] : ''
|
||||
var existingAksVnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[8] : ''
|
||||
|
||||
resource existingvnet 'Microsoft.Network/virtualNetworks@2021-02-01' existing = {
|
||||
resource existingvnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
|
||||
name: existingAksVnetName
|
||||
}
|
||||
resource existingAksSubnet 'Microsoft.Network/virtualNetworks/subnets@2020-08-01' existing = {
|
||||
resource existingAksSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
|
||||
parent: existingvnet
|
||||
name: existingAksSubnetName
|
||||
}
|
||||
|
||||
resource subnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (rbacAssignmentScope == 'subnet') {
|
||||
resource subnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope == 'subnet') {
|
||||
name: guid(user_identity_principalId, networkContributorRole, existingAksSubnetName)
|
||||
scope: existingAksSubnet
|
||||
properties: {
|
||||
|
@ -33,7 +33,7 @@ resource subnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview'
|
|||
}
|
||||
}
|
||||
|
||||
resource existingVnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (rbacAssignmentScope != 'subnet') {
|
||||
resource existingVnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope != 'subnet') {
|
||||
name: guid(user_identity_principalId, networkContributorRole, existingAksVnetName)
|
||||
scope: existingvnet
|
||||
properties: {
|
||||
|
|
|
@ -25,7 +25,7 @@ resource appgwpip 'Microsoft.Network/publicIPAddresses@2020-07-01' = {
|
|||
var frontendPublicIpConfig = {
|
||||
properties: {
|
||||
publicIPAddress: {
|
||||
id: '${appgwpip.id}'
|
||||
id: appgwpip.id
|
||||
}
|
||||
}
|
||||
name: 'appGatewayFrontendIP'
|
||||
|
|
|
@ -1,9 +1,13 @@
|
|||
|
||||
{
|
||||
"analyzers": {
|
||||
"core": {
|
||||
"enabled": true,
|
||||
"verbose": false,
|
||||
"rules": {
|
||||
"use-recent-api-versions" : {
|
||||
"level": "warning"
|
||||
},
|
||||
"no-hardcoded-location" : {
|
||||
"level": "error"
|
||||
},
|
||||
|
|
|
@ -12,7 +12,7 @@ resource privateDns 'Microsoft.Network/privateDnsZones@2020-06-01' existing = if
|
|||
}
|
||||
|
||||
var DNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
|
||||
resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (!isPrivate) {
|
||||
resource dnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!isPrivate) {
|
||||
scope: dns
|
||||
name: guid(dns.id, principalId, DNSZoneContributor)
|
||||
properties: {
|
||||
|
@ -23,7 +23,7 @@ resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
|
|||
}
|
||||
|
||||
var PrivateDNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
|
||||
resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (isPrivate) {
|
||||
resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (isPrivate) {
|
||||
scope: privateDns
|
||||
name: guid(privateDns.id, principalId, PrivateDNSZoneContributor)
|
||||
properties: {
|
||||
|
|
|
@ -15,7 +15,7 @@ var dnsZoneName = !empty(dnsZoneId) ? split(dnsZoneId, '/')[8] : ''
|
|||
var isDnsZonePrivate = !empty(dnsZoneId) ? split(dnsZoneId, '/')[7] == 'privateDnsZones' : false
|
||||
|
||||
module dnsZone './dnsZone.bicep' = if (!empty(dnsZoneId)) {
|
||||
name: 'dns-${dnsZoneName}'
|
||||
name: take('${deployment().name}-dns-${dnsZoneName}',64)
|
||||
scope: resourceGroup(dnsZoneRg)
|
||||
params: {
|
||||
dnsZoneName: dnsZoneName
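Review bot: `take('${deployment().name}-dns-${dnsZoneName}',64)` trims from the right, so the distinguishing suffix is what gets cut; when `deployment().name` is itself near the 64-character limit every module name in the template collapses onto the same prefix and sibling nested deployments in one resource group collide. The same shape is applied to every module name in this commit (the remaining modules in main.bicep, network.bicep and nsg.bicep), so one pattern would fix them all. Trim the parent part instead and keep the suffix intact, e.g. `name: '${take(deployment().name, 64 - length('-dns-${dnsZoneName}'))}-dns-${dnsZoneName}'`, or use a fixed-width prefix such as `'${take(deployment().name, 40)}-dns-${dnsZoneName}'` when the suffix is short. The module body continues outside the hunk.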
|
||||
|
|
|
@ -25,7 +25,7 @@ var managementIpConfig = {
|
|||
}
|
||||
}
|
||||
|
||||
resource fw_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = {
|
||||
resource fw_pip 'Microsoft.Network/publicIPAddresses@2022-07-01' = {
|
||||
name: firewallPublicIpName
|
||||
location: location
|
||||
sku: {
|
||||
|
@ -38,7 +38,7 @@ resource fw_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = {
|
|||
}
|
||||
}
|
||||
|
||||
resource fwManagementIp_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = if(fwSku=='Basic') {
|
||||
resource fwManagementIp_pip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if(fwSku=='Basic') {
|
||||
name: firewallManagementPublicIpName
|
||||
location: location
|
||||
sku: {
|
||||
|
|
|
@ -21,14 +21,13 @@ param keyVaultIPAllowlist array = []
|
|||
|
||||
param logAnalyticsWorkspaceId string = ''
|
||||
|
||||
var akvRawName = 'kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}'
|
||||
var akvName = length(akvRawName) > 24 ? substring(akvRawName, 0, 24) : akvRawName
|
||||
var akvName = take('kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}',24)
|
||||
|
||||
var kvIPRules = [for kvIp in keyVaultIPAllowlist: {
|
||||
value: kvIp
|
||||
}]
|
||||
|
||||
resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
|
||||
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' = {
|
||||
name: akvName
|
||||
location: location
|
||||
properties: {
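Review bot: The new `akvName` line truncates from the right, so as soon as the sanitised `resourceName` exceeds 8 characters the cut lands inside the 13-character `uniqueString` suffix and the part of the vault name that guarantees global uniqueness is partly or wholly lost; the old `substring` form had the same behaviour, but since the line is being rewritten this is the moment to fix it. Trim the variable part and keep the hash whole: `var akvName = 'kv-${take(replace(resourceName, '-', ''), 8)}${uniqueString(resourceGroup().id, resourceName)}'` (3 + 8 + 13 = 24). The rewritten `flowLogStorageName` in network.bicep has the same problem with a `stflow` prefix, leaving 5 characters for `resourceName` there. The `kv` resource body continues outside the hunk.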
|
||||
|
@ -52,7 +51,7 @@ resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
|
|||
enabledForDiskEncryption: false
|
||||
enabledForTemplateDeployment: false
|
||||
enableSoftDelete: keyVaultSoftDelete
|
||||
enablePurgeProtection: keyVaultPurgeProtection ? true : json('null')
|
||||
enablePurgeProtection: keyVaultPurgeProtection ? true : null
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
param keyVaultName string
|
||||
|
||||
resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
|
||||
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
|
||||
name: keyVaultName
|
||||
}
|
||||
|
||||
resource kvKmsKey 'Microsoft.KeyVault/vaults/keys@2021-11-01-preview' = {
|
||||
resource kvKmsKey 'Microsoft.KeyVault/vaults/keys@2022-07-01' = {
|
||||
name: 'kmskey'
|
||||
parent: kv
|
||||
properties: {
|
||||
|
|
|
@ -48,7 +48,7 @@ var keyVaultCryptoUserRole = subscriptionResourceId('Microsoft.Authorization/rol
|
|||
var keyVaultCryptoOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
|
||||
var keyVaultCryptoServiceEncrpytionRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6')
|
||||
|
||||
resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
|
||||
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
|
||||
name: keyVaultName
|
||||
}
|
||||
|
||||
|
|
|
@ -40,7 +40,7 @@ param byoAGWSubnetId string = ''
|
|||
|
||||
//--- Custom, BYO networking and PrivateApiZones requires BYO AKS User Identity
|
||||
var createAksUai = custom_vnet || !empty(byoAKSSubnetId) || !empty(dnsApiPrivateZoneId) || keyVaultKmsCreateAndPrereqs || !empty(keyVaultKmsByoKeyId)
|
||||
resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = if (createAksUai) {
|
||||
resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (createAksUai) {
|
||||
name: 'id-aks-${resourceName}'
|
||||
location: location
|
||||
}
|
||||
|
@ -49,7 +49,7 @@ resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-pre
|
|||
var existingAksVnetRG = !empty(byoAKSSubnetId) ? (length(split(byoAKSSubnetId, '/')) > 4 ? split(byoAKSSubnetId, '/')[4] : '') : ''
|
||||
|
||||
module aksnetcontrib './aksnetcontrib.bicep' = if (!empty(byoAKSSubnetId) && createAksUai) {
|
||||
name: 'addAksNetContributor'
|
||||
name: take('${deployment().name}-addAksNetContributor',64)
|
||||
scope: resourceGroup(existingAksVnetRG)
|
||||
params: {
|
||||
byoAKSSubnetId: byoAKSSubnetId
|
||||
|
@ -115,7 +115,7 @@ param CreateNetworkSecurityGroups bool = false
|
|||
param CreateNetworkSecurityGroupFlowLogs bool = false
|
||||
|
||||
module network './network.bicep' = if (custom_vnet) {
|
||||
name: 'network'
|
||||
name: take('${deployment().name}-network',64)
|
||||
params: {
|
||||
resourceName: resourceName
|
||||
location: location
|
||||
|
@ -166,7 +166,7 @@ param dnsZoneId string = ''
|
|||
var isDnsZonePrivate = !empty(dnsZoneId) ? split(dnsZoneId, '/')[7] == 'privateDnsZones' : false
|
||||
|
||||
module dnsZone './dnsZoneRbac.bicep' = if (!empty(dnsZoneId)) {
|
||||
name: 'addDnsContributor'
|
||||
name: take('${deployment().name}-addDnsContributor',64)
|
||||
params: {
|
||||
dnsZoneId: dnsZoneId
|
||||
vnetId: isDnsZonePrivate ? (!empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/subnets')[0] : (custom_vnet ? network.outputs.vnetId : '')) : ''
|
||||
|
@ -202,7 +202,7 @@ param keyVaultAksCSIPollInterval string = '2m'
|
|||
|
||||
@description('Creates a KeyVault for application secrets (eg. CSI)')
|
||||
module kv 'keyvault.bicep' = if(keyVaultCreate) {
|
||||
name: 'keyvaultApps'
|
||||
name: take('${deployment().name}-keyvaultApps',64)
|
||||
params: {
|
||||
resourceName: resourceName
|
||||
keyVaultPurgeProtection: keyVaultPurgeProtection
|
||||
|
@ -224,7 +224,7 @@ var rbacSecretUserSps = union([deployAppGw && appgwKVIntegration ? appGwIdentity
|
|||
|
||||
@description('A seperate module is used for RBAC to avoid delaying the KeyVault creation and causing a circular reference.')
|
||||
module kvRbac 'keyvaultrbac.bicep' = if (keyVaultCreate) {
|
||||
name: 'KeyVaultAppsRbac'
|
||||
name: take('${deployment().name}-KeyVaultAppsRbac',64)
|
||||
params: {
|
||||
keyVaultName: keyVaultCreate ? kv.outputs.keyVaultName : ''
|
||||
|
||||
|
@ -266,14 +266,14 @@ var kmsRbacWaitSeconds=30
|
|||
@description('This indicates if the deploying user has provided their PrincipalId in order for the key to be created')
|
||||
var keyVaultKmsCreateAndPrereqs = keyVaultKmsCreate && !empty(keyVaultKmsOfficerRolePrincipalId) && privateLinks == false
|
||||
|
||||
resource kvKmsByo 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = if(!empty(keyVaultKmsByoName)) {
|
||||
resource kvKmsByo 'Microsoft.KeyVault/vaults@2022-07-01' existing = if(!empty(keyVaultKmsByoName)) {
|
||||
name: keyVaultKmsByoName
|
||||
scope: resourceGroup(keyVaultKmsByoRG)
|
||||
}
|
||||
|
||||
@description('Creates a new Key vault for a new KMS Key')
|
||||
module kvKms 'keyvault.bicep' = if(keyVaultKmsCreateAndPrereqs) {
|
||||
name: 'keyvaultKms-${resourceName}'
|
||||
name: take('${deployment().name}-keyvaultKms-${resourceName}',64)
|
||||
params: {
|
||||
resourceName: 'kms${resourceName}'
|
||||
keyVaultPurgeProtection: keyVaultPurgeProtection
|
||||
|
@ -285,7 +285,7 @@ module kvKms 'keyvault.bicep' = if(keyVaultKmsCreateAndPrereqs) {
|
|||
}
|
||||
|
||||
module kvKmsCreatedRbac 'keyvaultrbac.bicep' = if(keyVaultKmsCreateAndPrereqs) {
|
||||
name: 'keyvaultKmsRbacs-${resourceName}'
|
||||
name: take('${deployment().name}-keyvaultKmsRbacs-${resourceName}',64)
|
||||
params: {
|
||||
keyVaultName: keyVaultKmsCreate ? kvKms.outputs.keyVaultName : ''
|
||||
//We can't create a kms kv and key and do privatelink. Private Link is a BYO scenario
|
||||
|
@ -308,7 +308,7 @@ module kvKmsCreatedRbac 'keyvaultrbac.bicep' = if(keyVaultKmsCreateAndPrereqs) {
|
|||
}
|
||||
|
||||
module kvKmsByoRbac 'keyvaultrbac.bicep' = if(!empty(keyVaultKmsByoKeyId)) {
|
||||
name: 'keyvaultKmsByoRbacs-${resourceName}'
|
||||
name: take('${deployment().name}-keyvaultKmsByoRbacs-${resourceName}',64)
|
||||
scope: resourceGroup(keyVaultKmsByoRG)
|
||||
params: {
|
||||
keyVaultName: kvKmsByo.name
|
||||
|
@ -325,7 +325,7 @@ module kvKmsByoRbac 'keyvaultrbac.bicep' = if(!empty(keyVaultKmsByoKeyId)) {
|
|||
|
||||
@description('It can take time for the RBAC to propagate, this delays the deployment to avoid this problem')
|
||||
module waitForKmsRbac 'br/public:deployment-scripts/wait:1.0.1' = if(keyVaultKmsCreateAndPrereqs && kmsRbacWaitSeconds>0) {
|
||||
name: 'keyvaultKmsRbac-waits-${resourceName}'
|
||||
name: take('${deployment().name}-keyvaultKmsRbac-waits-${resourceName}',64)
|
||||
params: {
|
||||
waitSeconds: kmsRbacWaitSeconds
|
||||
location: location
|
||||
|
@ -337,7 +337,7 @@ module waitForKmsRbac 'br/public:deployment-scripts/wait:1.0.1' = if(keyVaultKms
|
|||
|
||||
@description('Adding a key to the keyvault... We can only do this for public key vaults')
|
||||
module kvKmsKey 'keyvaultkey.bicep' = if(keyVaultKmsCreateAndPrereqs) {
|
||||
name: 'keyvaultKmsKeys-${resourceName}'
|
||||
name: take('${deployment().name}-keyvaultKmsKeys-${resourceName}',64)
|
||||
params: {
|
||||
keyVaultName: keyVaultKmsCreateAndPrereqs ? kvKms.outputs.keyVaultName : ''
|
||||
}
|
||||
|
@ -393,7 +393,7 @@ param acrUntaggedRetentionPolicy int = 30
|
|||
|
||||
var acrName = 'cr${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}'
|
||||
|
||||
resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = if (!empty(registries_sku)) {
|
||||
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = if (!empty(registries_sku)) {
|
||||
name: acrName
|
||||
location: location
|
||||
sku: {
|
||||
|
@ -409,7 +409,7 @@ resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = if (!
|
|||
retentionPolicy: acrUntaggedRetentionPolicyEnabled ? {
|
||||
status: 'enabled'
|
||||
days: acrUntaggedRetentionPolicy
|
||||
} : json('null')
|
||||
} : null
|
||||
}
|
||||
publicNetworkAccess: privateLinks /* && empty(acrIPWhitelist)*/ ? 'Disabled' : 'Enabled'
|
||||
zoneRedundancy: acrZoneRedundancyEnabled
|
||||
|
@ -459,7 +459,7 @@ resource acrDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = i
|
|||
|
||||
//resource acrPool 'Microsoft.ContainerRegistry/registries/agentPools@2019-06-01-preview' = if (custom_vnet && (!empty(registries_sku)) && privateLinks && acrPrivatePool) {
|
||||
module acrPool 'acragentpool.bicep' = if (custom_vnet && (!empty(registries_sku)) && privateLinks && acrPrivatePool) {
|
||||
name: 'acrprivatepool'
|
||||
name: take('${deployment().name}-acrprivatepool',64)
|
||||
params: {
|
||||
acrName: acr.name
|
||||
acrPoolSubnetId: custom_vnet ? network.outputs.acrPoolSubnetId : ''
|
||||
|
@ -498,12 +498,13 @@ resource aks_acr_push 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
|
|||
|
||||
param imageNames array = []
|
||||
|
||||
module acrImport 'br/public:deployment-scripts/import-acr:2.0.1' = if (!empty(registries_sku) && !empty(imageNames)) {
|
||||
name: 'testAcrImportMulti'
|
||||
module acrImport 'br/public:deployment-scripts/import-acr:3.0.1' = if (!empty(registries_sku) && !empty(imageNames)) {
|
||||
name: take('${deployment().name}-AcrImport',64)
|
||||
params: {
|
||||
acrName: acr.name
|
||||
location: location
|
||||
images: imageNames
|
||||
managedIdentityName: 'id-acrImport-${resourceName}-${location}'
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -539,7 +540,7 @@ param certManagerFW bool = false
|
|||
param azureFirewallSku string = 'Standard'
|
||||
|
||||
module firewall './firewall.bicep' = if (azureFirewalls && custom_vnet) {
|
||||
name: 'firewall'
|
||||
name: take('${deployment().name}-firewall',64)
|
||||
params: {
|
||||
resourceName: resourceName
|
||||
location: location
|
||||
|
@ -596,7 +597,7 @@ var appGWenableWafFirewall = appGWsku=='Standard_v2' ? false : appGWenableFirewa
|
|||
// If integrating App Gateway with KeyVault, create a Identity App Gateway will use to access keyvault
|
||||
// 'identity' is always created (adding: "|| deployAppGw") until this is fixed:
|
||||
// https://github.com/Azure/bicep/issues/387#issuecomment-885671296
|
||||
resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = if (deployAppGw) {
|
||||
resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (deployAppGw) {
|
||||
name: 'id-appgw-${resourceName}'
|
||||
location: location
|
||||
}
|
||||
|
@ -604,7 +605,7 @@ resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11
|
|||
var appgwName = 'agw-${resourceName}'
|
||||
var appgwResourceId = deployAppGw ? resourceId('Microsoft.Network/applicationGateways', '${appgwName}') : ''
|
||||
|
||||
resource appgwpip 'Microsoft.Network/publicIPAddresses@2021-02-01' = if (deployAppGw) {
|
||||
resource appgwpip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if (deployAppGw) {
|
||||
name: 'pip-agw-${resourceName}'
|
||||
location: location
|
||||
sku: {
|
||||
|
@ -722,6 +723,7 @@ var appgwProperties = union({
|
|||
name: 'appGwRoutingRuleName'
|
||||
properties: {
|
||||
ruleType: 'Basic'
|
||||
priority: '1'
|
||||
httpListener: {
|
||||
id: '${appgwResourceId}/httpListeners/hlisten'
|
||||
}
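Review bot: `priority: '1'` is a string, but the request routing rule's `priority` is an integer (1–20000) in the applicationGateways schema; because the value sits inside the `appgwProperties` var rather than a typed resource body, Bicep cannot flag the mismatch and the deployment depends on the service coercing it. Write it as `priority: 1`. A fixed value is fine while the gateway defines a single rule, and a short comment would save the next reader from wondering where it came from, e.g. `// single routing rule, so any priority value is unique`. The `appgwProperties` union starts and ends outside the hunk.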
|
||||
|
@ -742,7 +744,7 @@ var appgwProperties = union({
|
|||
} : {})
|
||||
|
||||
// 'identity' is always set until this is fixed: https://github.com/Azure/bicep/issues/387#issuecomment-885671296
|
||||
resource appgw 'Microsoft.Network/applicationGateways@2021-02-01' = if (deployAppGw) {
|
||||
resource appgw 'Microsoft.Network/applicationGateways@2022-07-01' = if (deployAppGw) {
|
||||
name: appgwName
|
||||
location: location
|
||||
zones: !empty(availabilityZones) ? availabilityZones : []
|
||||
|
@ -1113,7 +1115,7 @@ var systemPoolBase = {
|
|||
osType: 'Linux'
|
||||
maxPods: 30
|
||||
type: 'VirtualMachineScaleSets'
|
||||
vnetSubnetID: !empty(aksSubnetId) ? aksSubnetId : json('null')
|
||||
vnetSubnetID: !empty(aksSubnetId) ? aksSubnetId : null
|
||||
upgradeSettings: {
|
||||
maxSurge: '33%'
|
||||
}
|
||||
|
@ -1280,7 +1282,7 @@ defenderForContainers && createLaw ? azureDefenderSecurityProfile : {},
|
|||
keyVaultKmsCreateAndPrereqs || !empty(keyVaultKmsByoKeyId) ? azureKeyVaultKms : {}
|
||||
)
|
||||
|
||||
resource aks 'Microsoft.ContainerService/managedClusters@2022-10-02-preview' = {
|
||||
resource aks 'Microsoft.ContainerService/managedClusters@2022-11-02-preview' = {
|
||||
name: 'aks-${resourceName}'
|
||||
location: location
|
||||
properties: aksProperties
|
||||
|
@ -1345,7 +1347,7 @@ output aksResourceId string = aks.id
|
|||
@description('Not giving Rbac at the vnet level when using private dns results in ReconcilePrivateDNS. Therefore we need to upgrade the scope when private dns is being used, because it wants to set up the dns->vnet integration.')
|
||||
var uaiNetworkScopeRbac = enablePrivateCluster && !empty(dnsApiPrivateZoneId) ? 'Vnet' : 'Subnet'
|
||||
module privateDnsZoneRbac './dnsZoneRbac.bicep' = if (enablePrivateCluster && !empty(dnsApiPrivateZoneId) && createAksUai) {
|
||||
name: 'addPrivateK8sApiDnsContributor'
|
||||
name: take('${deployment().name}-addPrivateK8sApiDnsContributor',64)
|
||||
params: {
|
||||
vnetId: ''
|
||||
dnsZoneId: dnsApiPrivateZoneId
|
||||
|
@ -1356,7 +1358,7 @@ module privateDnsZoneRbac './dnsZoneRbac.bicep' = if (enablePrivateCluster && !e
|
|||
var policySetBaseline = '/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d'
|
||||
var policySetRestrictive = '/providers/Microsoft.Authorization/policySetDefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00'
|
||||
|
||||
resource aks_policies 'Microsoft.Authorization/policyAssignments@2020-09-01' = if (!empty(azurepolicy)) {
|
||||
resource aks_policies 'Microsoft.Authorization/policyAssignments@2022-06-01' = if (!empty(azurepolicy)) {
|
||||
name: '${resourceName}-${azurePolicyInitiative}'
|
||||
location: location
|
||||
properties: {
|
||||
|
@ -1401,7 +1403,7 @@ resource aks_admin_role_assignment 'Microsoft.Authorization/roleAssignments@2022
|
|||
|
||||
param fluxGitOpsAddon bool = false
|
||||
|
||||
resource fluxAddon 'Microsoft.KubernetesConfiguration/extensions@2022-04-02-preview' = if(fluxGitOpsAddon) {
|
||||
resource fluxAddon 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = if(fluxGitOpsAddon) {
|
||||
name: 'flux'
|
||||
scope: aks
|
||||
properties: {
|
||||
|
@ -1424,7 +1426,7 @@ param daprAddon bool = false
|
|||
@description('Enable high availability (HA) mode for the Dapr control plane')
|
||||
param daprAddonHA bool = false
|
||||
|
||||
resource daprExtension 'Microsoft.KubernetesConfiguration/extensions@2022-04-02-preview' = if(daprAddon) {
|
||||
resource daprExtension 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = if(daprAddon) {
|
||||
name: 'dapr'
|
||||
scope: aks
|
||||
properties: {
|
||||
|
@ -1502,7 +1504,7 @@ var AlertFrequencyLookup = {
|
|||
var AlertFrequency = AlertFrequencyLookup[AksMetricAlertMetricFrequencyModel]
|
||||
|
||||
module aksmetricalerts './aksmetricalerts.bicep' = if (createLaw) {
|
||||
name: 'aksmetricalerts'
|
||||
name: take('${deployment().name}-aksmetricalerts',64)
|
||||
scope: resourceGroup()
|
||||
params: {
|
||||
clusterName: aks.name
|
||||
|
@ -1532,6 +1534,9 @@ resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (cre
|
|||
location: location
|
||||
properties : union({
|
||||
retentionInDays: retentionInDays
|
||||
sku: {
|
||||
name: 'PerGB2018'
|
||||
}
|
||||
},
|
||||
logDataCap>0 ? { workspaceCapping: {
|
||||
dailyQuotaGb: logDataCap
|
||||
|
@ -1541,7 +1546,8 @@ resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (cre
|
|||
|
||||
|
||||
resource containerLogsV2_Basiclogs 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = if(containerLogsV2BasicLogs){
|
||||
name: '${aks_law_name}/ContainerLogV2'
|
||||
name: 'ContainerLogV2'
|
||||
parent: aks_law
|
||||
properties: {
|
||||
plan: 'Basic'
|
||||
}
|
||||
|
|
|
@ -96,7 +96,7 @@ var fw_subnet = {
|
|||
|
||||
/// ---- Firewall VNET config
|
||||
module calcAzFwIp './calcAzFwIp.bicep' = if (azureFirewalls) {
|
||||
name: 'calcAzFwIp'
|
||||
name: take('${deployment().name}-calcAzFwIp',64)
|
||||
params: {
|
||||
vnetFirewallSubnetAddressPrefix: vnetFirewallSubnetAddressPrefix
|
||||
}
|
||||
|
@ -174,7 +174,7 @@ var subnets = union(
|
|||
output debugSubnets array = subnets
|
||||
|
||||
var vnetName = 'vnet-${resourceName}'
|
||||
resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
|
||||
resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
|
||||
name: vnetName
|
||||
location: location
|
||||
properties: {
|
||||
|
@ -196,7 +196,7 @@ output appGwSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subn
|
|||
output privateLinkSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, private_link_subnet_name)
|
||||
|
||||
module aks_vnet_con 'networksubnetrbac.bicep' = if (!empty(aksPrincipleId)) {
|
||||
name: '${resourceName}-subnetRbac'
|
||||
name: take('${deployment().name}-subnetRbac',64)
|
||||
params: {
|
||||
servicePrincipalId: aksPrincipleId
|
||||
subnetName: aks_subnet_name
|
||||
|
@ -328,7 +328,7 @@ var publicIpAddressName = 'pip-${bastionHostName}'
|
|||
])
|
||||
param bastionSku string = 'Standard'
|
||||
|
||||
resource bastionPip 'Microsoft.Network/publicIPAddresses@2021-03-01' = if(bastion) {
|
||||
resource bastionPip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if(bastion) {
|
||||
name: publicIpAddressName
|
||||
location: location
|
||||
sku: {
|
||||
|
@ -371,8 +371,7 @@ resource log 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if
|
|||
|
||||
param CreateNsgFlowLogs bool = false
|
||||
|
||||
var flowLogStorageRawName = replace(toLower('stflow${resourceName}${uniqueString(resourceGroup().id, resourceName)}'),'-','')
|
||||
var flowLogStorageName = length(flowLogStorageRawName) > 24 ? substring(flowLogStorageRawName, 0, 24) : flowLogStorageRawName
|
||||
var flowLogStorageName = take(replace(toLower('stflow${resourceName}${uniqueString(resourceGroup().id, resourceName)}'),'-',''),24)
|
||||
resource flowLogStor 'Microsoft.Storage/storageAccounts@2021-08-01' = if(CreateNsgFlowLogs && networkSecurityGroups) {
|
||||
name: flowLogStorageName
|
||||
kind: 'StorageV2'
|
||||
|
@ -387,7 +386,7 @@ resource flowLogStor 'Microsoft.Storage/storageAccounts@2021-08-01' = if(CreateN
|
|||
|
||||
//NSG's
|
||||
module nsgAks 'nsg.bicep' = if(networkSecurityGroups) {
|
||||
name: 'nsgAks'
|
||||
name: take('${deployment().name}-nsgAks',64)
|
||||
params: {
|
||||
location: location
|
||||
resourceName: '${aks_subnet_name}-${resourceName}'
|
||||
|
@ -402,7 +401,7 @@ module nsgAks 'nsg.bicep' = if(networkSecurityGroups) {
|
|||
}
|
||||
|
||||
module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) {
|
||||
name: 'nsgAcrPool'
|
||||
name: take('${deployment().name}-nsgAcrPool',64)
|
||||
params: {
|
||||
location: location
|
||||
resourceName: '${acrpool_subnet_name}-${resourceName}'
|
||||
|
@ -417,7 +416,7 @@ module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) {
|
|||
}
|
||||
|
||||
module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGroups) {
|
||||
name: 'nsgAppGw'
|
||||
name: take('${deployment().name}-nsgAppGw',64)
|
||||
params: {
|
||||
location: location
|
||||
resourceName: '${appgw_subnet_name}-${resourceName}'
|
||||
|
@ -438,7 +437,7 @@ module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGro
|
|||
}
|
||||
|
||||
module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) {
|
||||
name: 'nsgBastion'
|
||||
name: take('${deployment().name}-nsgBastion',64)
|
||||
params: {
|
||||
location: location
|
||||
resourceName: '${bastion_subnet_name}-${resourceName}'
|
||||
|
@ -459,7 +458,7 @@ module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) {
|
|||
}
|
||||
|
||||
module nsgPrivateLinks 'nsg.bicep' = if(privateLinks && networkSecurityGroups) {
|
||||
name: 'nsgPrivateLinks'
|
||||
name: take('${deployment().name}-nsgPrivateLinks',64)
|
||||
params: {
|
||||
location: location
|
||||
resourceName: '${private_link_subnet_name}-${resourceName}'
|
||||
|
|
|
@ -19,7 +19,8 @@ resource networkWatcher 'Microsoft.Network/networkWatchers@2022-01-01' = {
|
|||
}
|
||||
|
||||
resource nsgFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2021-05-01' = {
|
||||
name: '${networkWatcher.name}/${name}'
|
||||
name: name
|
||||
parent: networkWatcher
|
||||
location: location
|
||||
properties: {
|
||||
targetResourceId: nsgId
|
||||
|
|
|
@ -14,7 +14,7 @@ output nsgId string = nsg.id
|
|||
|
||||
param ruleInAllowGwManagement bool = false
|
||||
param ruleInGwManagementPort string = '443,65200-65535'
|
||||
resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowGwManagement) {
|
||||
resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowGwManagement) {
|
||||
parent: nsg
|
||||
name: 'Allow_AppGatewayManagement'
|
||||
properties: {
|
||||
|
@ -30,7 +30,7 @@ resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRu
|
|||
}
|
||||
|
||||
param ruleInAllowAzureLoadBalancer bool = false
|
||||
resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if (ruleInAllowAzureLoadBalancer) {
|
||||
resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if (ruleInAllowAzureLoadBalancer) {
|
||||
parent: nsg
|
||||
name: 'Allow_AzureLoadBalancer'
|
||||
properties: {
|
||||
|
@ -50,7 +50,7 @@ resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/security
|
|||
}
|
||||
|
||||
param ruleInDenyInternet bool = false
|
||||
resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInDenyInternet) {
|
||||
resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInDenyInternet) {
|
||||
parent: nsg
|
||||
name: 'Deny_AllInboundInternet'
|
||||
properties: {
|
||||
|
@ -71,7 +71,7 @@ resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules
|
|||
}
|
||||
|
||||
param ruleInAllowInternetHttp bool = false
|
||||
resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowInternetHttp) {
|
||||
resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowInternetHttp) {
|
||||
parent: nsg
|
||||
name: 'Allow_Internet_Http'
|
||||
properties: {
|
||||
|
@ -92,7 +92,7 @@ resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules
|
|||
}
|
||||
|
||||
param ruleInAllowInternetHttps bool = false
|
||||
resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowInternetHttps) {
|
||||
resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowInternetHttps) {
|
||||
parent: nsg
|
||||
name: 'Allow_Internet_Https'
|
||||
properties: {
|
||||
|
@ -113,7 +113,7 @@ resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRule
|
|||
}
|
||||
|
||||
param ruleInAllowBastionHostComms bool = false
|
||||
resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowBastionHostComms) {
|
||||
resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowBastionHostComms) {
|
||||
parent: nsg
|
||||
name: 'Allow_Bastion_Host_Communication'
|
||||
properties: {
|
||||
|
@ -135,7 +135,7 @@ resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@
|
|||
}
|
||||
|
||||
param ruleOutAllowBastionComms bool = false
|
||||
resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
|
||||
resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
|
||||
parent: nsg
|
||||
name: 'Allow_SshRdp_Outbound'
|
||||
properties: {
|
||||
|
@ -156,7 +156,7 @@ resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securi
|
|||
}
|
||||
}
|
||||
|
||||
resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
|
||||
resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
|
||||
parent: nsg
|
||||
name: 'Allow_Azure_Cloud_Outbound'
|
||||
properties: {
|
||||
|
@ -176,7 +176,7 @@ resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securit
|
|||
}
|
||||
}
|
||||
|
||||
resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
|
||||
resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
|
||||
parent: nsg
|
||||
name: 'Allow_Bastion_Communication'
|
||||
properties: {
|
||||
|
@ -197,7 +197,7 @@ resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/
|
|||
}
|
||||
}
|
||||
|
||||
resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
|
||||
resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
|
||||
parent: nsg
|
||||
name: 'Allow_Get_Session_Info'
|
||||
properties: {
|
||||
|
@ -218,7 +218,7 @@ resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/s
|
|||
}
|
||||
|
||||
param ruleInDenySsh bool = false
|
||||
resource ruleSshIngressDeny 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInDenySsh) {
|
||||
resource ruleSshIngressDeny 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInDenySsh) {
|
||||
parent: nsg
|
||||
name: 'DenySshInbound'
|
||||
properties: {
|
||||
|
@ -260,7 +260,7 @@ resource nsgDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = i
|
|||
param FlowLogStorageAccountId string = ''
|
||||
param FlowLogTrafficAnalytics bool = !empty(FlowLogStorageAccountId)
|
||||
module nsgFlow 'networkwatcherflowlog.bicep' = if(!empty(FlowLogStorageAccountId)) {
|
||||
name: 'flow-${nsgName}'
|
||||
name: take('${deployment().name}-flow-${nsgName}',64)
|
||||
scope: resourceGroup('NetworkWatcherRG')
|
||||
params: {
|
||||
location:location
|
||||
|
|