* deployment names + LAW sku

* bumping acr import

* deployment name limit

* better string trimming.

* descriptive managed id name

* bumping k8s version

* api version bumps

* linter warnings

* ContainerLogV2 parent

* adding v2configmap to gitignore

* requestRoutingRule priority
Gordon Byers 2023-03-16 10:37:07 +00:00 коммит произвёл GitHub
Родитель 0f2054ba5b
Коммит b3f609b5a6
16 изменённых файлов: 84 добавлений и 74 удалений

.gitignore поставляемый

@ -8,3 +8,4 @@ bicep/main.json
helper/localsite.html
helper/prodsite.html
helper/build/**
container-azm-ms-agentconfig.yaml


@ -2,7 +2,7 @@ param location string = resourceGroup().location
param acrName string
param acrPoolSubnetId string = ''
resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' existing = {
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
name: acrName
}


@ -59,8 +59,8 @@ resource userNodepool 'Microsoft.ContainerService/managedClusters/agentPools@202
mode: 'User'
vmSize: agentVMSize
count: agentCount
minCount: autoScale ? agentCount : json('null')
maxCount: autoScale ? agentCountMax : json('null')
minCount: autoScale ? agentCount : null
maxCount: autoScale ? agentCountMax : null
enableAutoScaling: autoScale
availabilityZones: !empty(availabilityZones) ? availabilityZones : null
osDiskType: osDiskType
@ -69,7 +69,7 @@ resource userNodepool 'Microsoft.ContainerService/managedClusters/agentPools@202
osType: osType
maxPods: maxPods
type: 'VirtualMachineScaleSets'
vnetSubnetID: !empty(subnetId) ? subnetId : json('null')
vnetSubnetID: !empty(subnetId) ? subnetId : null
upgradeSettings: {
maxSurge: '33%'
}


@ -15,15 +15,15 @@ var networkContributorRole = subscriptionResourceId('Microsoft.Authorization/rol
var existingAksSubnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[10] : ''
var existingAksVnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[8] : ''
resource existingvnet 'Microsoft.Network/virtualNetworks@2021-02-01' existing = {
resource existingvnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
name: existingAksVnetName
}
resource existingAksSubnet 'Microsoft.Network/virtualNetworks/subnets@2020-08-01' existing = {
resource existingAksSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
parent: existingvnet
name: existingAksSubnetName
}
resource subnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (rbacAssignmentScope == 'subnet') {
resource subnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope == 'subnet') {
name: guid(user_identity_principalId, networkContributorRole, existingAksSubnetName)
scope: existingAksSubnet
properties: {
@ -33,7 +33,7 @@ resource subnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview'
}
}
resource existingVnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (rbacAssignmentScope != 'subnet') {
resource existingVnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope != 'subnet') {
name: guid(user_identity_principalId, networkContributorRole, existingAksVnetName)
scope: existingvnet
properties: {


@ -25,7 +25,7 @@ resource appgwpip 'Microsoft.Network/publicIPAddresses@2020-07-01' = {
var frontendPublicIpConfig = {
properties: {
publicIPAddress: {
id: '${appgwpip.id}'
id: appgwpip.id
}
}
name: 'appGatewayFrontendIP'


@ -1,9 +1,13 @@
{
"analyzers": {
"core": {
"enabled": true,
"verbose": false,
"rules": {
"use-recent-api-versions" : {
"level": "warning"
},
"no-hardcoded-location" : {
"level": "error"
},
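Review bot: The new `rules` block raises only the API-version and hardcoded-location checks; the linter's secret-hygiene rules stay at their default level (warning, as far as I recall the defaults) and so never fail the build for these templates. Consider adding `"secure-parameter-default": { "level": "error" }` and `"outputs-should-not-contain-secrets": { "level": "error" }` next to the two rules here, so a password or key given a literal default, or an output that echoes one, breaks the build instead of passing with a warning. The closing braces of the `rules` and `core` objects lie outside this hunk.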


@ -12,7 +12,7 @@ resource privateDns 'Microsoft.Network/privateDnsZones@2020-06-01' existing = if
}
var DNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (!isPrivate) {
resource dnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!isPrivate) {
scope: dns
name: guid(dns.id, principalId, DNSZoneContributor)
properties: {
@ -23,7 +23,7 @@ resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
}
var PrivateDNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (isPrivate) {
resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (isPrivate) {
scope: privateDns
name: guid(privateDns.id, principalId, PrivateDNSZoneContributor)
properties: {


@ -15,7 +15,7 @@ var dnsZoneName = !empty(dnsZoneId) ? split(dnsZoneId, '/')[8] : ''
var isDnsZonePrivate = !empty(dnsZoneId) ? split(dnsZoneId, '/')[7] == 'privateDnsZones' : false
module dnsZone './dnsZone.bicep' = if (!empty(dnsZoneId)) {
name: 'dns-${dnsZoneName}'
name: take('${deployment().name}-dns-${dnsZoneName}',64)
scope: resourceGroup(dnsZoneRg)
params: {
dnsZoneName: dnsZoneName
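Review bot: `take('${deployment().name}-dns-${dnsZoneName}',64)` truncates from the right, so when the parent deployment name is already near the 64-character limit the `-dns-…` suffix is what gets cut and the module name collapses to the bare parent name. The same pattern is applied to every module in main.bicep, network.bicep and nsg.bicep in this commit, and deployment names must be unique within a scope, so a long parent name would make several modules resolve to the same name and collide. Trimming the prefix instead keeps the distinguishing part: `name: '${take(deployment().name, 64 - length('-dns-${dnsZoneName}'))}-dns-${dnsZoneName}'`. I cannot see whether the pipelines bound `deployment().name`, so this is a hardening point rather than a reproduced failure; the module's params continue outside the hunk.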


@ -25,7 +25,7 @@ var managementIpConfig = {
}
}
resource fw_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = {
resource fw_pip 'Microsoft.Network/publicIPAddresses@2022-07-01' = {
name: firewallPublicIpName
location: location
sku: {
@ -38,7 +38,7 @@ resource fw_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = {
}
}
resource fwManagementIp_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = if(fwSku=='Basic') {
resource fwManagementIp_pip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if(fwSku=='Basic') {
name: firewallManagementPublicIpName
location: location
sku: {


@ -21,14 +21,13 @@ param keyVaultIPAllowlist array = []
param logAnalyticsWorkspaceId string = ''
var akvRawName = 'kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}'
var akvName = length(akvRawName) > 24 ? substring(akvRawName, 0, 24) : akvRawName
var akvName = take('kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}',24)
var kvIPRules = [for kvIp in keyVaultIPAllowlist: {
value: kvIp
}]
resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' = {
name: akvName
location: location
properties: {
@ -52,7 +51,7 @@ resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
enabledForDiskEncryption: false
enabledForTemplateDeployment: false
enableSoftDelete: keyVaultSoftDelete
enablePurgeProtection: keyVaultPurgeProtection ? true : json('null')
enablePurgeProtection: keyVaultPurgeProtection ? true : null
}
}


@ -1,10 +1,10 @@
param keyVaultName string
resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
name: keyVaultName
}
resource kvKmsKey 'Microsoft.KeyVault/vaults/keys@2021-11-01-preview' = {
resource kvKmsKey 'Microsoft.KeyVault/vaults/keys@2022-07-01' = {
name: 'kmskey'
parent: kv
properties: {


@ -48,7 +48,7 @@ var keyVaultCryptoUserRole = subscriptionResourceId('Microsoft.Authorization/rol
var keyVaultCryptoOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
var keyVaultCryptoServiceEncrpytionRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6')
resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
name: keyVaultName
}


@ -40,7 +40,7 @@ param byoAGWSubnetId string = ''
//--- Custom, BYO networking and PrivateApiZones requires BYO AKS User Identity
var createAksUai = custom_vnet || !empty(byoAKSSubnetId) || !empty(dnsApiPrivateZoneId) || keyVaultKmsCreateAndPrereqs || !empty(keyVaultKmsByoKeyId)
resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = if (createAksUai) {
resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (createAksUai) {
name: 'id-aks-${resourceName}'
location: location
}
@ -49,7 +49,7 @@ resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-pre
var existingAksVnetRG = !empty(byoAKSSubnetId) ? (length(split(byoAKSSubnetId, '/')) > 4 ? split(byoAKSSubnetId, '/')[4] : '') : ''
module aksnetcontrib './aksnetcontrib.bicep' = if (!empty(byoAKSSubnetId) && createAksUai) {
name: 'addAksNetContributor'
name: take('${deployment().name}-addAksNetContributor',64)
scope: resourceGroup(existingAksVnetRG)
params: {
byoAKSSubnetId: byoAKSSubnetId
@ -115,7 +115,7 @@ param CreateNetworkSecurityGroups bool = false
param CreateNetworkSecurityGroupFlowLogs bool = false
module network './network.bicep' = if (custom_vnet) {
name: 'network'
name: take('${deployment().name}-network',64)
params: {
resourceName: resourceName
location: location
@ -166,7 +166,7 @@ param dnsZoneId string = ''
var isDnsZonePrivate = !empty(dnsZoneId) ? split(dnsZoneId, '/')[7] == 'privateDnsZones' : false
module dnsZone './dnsZoneRbac.bicep' = if (!empty(dnsZoneId)) {
name: 'addDnsContributor'
name: take('${deployment().name}-addDnsContributor',64)
params: {
dnsZoneId: dnsZoneId
vnetId: isDnsZonePrivate ? (!empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/subnets')[0] : (custom_vnet ? network.outputs.vnetId : '')) : ''
@ -202,7 +202,7 @@ param keyVaultAksCSIPollInterval string = '2m'
@description('Creates a KeyVault for application secrets (eg. CSI)')
module kv 'keyvault.bicep' = if(keyVaultCreate) {
name: 'keyvaultApps'
name: take('${deployment().name}-keyvaultApps',64)
params: {
resourceName: resourceName
keyVaultPurgeProtection: keyVaultPurgeProtection
@ -224,7 +224,7 @@ var rbacSecretUserSps = union([deployAppGw && appgwKVIntegration ? appGwIdentity
@description('A seperate module is used for RBAC to avoid delaying the KeyVault creation and causing a circular reference.')
module kvRbac 'keyvaultrbac.bicep' = if (keyVaultCreate) {
name: 'KeyVaultAppsRbac'
name: take('${deployment().name}-KeyVaultAppsRbac',64)
params: {
keyVaultName: keyVaultCreate ? kv.outputs.keyVaultName : ''
@ -266,14 +266,14 @@ var kmsRbacWaitSeconds=30
@description('This indicates if the deploying user has provided their PrincipalId in order for the key to be created')
var keyVaultKmsCreateAndPrereqs = keyVaultKmsCreate && !empty(keyVaultKmsOfficerRolePrincipalId) && privateLinks == false
resource kvKmsByo 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = if(!empty(keyVaultKmsByoName)) {
resource kvKmsByo 'Microsoft.KeyVault/vaults@2022-07-01' existing = if(!empty(keyVaultKmsByoName)) {
name: keyVaultKmsByoName
scope: resourceGroup(keyVaultKmsByoRG)
}
@description('Creates a new Key vault for a new KMS Key')
module kvKms 'keyvault.bicep' = if(keyVaultKmsCreateAndPrereqs) {
name: 'keyvaultKms-${resourceName}'
name: take('${deployment().name}-keyvaultKms-${resourceName}',64)
params: {
resourceName: 'kms${resourceName}'
keyVaultPurgeProtection: keyVaultPurgeProtection
@ -285,7 +285,7 @@ module kvKms 'keyvault.bicep' = if(keyVaultKmsCreateAndPrereqs) {
}
module kvKmsCreatedRbac 'keyvaultrbac.bicep' = if(keyVaultKmsCreateAndPrereqs) {
name: 'keyvaultKmsRbacs-${resourceName}'
name: take('${deployment().name}-keyvaultKmsRbacs-${resourceName}',64)
params: {
keyVaultName: keyVaultKmsCreate ? kvKms.outputs.keyVaultName : ''
//We can't create a kms kv and key and do privatelink. Private Link is a BYO scenario
@ -308,7 +308,7 @@ module kvKmsCreatedRbac 'keyvaultrbac.bicep' = if(keyVaultKmsCreateAndPrereqs) {
}
module kvKmsByoRbac 'keyvaultrbac.bicep' = if(!empty(keyVaultKmsByoKeyId)) {
name: 'keyvaultKmsByoRbacs-${resourceName}'
name: take('${deployment().name}-keyvaultKmsByoRbacs-${resourceName}',64)
scope: resourceGroup(keyVaultKmsByoRG)
params: {
keyVaultName: kvKmsByo.name
@ -325,7 +325,7 @@ module kvKmsByoRbac 'keyvaultrbac.bicep' = if(!empty(keyVaultKmsByoKeyId)) {
@description('It can take time for the RBAC to propagate, this delays the deployment to avoid this problem')
module waitForKmsRbac 'br/public:deployment-scripts/wait:1.0.1' = if(keyVaultKmsCreateAndPrereqs && kmsRbacWaitSeconds>0) {
name: 'keyvaultKmsRbac-waits-${resourceName}'
name: take('${deployment().name}-keyvaultKmsRbac-waits-${resourceName}',64)
params: {
waitSeconds: kmsRbacWaitSeconds
location: location
@ -337,7 +337,7 @@ module waitForKmsRbac 'br/public:deployment-scripts/wait:1.0.1' = if(keyVaultKms
@description('Adding a key to the keyvault... We can only do this for public key vaults')
module kvKmsKey 'keyvaultkey.bicep' = if(keyVaultKmsCreateAndPrereqs) {
name: 'keyvaultKmsKeys-${resourceName}'
name: take('${deployment().name}-keyvaultKmsKeys-${resourceName}',64)
params: {
keyVaultName: keyVaultKmsCreateAndPrereqs ? kvKms.outputs.keyVaultName : ''
}
@ -393,7 +393,7 @@ param acrUntaggedRetentionPolicy int = 30
var acrName = 'cr${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}'
resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = if (!empty(registries_sku)) {
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = if (!empty(registries_sku)) {
name: acrName
location: location
sku: {
@ -409,7 +409,7 @@ resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = if (!
retentionPolicy: acrUntaggedRetentionPolicyEnabled ? {
status: 'enabled'
days: acrUntaggedRetentionPolicy
} : json('null')
} : null
}
publicNetworkAccess: privateLinks /* && empty(acrIPWhitelist)*/ ? 'Disabled' : 'Enabled'
zoneRedundancy: acrZoneRedundancyEnabled
@ -459,7 +459,7 @@ resource acrDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = i
//resource acrPool 'Microsoft.ContainerRegistry/registries/agentPools@2019-06-01-preview' = if (custom_vnet && (!empty(registries_sku)) && privateLinks && acrPrivatePool) {
module acrPool 'acragentpool.bicep' = if (custom_vnet && (!empty(registries_sku)) && privateLinks && acrPrivatePool) {
name: 'acrprivatepool'
name: take('${deployment().name}-acrprivatepool',64)
params: {
acrName: acr.name
acrPoolSubnetId: custom_vnet ? network.outputs.acrPoolSubnetId : ''
@ -498,12 +498,13 @@ resource aks_acr_push 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
param imageNames array = []
module acrImport 'br/public:deployment-scripts/import-acr:2.0.1' = if (!empty(registries_sku) && !empty(imageNames)) {
name: 'testAcrImportMulti'
module acrImport 'br/public:deployment-scripts/import-acr:3.0.1' = if (!empty(registries_sku) && !empty(imageNames)) {
name: take('${deployment().name}-AcrImport',64)
params: {
acrName: acr.name
location: location
images: imageNames
managedIdentityName: 'id-acrImport-${resourceName}-${location}'
}
}
@ -539,7 +540,7 @@ param certManagerFW bool = false
param azureFirewallSku string = 'Standard'
module firewall './firewall.bicep' = if (azureFirewalls && custom_vnet) {
name: 'firewall'
name: take('${deployment().name}-firewall',64)
params: {
resourceName: resourceName
location: location
@ -596,7 +597,7 @@ var appGWenableWafFirewall = appGWsku=='Standard_v2' ? false : appGWenableFirewa
// If integrating App Gateway with KeyVault, create a Identity App Gateway will use to access keyvault
// 'identity' is always created (adding: "|| deployAppGw") until this is fixed:
// https://github.com/Azure/bicep/issues/387#issuecomment-885671296
resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = if (deployAppGw) {
resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (deployAppGw) {
name: 'id-appgw-${resourceName}'
location: location
}
@ -604,7 +605,7 @@ resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11
var appgwName = 'agw-${resourceName}'
var appgwResourceId = deployAppGw ? resourceId('Microsoft.Network/applicationGateways', '${appgwName}') : ''
resource appgwpip 'Microsoft.Network/publicIPAddresses@2021-02-01' = if (deployAppGw) {
resource appgwpip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if (deployAppGw) {
name: 'pip-agw-${resourceName}'
location: location
sku: {
@ -722,6 +723,7 @@ var appgwProperties = union({
name: 'appGwRoutingRuleName'
properties: {
ruleType: 'Basic'
priority: '1'
httpListener: {
id: '${appgwResourceId}/httpListeners/hlisten'
}
@ -742,7 +744,7 @@ var appgwProperties = union({
} : {})
// 'identity' is always set until this is fixed: https://github.com/Azure/bicep/issues/387#issuecomment-885671296
resource appgw 'Microsoft.Network/applicationGateways@2021-02-01' = if (deployAppGw) {
resource appgw 'Microsoft.Network/applicationGateways@2022-07-01' = if (deployAppGw) {
name: appgwName
location: location
zones: !empty(availabilityZones) ? availabilityZones : []
@ -1113,7 +1115,7 @@ var systemPoolBase = {
osType: 'Linux'
maxPods: 30
type: 'VirtualMachineScaleSets'
vnetSubnetID: !empty(aksSubnetId) ? aksSubnetId : json('null')
vnetSubnetID: !empty(aksSubnetId) ? aksSubnetId : null
upgradeSettings: {
maxSurge: '33%'
}
@ -1280,7 +1282,7 @@ defenderForContainers && createLaw ? azureDefenderSecurityProfile : {},
keyVaultKmsCreateAndPrereqs || !empty(keyVaultKmsByoKeyId) ? azureKeyVaultKms : {}
)
resource aks 'Microsoft.ContainerService/managedClusters@2022-10-02-preview' = {
resource aks 'Microsoft.ContainerService/managedClusters@2022-11-02-preview' = {
name: 'aks-${resourceName}'
location: location
properties: aksProperties
@ -1345,7 +1347,7 @@ output aksResourceId string = aks.id
@description('Not giving Rbac at the vnet level when using private dns results in ReconcilePrivateDNS. Therefore we need to upgrade the scope when private dns is being used, because it wants to set up the dns->vnet integration.')
var uaiNetworkScopeRbac = enablePrivateCluster && !empty(dnsApiPrivateZoneId) ? 'Vnet' : 'Subnet'
module privateDnsZoneRbac './dnsZoneRbac.bicep' = if (enablePrivateCluster && !empty(dnsApiPrivateZoneId) && createAksUai) {
name: 'addPrivateK8sApiDnsContributor'
name: take('${deployment().name}-addPrivateK8sApiDnsContributor',64)
params: {
vnetId: ''
dnsZoneId: dnsApiPrivateZoneId
@ -1356,7 +1358,7 @@ module privateDnsZoneRbac './dnsZoneRbac.bicep' = if (enablePrivateCluster && !e
var policySetBaseline = '/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d'
var policySetRestrictive = '/providers/Microsoft.Authorization/policySetDefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00'
resource aks_policies 'Microsoft.Authorization/policyAssignments@2020-09-01' = if (!empty(azurepolicy)) {
resource aks_policies 'Microsoft.Authorization/policyAssignments@2022-06-01' = if (!empty(azurepolicy)) {
name: '${resourceName}-${azurePolicyInitiative}'
location: location
properties: {
@ -1401,7 +1403,7 @@ resource aks_admin_role_assignment 'Microsoft.Authorization/roleAssignments@2022
param fluxGitOpsAddon bool = false
resource fluxAddon 'Microsoft.KubernetesConfiguration/extensions@2022-04-02-preview' = if(fluxGitOpsAddon) {
resource fluxAddon 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = if(fluxGitOpsAddon) {
name: 'flux'
scope: aks
properties: {
@ -1424,7 +1426,7 @@ param daprAddon bool = false
@description('Enable high availability (HA) mode for the Dapr control plane')
param daprAddonHA bool = false
resource daprExtension 'Microsoft.KubernetesConfiguration/extensions@2022-04-02-preview' = if(daprAddon) {
resource daprExtension 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = if(daprAddon) {
name: 'dapr'
scope: aks
properties: {
@ -1502,7 +1504,7 @@ var AlertFrequencyLookup = {
var AlertFrequency = AlertFrequencyLookup[AksMetricAlertMetricFrequencyModel]
module aksmetricalerts './aksmetricalerts.bicep' = if (createLaw) {
name: 'aksmetricalerts'
name: take('${deployment().name}-aksmetricalerts',64)
scope: resourceGroup()
params: {
clusterName: aks.name
@ -1532,6 +1534,9 @@ resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (cre
location: location
properties : union({
retentionInDays: retentionInDays
sku: {
name: 'PerGB2018'
}
},
logDataCap>0 ? { workspaceCapping: {
dailyQuotaGb: logDataCap
@ -1541,7 +1546,8 @@ resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (cre
resource containerLogsV2_Basiclogs 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = if(containerLogsV2BasicLogs){
name: '${aks_law_name}/ContainerLogV2'
name: 'ContainerLogV2'
parent: aks_law
properties: {
plan: 'Basic'
}
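Review bot: `priority: '1'` in the request routing rule is a string, while the Application Gateway schema declares `priority` as an integer (1–20000); `priority: 1` matches the schema and does not rely on the resource provider coercing the string. Because `appgwProperties` is a `union()`-built var rather than a typed resource body, Bicep cannot flag the mismatch at build time, so any rejection would surface only at deployment. Priorities must also be distinct across rules on one gateway; with the single `appGwRoutingRuleName` rule that is fine today but worth a comment if more rules are added. The `appgwProperties` var opens and closes outside this hunk.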


@ -96,7 +96,7 @@ var fw_subnet = {
/// ---- Firewall VNET config
module calcAzFwIp './calcAzFwIp.bicep' = if (azureFirewalls) {
name: 'calcAzFwIp'
name: take('${deployment().name}-calcAzFwIp',64)
params: {
vnetFirewallSubnetAddressPrefix: vnetFirewallSubnetAddressPrefix
}
@ -174,7 +174,7 @@ var subnets = union(
output debugSubnets array = subnets
var vnetName = 'vnet-${resourceName}'
resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
name: vnetName
location: location
properties: {
@ -196,7 +196,7 @@ output appGwSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subn
output privateLinkSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, private_link_subnet_name)
module aks_vnet_con 'networksubnetrbac.bicep' = if (!empty(aksPrincipleId)) {
name: '${resourceName}-subnetRbac'
name: take('${deployment().name}-subnetRbac',64)
params: {
servicePrincipalId: aksPrincipleId
subnetName: aks_subnet_name
@ -328,7 +328,7 @@ var publicIpAddressName = 'pip-${bastionHostName}'
])
param bastionSku string = 'Standard'
resource bastionPip 'Microsoft.Network/publicIPAddresses@2021-03-01' = if(bastion) {
resource bastionPip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if(bastion) {
name: publicIpAddressName
location: location
sku: {
@ -371,8 +371,7 @@ resource log 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if
param CreateNsgFlowLogs bool = false
var flowLogStorageRawName = replace(toLower('stflow${resourceName}${uniqueString(resourceGroup().id, resourceName)}'),'-','')
var flowLogStorageName = length(flowLogStorageRawName) > 24 ? substring(flowLogStorageRawName, 0, 24) : flowLogStorageRawName
var flowLogStorageName = take(replace(toLower('stflow${resourceName}${uniqueString(resourceGroup().id, resourceName)}'),'-',''),24)
resource flowLogStor 'Microsoft.Storage/storageAccounts@2021-08-01' = if(CreateNsgFlowLogs && networkSecurityGroups) {
name: flowLogStorageName
kind: 'StorageV2'
@ -387,7 +386,7 @@ resource flowLogStor 'Microsoft.Storage/storageAccounts@2021-08-01' = if(CreateN
//NSG's
module nsgAks 'nsg.bicep' = if(networkSecurityGroups) {
name: 'nsgAks'
name: take('${deployment().name}-nsgAks',64)
params: {
location: location
resourceName: '${aks_subnet_name}-${resourceName}'
@ -402,7 +401,7 @@ module nsgAks 'nsg.bicep' = if(networkSecurityGroups) {
}
module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) {
name: 'nsgAcrPool'
name: take('${deployment().name}-nsgAcrPool',64)
params: {
location: location
resourceName: '${acrpool_subnet_name}-${resourceName}'
@ -417,7 +416,7 @@ module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) {
}
module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGroups) {
name: 'nsgAppGw'
name: take('${deployment().name}-nsgAppGw',64)
params: {
location: location
resourceName: '${appgw_subnet_name}-${resourceName}'
@ -438,7 +437,7 @@ module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGro
}
module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) {
name: 'nsgBastion'
name: take('${deployment().name}-nsgBastion',64)
params: {
location: location
resourceName: '${bastion_subnet_name}-${resourceName}'
@ -459,7 +458,7 @@ module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) {
}
module nsgPrivateLinks 'nsg.bicep' = if(privateLinks && networkSecurityGroups) {
name: 'nsgPrivateLinks'
name: take('${deployment().name}-nsgPrivateLinks',64)
params: {
location: location
resourceName: '${private_link_subnet_name}-${resourceName}'


@ -19,7 +19,8 @@ resource networkWatcher 'Microsoft.Network/networkWatchers@2022-01-01' = {
}
resource nsgFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2021-05-01' = {
name: '${networkWatcher.name}/${name}'
name: name
parent: networkWatcher
location: location
properties: {
targetResourceId: nsgId


@ -14,7 +14,7 @@ output nsgId string = nsg.id
param ruleInAllowGwManagement bool = false
param ruleInGwManagementPort string = '443,65200-65535'
resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowGwManagement) {
resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowGwManagement) {
parent: nsg
name: 'Allow_AppGatewayManagement'
properties: {
@ -30,7 +30,7 @@ resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRu
}
param ruleInAllowAzureLoadBalancer bool = false
resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if (ruleInAllowAzureLoadBalancer) {
resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if (ruleInAllowAzureLoadBalancer) {
parent: nsg
name: 'Allow_AzureLoadBalancer'
properties: {
@ -50,7 +50,7 @@ resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/security
}
param ruleInDenyInternet bool = false
resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInDenyInternet) {
resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInDenyInternet) {
parent: nsg
name: 'Deny_AllInboundInternet'
properties: {
@ -71,7 +71,7 @@ resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules
}
param ruleInAllowInternetHttp bool = false
resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowInternetHttp) {
resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowInternetHttp) {
parent: nsg
name: 'Allow_Internet_Http'
properties: {
@ -92,7 +92,7 @@ resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules
}
param ruleInAllowInternetHttps bool = false
resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowInternetHttps) {
resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowInternetHttps) {
parent: nsg
name: 'Allow_Internet_Https'
properties: {
@ -113,7 +113,7 @@ resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRule
}
param ruleInAllowBastionHostComms bool = false
resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowBastionHostComms) {
resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowBastionHostComms) {
parent: nsg
name: 'Allow_Bastion_Host_Communication'
properties: {
@ -135,7 +135,7 @@ resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@
}
param ruleOutAllowBastionComms bool = false
resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
parent: nsg
name: 'Allow_SshRdp_Outbound'
properties: {
@ -156,7 +156,7 @@ resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securi
}
}
resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
parent: nsg
name: 'Allow_Azure_Cloud_Outbound'
properties: {
@ -176,7 +176,7 @@ resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securit
}
}
resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
parent: nsg
name: 'Allow_Bastion_Communication'
properties: {
@ -197,7 +197,7 @@ resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/
}
}
resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
parent: nsg
name: 'Allow_Get_Session_Info'
properties: {
@ -218,7 +218,7 @@ resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/s
}
param ruleInDenySsh bool = false
resource ruleSshIngressDeny 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInDenySsh) {
resource ruleSshIngressDeny 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInDenySsh) {
parent: nsg
name: 'DenySshInbound'
properties: {
@ -260,7 +260,7 @@ resource nsgDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = i
param FlowLogStorageAccountId string = ''
param FlowLogTrafficAnalytics bool = !empty(FlowLogStorageAccountId)
module nsgFlow 'networkwatcherflowlog.bicep' = if(!empty(FlowLogStorageAccountId)) {
name: 'flow-${nsgName}'
name: take('${deployment().name}-flow-${nsgName}',64)
scope: resourceGroup('NetworkWatcherRG')
params: {
location:location