diff --git a/.gitignore b/.gitignore
index a17bfd999..20050abeb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,4 @@ bicep/main.json
 helper/localsite.html
 helper/prodsite.html
 helper/build/**
+container-azm-ms-agentconfig.yaml
diff --git a/bicep/acragentpool.bicep b/bicep/acragentpool.bicep
index 4bba2c434..2b45b0e65 100644
--- a/bicep/acragentpool.bicep
+++ b/bicep/acragentpool.bicep
@@ -2,7 +2,7 @@ param location string = resourceGroup().location
 param acrName string
 param acrPoolSubnetId string = ''
-resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' existing = {
+resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
 name: acrName
 }
diff --git a/bicep/aksagentpool.bicep b/bicep/aksagentpool.bicep
index 100992aaf..fae38e2f1 100644
--- a/bicep/aksagentpool.bicep
+++ b/bicep/aksagentpool.bicep
@@ -59,8 +59,8 @@ resource userNodepool 'Microsoft.ContainerService/managedClusters/agentPools@202
 mode: 'User'
 vmSize: agentVMSize
 count: agentCount
- minCount: autoScale ? agentCount : json('null')
- maxCount: autoScale ? agentCountMax : json('null')
+ minCount: autoScale ? agentCount : null
+ maxCount: autoScale ? agentCountMax : null
 enableAutoScaling: autoScale
 availabilityZones: !empty(availabilityZones) ? availabilityZones : null
 osDiskType: osDiskType
@@ -69,7 +69,7 @@ resource userNodepool 'Microsoft.ContainerService/managedClusters/agentPools@202
 osType: osType
 maxPods: maxPods
 type: 'VirtualMachineScaleSets'
- vnetSubnetID: !empty(subnetId) ? subnetId : json('null')
+ vnetSubnetID: !empty(subnetId) ? subnetId : null
 upgradeSettings: {
 maxSurge: '33%'
 }
diff --git a/bicep/aksnetcontrib.bicep b/bicep/aksnetcontrib.bicep
index bae871c89..488318c24 100644
--- a/bicep/aksnetcontrib.bicep
+++ b/bicep/aksnetcontrib.bicep
@@ -15,15 +15,15 @@ var networkContributorRole = subscriptionResourceId('Microsoft.Authorization/rol
 var existingAksSubnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[10] : ''
 var existingAksVnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[8] : ''
-resource existingvnet 'Microsoft.Network/virtualNetworks@2021-02-01' existing = {
+resource existingvnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
 name: existingAksVnetName
 }
-resource existingAksSubnet 'Microsoft.Network/virtualNetworks/subnets@2020-08-01' existing = {
+resource existingAksSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = {
 parent: existingvnet
 name: existingAksSubnetName
 }
-resource subnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (rbacAssignmentScope == 'subnet') {
+resource subnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope == 'subnet') {
 name: guid(user_identity_principalId, networkContributorRole, existingAksSubnetName)
 scope: existingAksSubnet
 properties: {
@@ -33,7 +33,7 @@ resource subnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview'
 }
 }
-resource existingVnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (rbacAssignmentScope != 'subnet') {
+resource existingVnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope != 'subnet') {
 name: guid(user_identity_principalId, networkContributorRole, existingAksVnetName)
 scope: existingvnet
 properties: {
diff --git a/bicep/appgw.bicep b/bicep/appgw.bicep
index 82c0e2a25..41de07ee7 100644
--- a/bicep/appgw.bicep
+++ b/bicep/appgw.bicep
@@ -25,7 +25,7 @@ resource appgwpip 'Microsoft.Network/publicIPAddresses@2020-07-01' = {
 var frontendPublicIpConfig = {
 properties: {
 publicIPAddress: {
- id: '${appgwpip.id}'
+ id: appgwpip.id
 }
 }
 name: 'appGatewayFrontendIP'
diff --git a/bicep/bicepconfig.json b/bicep/bicepconfig.json
index a4efe8882..eac32d5e8 100644
--- a/bicep/bicepconfig.json
+++ b/bicep/bicepconfig.json
@@ -1,9 +1,13 @@
+
 {
 "analyzers": {
 "core": {
 "enabled": true,
 "verbose": false,
 "rules": {
+ "use-recent-api-versions" : {
+ "level": "warning"
+ },
 "no-hardcoded-location" : {
 "level": "error"
 },
diff --git a/bicep/dnsZone.bicep b/bicep/dnsZone.bicep
index 2f678304c..82cc6547c 100644
--- a/bicep/dnsZone.bicep
+++ b/bicep/dnsZone.bicep
@@ -12,7 +12,7 @@ resource privateDns 'Microsoft.Network/privateDnsZones@2020-06-01' existing = if
 }
 var DNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
-resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (!isPrivate) {
+resource dnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!isPrivate) {
 scope: dns
 name: guid(dns.id, principalId, DNSZoneContributor)
 properties: {
@@ -23,7 +23,7 @@ resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
 }
 var PrivateDNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
-resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (isPrivate) {
+resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (isPrivate) {
 scope: privateDns
 name: guid(privateDns.id, principalId, PrivateDNSZoneContributor)
 properties: {
diff --git a/bicep/dnsZoneRbac.bicep b/bicep/dnsZoneRbac.bicep
index 47336eeb0..4713c56e1 100644
--- a/bicep/dnsZoneRbac.bicep
+++ b/bicep/dnsZoneRbac.bicep
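Review bot: The first added line of the bicepconfig.json hunk is an empty line placed in front of the opening `{`; it is almost certainly accidental and should be dropped so the file keeps starting with `{` on line 1. The rest of the hunk enables `use-recent-api-versions` at `warning`, which matches the API-version bumps made across the other files and follows the existing `"rule" : {` formatting. Keep in mind this rule only warns, so a resource left behind on an old version, such as the storage account in the network.bicep flowLogStor hunk that is still on `2021-08-01`, will show up as a warning rather than block the build.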
@@ -15,7 +15,7 @@ var dnsZoneName = !empty(dnsZoneId) ? split(dnsZoneId, '/')[8] : ''
 var isDnsZonePrivate = !empty(dnsZoneId) ? split(dnsZoneId, '/')[7] == 'privateDnsZones' : false
 module dnsZone './dnsZone.bicep' = if (!empty(dnsZoneId)) {
- name: 'dns-${dnsZoneName}'
+ name: take('${deployment().name}-dns-${dnsZoneName}',64)
 scope: resourceGroup(dnsZoneRg)
 params: {
 dnsZoneName: dnsZoneName
diff --git a/bicep/firewall.bicep b/bicep/firewall.bicep
index 2fd934ce6..b2bf15bed 100644
--- a/bicep/firewall.bicep
+++ b/bicep/firewall.bicep
@@ -25,7 +25,7 @@ var managementIpConfig = {
 }
 }
-resource fw_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = {
+resource fw_pip 'Microsoft.Network/publicIPAddresses@2022-07-01' = {
 name: firewallPublicIpName
 location: location
 sku: {
@@ -38,7 +38,7 @@ resource fw_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = {
 }
 }
-resource fwManagementIp_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = if(fwSku=='Basic') {
+resource fwManagementIp_pip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if(fwSku=='Basic') {
 name: firewallManagementPublicIpName
 location: location
 sku: {
diff --git a/bicep/keyvault.bicep b/bicep/keyvault.bicep
index 3a6283f3d..2ba5b82aa 100644
--- a/bicep/keyvault.bicep
+++ b/bicep/keyvault.bicep
@@ -21,14 +21,13 @@ param keyVaultIPAllowlist array = []
 param logAnalyticsWorkspaceId string = ''
-var akvRawName = 'kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}'
-var akvName = length(akvRawName) > 24 ? substring(akvRawName, 0, 24) : akvRawName
+var akvName = take('kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}',24)
 var kvIPRules = [for kvIp in keyVaultIPAllowlist: { value: kvIp }]
-resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
+resource kv 'Microsoft.KeyVault/vaults@2022-07-01' = {
 name: akvName
 location: location
 properties: {
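Review bot: `take('${deployment().name}-dns-${dnsZoneName}',64)` truncates from the end, so when the parent deployment name is long the distinguishing `dns-${dnsZoneName}` suffix is what gets cut, and two modules can resolve to the same nested deployment name, or to the parent's own name once `deployment().name` is already 64 characters. Putting the unique part first and hashing the prefix keeps both uniqueness and the 64-character limit: `name: take('dns-${dnsZoneName}-${uniqueString(deployment().name)}', 64)`. The same pattern is introduced by every module rename in main.bicep, network.bicep and nsg.bicep in this change and would want the same treatment. The module declaration continues past the end of the hunk.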
@@ -52,7 +51,7 @@ resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = {
 enabledForDiskEncryption: false
 enabledForTemplateDeployment: false
 enableSoftDelete: keyVaultSoftDelete
- enablePurgeProtection: keyVaultPurgeProtection ? true : json('null')
+ enablePurgeProtection: keyVaultPurgeProtection ? true : null
 }
 }
diff --git a/bicep/keyvaultkey.bicep b/bicep/keyvaultkey.bicep
index f00bf6701..c564cfbba 100644
--- a/bicep/keyvaultkey.bicep
+++ b/bicep/keyvaultkey.bicep
@@ -1,10 +1,10 @@
 param keyVaultName string
-resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
+resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
 name: keyVaultName
 }
-resource kvKmsKey 'Microsoft.KeyVault/vaults/keys@2021-11-01-preview' = {
+resource kvKmsKey 'Microsoft.KeyVault/vaults/keys@2022-07-01' = {
 name: 'kmskey'
 parent: kv
 properties: {
diff --git a/bicep/keyvaultrbac.bicep b/bicep/keyvaultrbac.bicep
index 6ef65dd1e..eeae10120 100644
--- a/bicep/keyvaultrbac.bicep
+++ b/bicep/keyvaultrbac.bicep
@@ -48,7 +48,7 @@ var keyVaultCryptoUserRole = subscriptionResourceId('Microsoft.Authorization/rol
 var keyVaultCryptoOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603')
 var keyVaultCryptoServiceEncrpytionRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6')
-resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = {
+resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
 name: keyVaultName
 }
diff --git a/bicep/main.bicep b/bicep/main.bicep
index 4a0427cfa..f355b116c 100644
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@@ -40,7 +40,7 @@ param byoAGWSubnetId string = ''
 //--- Custom, BYO networking and PrivateApiZones requires BYO AKS User Identity
 var createAksUai = custom_vnet || !empty(byoAKSSubnetId) || !empty(dnsApiPrivateZoneId) || keyVaultKmsCreateAndPrereqs || !empty(keyVaultKmsByoKeyId)
-resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = if (createAksUai) {
+resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (createAksUai) {
 name: 'id-aks-${resourceName}'
 location: location
 }
@@ -49,7 +49,7 @@ resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-pre
 var existingAksVnetRG = !empty(byoAKSSubnetId) ? (length(split(byoAKSSubnetId, '/')) > 4 ? split(byoAKSSubnetId, '/')[4] : '') : ''
 module aksnetcontrib './aksnetcontrib.bicep' = if (!empty(byoAKSSubnetId) && createAksUai) {
- name: 'addAksNetContributor'
+ name: take('${deployment().name}-addAksNetContributor',64)
 scope: resourceGroup(existingAksVnetRG)
 params: {
 byoAKSSubnetId: byoAKSSubnetId
@@ -115,7 +115,7 @@ param CreateNetworkSecurityGroups bool = false
 param CreateNetworkSecurityGroupFlowLogs bool = false
 module network './network.bicep' = if (custom_vnet) {
- name: 'network'
+ name: take('${deployment().name}-network',64)
 params: {
 resourceName: resourceName
 location: location
@@ -166,7 +166,7 @@ param dnsZoneId string = ''
 var isDnsZonePrivate = !empty(dnsZoneId) ? split(dnsZoneId, '/')[7] == 'privateDnsZones' : false
 module dnsZone './dnsZoneRbac.bicep' = if (!empty(dnsZoneId)) {
- name: 'addDnsContributor'
+ name: take('${deployment().name}-addDnsContributor',64)
 params: {
 dnsZoneId: dnsZoneId
 vnetId: isDnsZonePrivate ? (!empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/subnets')[0] : (custom_vnet ? network.outputs.vnetId : '')) : ''
@@ -202,7 +202,7 @@ param keyVaultAksCSIPollInterval string = '2m'
 @description('Creates a KeyVault for application secrets (eg. CSI)')
 module kv 'keyvault.bicep' = if(keyVaultCreate) {
- name: 'keyvaultApps'
+ name: take('${deployment().name}-keyvaultApps',64)
 params: {
 resourceName: resourceName
 keyVaultPurgeProtection: keyVaultPurgeProtection
@@ -224,7 +224,7 @@ var rbacSecretUserSps = union([deployAppGw && appgwKVIntegration ? appGwIdentity
 @description('A seperate module is used for RBAC to avoid delaying the KeyVault creation and causing a circular reference.')
 module kvRbac 'keyvaultrbac.bicep' = if (keyVaultCreate) {
- name: 'KeyVaultAppsRbac'
+ name: take('${deployment().name}-KeyVaultAppsRbac',64)
 params: {
 keyVaultName: keyVaultCreate ? kv.outputs.keyVaultName : ''
@@ -266,14 +266,14 @@ var kmsRbacWaitSeconds=30
 @description('This indicates if the deploying user has provided their PrincipalId in order for the key to be created')
 var keyVaultKmsCreateAndPrereqs = keyVaultKmsCreate && !empty(keyVaultKmsOfficerRolePrincipalId) && privateLinks == false
-resource kvKmsByo 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = if(!empty(keyVaultKmsByoName)) {
+resource kvKmsByo 'Microsoft.KeyVault/vaults@2022-07-01' existing = if(!empty(keyVaultKmsByoName)) {
 name: keyVaultKmsByoName
 scope: resourceGroup(keyVaultKmsByoRG)
 }
 @description('Creates a new Key vault for a new KMS Key')
 module kvKms 'keyvault.bicep' = if(keyVaultKmsCreateAndPrereqs) {
- name: 'keyvaultKms-${resourceName}'
+ name: take('${deployment().name}-keyvaultKms-${resourceName}',64)
 params: {
 resourceName: 'kms${resourceName}'
 keyVaultPurgeProtection: keyVaultPurgeProtection
@@ -285,7 +285,7 @@ module kvKms 'keyvault.bicep' = if(keyVaultKmsCreateAndPrereqs) {
 }
 module kvKmsCreatedRbac 'keyvaultrbac.bicep' = if(keyVaultKmsCreateAndPrereqs) {
- name: 'keyvaultKmsRbacs-${resourceName}'
+ name: take('${deployment().name}-keyvaultKmsRbacs-${resourceName}',64)
 params: {
 keyVaultName: keyVaultKmsCreate ? kvKms.outputs.keyVaultName : ''
 //We can't create a kms kv and key and do privatelink. Private Link is a BYO scenario
@@ -308,7 +308,7 @@ module kvKmsCreatedRbac 'keyvaultrbac.bicep' = if(keyVaultKmsCreateAndPrereqs) {
 }
 module kvKmsByoRbac 'keyvaultrbac.bicep' = if(!empty(keyVaultKmsByoKeyId)) {
- name: 'keyvaultKmsByoRbacs-${resourceName}'
+ name: take('${deployment().name}-keyvaultKmsByoRbacs-${resourceName}',64)
 scope: resourceGroup(keyVaultKmsByoRG)
 params: {
 keyVaultName: kvKmsByo.name
@@ -325,7 +325,7 @@ module kvKmsByoRbac 'keyvaultrbac.bicep' = if(!empty(keyVaultKmsByoKeyId)) {
 @description('It can take time for the RBAC to propagate, this delays the deployment to avoid this problem')
 module waitForKmsRbac 'br/public:deployment-scripts/wait:1.0.1' = if(keyVaultKmsCreateAndPrereqs && kmsRbacWaitSeconds>0) {
- name: 'keyvaultKmsRbac-waits-${resourceName}'
+ name: take('${deployment().name}-keyvaultKmsRbac-waits-${resourceName}',64)
 params: {
 waitSeconds: kmsRbacWaitSeconds
 location: location
@@ -337,7 +337,7 @@ module waitForKmsRbac 'br/public:deployment-scripts/wait:1.0.1' = if(keyVaultKms
 @description('Adding a key to the keyvault... We can only do this for public key vaults')
 module kvKmsKey 'keyvaultkey.bicep' = if(keyVaultKmsCreateAndPrereqs) {
- name: 'keyvaultKmsKeys-${resourceName}'
+ name: take('${deployment().name}-keyvaultKmsKeys-${resourceName}',64)
 params: {
 keyVaultName: keyVaultKmsCreateAndPrereqs ? kvKms.outputs.keyVaultName : ''
 }
@@ -393,7 +393,7 @@ param acrUntaggedRetentionPolicy int = 30
 var acrName = 'cr${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}'
-resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = if (!empty(registries_sku)) {
+resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = if (!empty(registries_sku)) {
 name: acrName
 location: location
 sku: {
@@ -409,7 +409,7 @@ resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = if (!
 retentionPolicy: acrUntaggedRetentionPolicyEnabled ? {
 status: 'enabled'
 days: acrUntaggedRetentionPolicy
- } : json('null')
+ } : null
 }
 publicNetworkAccess: privateLinks /* && empty(acrIPWhitelist)*/ ? 'Disabled' : 'Enabled'
 zoneRedundancy: acrZoneRedundancyEnabled
@@ -459,7 +459,7 @@ resource acrDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = i
 //resource acrPool 'Microsoft.ContainerRegistry/registries/agentPools@2019-06-01-preview' = if (custom_vnet && (!empty(registries_sku)) && privateLinks && acrPrivatePool) {
 module acrPool 'acragentpool.bicep' = if (custom_vnet && (!empty(registries_sku)) && privateLinks && acrPrivatePool) {
- name: 'acrprivatepool'
+ name: take('${deployment().name}-acrprivatepool',64)
 params: {
 acrName: acr.name
 acrPoolSubnetId: custom_vnet ? network.outputs.acrPoolSubnetId : ''
@@ -498,12 +498,13 @@ resource aks_acr_push 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
 param imageNames array = []
-module acrImport 'br/public:deployment-scripts/import-acr:2.0.1' = if (!empty(registries_sku) && !empty(imageNames)) {
- name: 'testAcrImportMulti'
+module acrImport 'br/public:deployment-scripts/import-acr:3.0.1' = if (!empty(registries_sku) && !empty(imageNames)) {
+ name: take('${deployment().name}-AcrImport',64)
 params: {
 acrName: acr.name
 location: location
 images: imageNames
+ managedIdentityName: 'id-acrImport-${resourceName}-${location}'
 }
 }
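Review bot: The new `managedIdentityName` handed to `import-acr:3.0.1` names a user-assigned identity that, as far as this hunk shows, the public module creates and presumably grants rights on `acr`, yet nothing in the file records which role it receives or that the identity outlives the one-off deployment script. That matters more now that the registry can be `publicNetworkAccess: 'Disabled'` under private links, since the identity is the one principal guaranteed a path to import into it. I would add a comment above the module, e.g. `// import-acr 3.0.1 creates this identity and assigns it a role on the registry; the identity persists after the script runs, review its scope before reuse`, and confirm from the module's source that the role assignment is scoped to the registry rather than the resource group. The earlier hunks in this file (API-version bump and `json('null')` to `null`) raise nothing.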
@@ -539,7 +540,7 @@ param certManagerFW bool = false
 param azureFirewallSku string = 'Standard'
 module firewall './firewall.bicep' = if (azureFirewalls && custom_vnet) {
- name: 'firewall'
+ name: take('${deployment().name}-firewall',64)
 params: {
 resourceName: resourceName
 location: location
@@ -596,7 +597,7 @@ var appGWenableWafFirewall = appGWsku=='Standard_v2' ? false : appGWenableFirewa
 // If integrating App Gateway with KeyVault, create a Identity App Gateway will use to access keyvault
 // 'identity' is always created (adding: "|| deployAppGw") until this is fixed:
 // https://github.com/Azure/bicep/issues/387#issuecomment-885671296
-resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = if (deployAppGw) {
+resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (deployAppGw) {
 name: 'id-appgw-${resourceName}'
 location: location
 }
@@ -604,7 +605,7 @@ resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11
 var appgwName = 'agw-${resourceName}'
 var appgwResourceId = deployAppGw ? resourceId('Microsoft.Network/applicationGateways', '${appgwName}') : ''
-resource appgwpip 'Microsoft.Network/publicIPAddresses@2021-02-01' = if (deployAppGw) {
+resource appgwpip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if (deployAppGw) {
 name: 'pip-agw-${resourceName}'
 location: location
 sku: {
@@ -722,6 +723,7 @@ var appgwProperties = union({
 name: 'appGwRoutingRuleName'
 properties: {
 ruleType: 'Basic'
+ priority: '1'
 httpListener: {
 id: '${appgwResourceId}/httpListeners/hlisten'
 }
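Review bot: `priority: '1'` in the appGwRoutingRuleName rule is a string, but `requestRoutingRules[].properties.priority` on applicationGateways is an integer (1 to 20000) and, as I understand it, is what the `2022-07-01` API version adopted later in this change requires for v2 SKUs; because the object sits inside the untyped `appgwProperties` var built with `union(...)`, Bicep will not type-check it and the mismatch would surface only at deployment as a rejection or a silent coercion. Change it to `priority: 1`. The enclosing `var appgwProperties = union({` both starts and ends outside the hunk, so I could not check whether any other rule in it also needs a priority.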
@@ -742,7 +744,7 @@ var appgwProperties = union({
 } : {})
 // 'identity' is always set until this is fixed: https://github.com/Azure/bicep/issues/387#issuecomment-885671296
-resource appgw 'Microsoft.Network/applicationGateways@2021-02-01' = if (deployAppGw) {
+resource appgw 'Microsoft.Network/applicationGateways@2022-07-01' = if (deployAppGw) {
 name: appgwName
 location: location
 zones: !empty(availabilityZones) ? availabilityZones : []
@@ -1113,7 +1115,7 @@ var systemPoolBase = {
 osType: 'Linux'
 maxPods: 30
 type: 'VirtualMachineScaleSets'
- vnetSubnetID: !empty(aksSubnetId) ? aksSubnetId : json('null')
+ vnetSubnetID: !empty(aksSubnetId) ? aksSubnetId : null
 upgradeSettings: {
 maxSurge: '33%'
 }
@@ -1280,7 +1282,7 @@ defenderForContainers && createLaw ? azureDefenderSecurityProfile : {},
 keyVaultKmsCreateAndPrereqs || !empty(keyVaultKmsByoKeyId) ? azureKeyVaultKms : {}
 )
-resource aks 'Microsoft.ContainerService/managedClusters@2022-10-02-preview' = {
+resource aks 'Microsoft.ContainerService/managedClusters@2022-11-02-preview' = {
 name: 'aks-${resourceName}'
 location: location
 properties: aksProperties
@@ -1345,7 +1347,7 @@ output aksResourceId string = aks.id
 @description('Not giving Rbac at the vnet level when using private dns results in ReconcilePrivateDNS. Therefore we need to upgrade the scope when private dns is being used, because it wants to set up the dns->vnet integration.')
 var uaiNetworkScopeRbac = enablePrivateCluster && !empty(dnsApiPrivateZoneId) ? 'Vnet' : 'Subnet'
 module privateDnsZoneRbac './dnsZoneRbac.bicep' = if (enablePrivateCluster && !empty(dnsApiPrivateZoneId) && createAksUai) {
- name: 'addPrivateK8sApiDnsContributor'
+ name: take('${deployment().name}-addPrivateK8sApiDnsContributor',64)
 params: {
 vnetId: ''
 dnsZoneId: dnsApiPrivateZoneId
@@ -1356,7 +1358,7 @@ module privateDnsZoneRbac './dnsZoneRbac.bicep' = if (enablePrivateCluster && !e
 var policySetBaseline = '/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d'
 var policySetRestrictive = '/providers/Microsoft.Authorization/policySetDefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00'
-resource aks_policies 'Microsoft.Authorization/policyAssignments@2020-09-01' = if (!empty(azurepolicy)) {
+resource aks_policies 'Microsoft.Authorization/policyAssignments@2022-06-01' = if (!empty(azurepolicy)) {
 name: '${resourceName}-${azurePolicyInitiative}'
 location: location
 properties: {
@@ -1401,7 +1403,7 @@ resource aks_admin_role_assignment 'Microsoft.Authorization/roleAssignments@2022
 param fluxGitOpsAddon bool = false
-resource fluxAddon 'Microsoft.KubernetesConfiguration/extensions@2022-04-02-preview' = if(fluxGitOpsAddon) {
+resource fluxAddon 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = if(fluxGitOpsAddon) {
 name: 'flux'
 scope: aks
 properties: {
@@ -1424,7 +1426,7 @@ param daprAddon bool = false
 @description('Enable high availability (HA) mode for the Dapr control plane')
 param daprAddonHA bool = false
-resource daprExtension 'Microsoft.KubernetesConfiguration/extensions@2022-04-02-preview' = if(daprAddon) {
+resource daprExtension 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = if(daprAddon) {
 name: 'dapr'
 scope: aks
 properties: {
@@ -1502,7 +1504,7 @@ var AlertFrequencyLookup = {
 var AlertFrequency = AlertFrequencyLookup[AksMetricAlertMetricFrequencyModel]
 module aksmetricalerts './aksmetricalerts.bicep' = if (createLaw) {
- name: 'aksmetricalerts'
+ name: take('${deployment().name}-aksmetricalerts',64)
 scope: resourceGroup()
 params: {
 clusterName: aks.name
@@ -1532,6 +1534,9 @@ resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (cre
 location: location
 properties : union({
 retentionInDays: retentionInDays
+ sku: {
+ name: 'PerGB2018'
+ }
 }, logDataCap>0 ? {
 workspaceCapping: {
 dailyQuotaGb: logDataCap
@@ -1541,7 +1546,8 @@ resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (cre
 resource containerLogsV2_Basiclogs 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = if(containerLogsV2BasicLogs){
- name: '${aks_law_name}/ContainerLogV2'
+ name: 'ContainerLogV2'
+ parent: aks_law
 properties: {
 plan: 'Basic'
 }
diff --git a/bicep/network.bicep b/bicep/network.bicep
index 0ec70091a..252f715b3 100644
--- a/bicep/network.bicep
+++ b/bicep/network.bicep
@@ -96,7 +96,7 @@ var fw_subnet = {
 /// ---- Firewall VNET config
 module calcAzFwIp './calcAzFwIp.bicep' = if (azureFirewalls) {
- name: 'calcAzFwIp'
+ name: take('${deployment().name}-calcAzFwIp',64)
 params: {
 vnetFirewallSubnetAddressPrefix: vnetFirewallSubnetAddressPrefix
 }
@@ -174,7 +174,7 @@ var subnets = union(
 output debugSubnets array = subnets
 var vnetName = 'vnet-${resourceName}'
-resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
+resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
 name: vnetName
 location: location
 properties: {
@@ -196,7 +196,7 @@ output appGwSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subn
 output privateLinkSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, private_link_subnet_name)
 module aks_vnet_con 'networksubnetrbac.bicep' = if (!empty(aksPrincipleId)) {
- name: '${resourceName}-subnetRbac'
+ name: take('${deployment().name}-subnetRbac',64)
 params: {
 servicePrincipalId: aksPrincipleId
 subnetName: aks_subnet_name
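Review bot: `parent: aks_law` makes containerLogsV2_Basiclogs depend on a resource that is itself conditional (the hunk header shows `= if (cre`, which looks like the `createLaw` guard used by the aksmetricalerts module), while the table is guarded only by `containerLogsV2BasicLogs`; with `containerLogsV2BasicLogs` true and `createLaw` false the deployment now references a workspace that is not deployed, and the old name-string form had the same gap without the explicit dependency. Guard the table the same way: `resource containerLogsV2_Basiclogs 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = if (createLaw && containerLogsV2BasicLogs) {`. The added `sku: { name: 'PerGB2018' }` in the first hunk is fine as long as it is intended that a pre-existing workspace on a different SKU gets moved to this one on redeploy. Both aks_law hunks cut through the resource body, so the exact condition is not visible here.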
@@ -328,7 +328,7 @@ var publicIpAddressName = 'pip-${bastionHostName}'
 ])
 param bastionSku string = 'Standard'
-resource bastionPip 'Microsoft.Network/publicIPAddresses@2021-03-01' = if(bastion) {
+resource bastionPip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if(bastion) {
 name: publicIpAddressName
 location: location
 sku: {
@@ -371,8 +371,7 @@ resource log 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if
 param CreateNsgFlowLogs bool = false
-var flowLogStorageRawName = replace(toLower('stflow${resourceName}${uniqueString(resourceGroup().id, resourceName)}'),'-','')
-var flowLogStorageName = length(flowLogStorageRawName) > 24 ? substring(flowLogStorageRawName, 0, 24) : flowLogStorageRawName
+var flowLogStorageName = take(replace(toLower('stflow${resourceName}${uniqueString(resourceGroup().id, resourceName)}'),'-',''),24)
 resource flowLogStor 'Microsoft.Storage/storageAccounts@2021-08-01' = if(CreateNsgFlowLogs && networkSecurityGroups) {
 name: flowLogStorageName
 kind: 'StorageV2'
@@ -387,7 +386,7 @@ resource flowLogStor 'Microsoft.Storage/storageAccounts@2021-08-01' = if(CreateN
 //NSG's
 module nsgAks 'nsg.bicep' = if(networkSecurityGroups) {
- name: 'nsgAks'
+ name: take('${deployment().name}-nsgAks',64)
 params: {
 location: location
 resourceName: '${aks_subnet_name}-${resourceName}'
@@ -402,7 +401,7 @@ module nsgAks 'nsg.bicep' = if(networkSecurityGroups) {
 }
 module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) {
- name: 'nsgAcrPool'
+ name: take('${deployment().name}-nsgAcrPool',64)
 params: {
 location: location
 resourceName: '${acrpool_subnet_name}-${resourceName}'
@@ -417,7 +416,7 @@ module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) {
 }
 module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGroups) {
- name: 'nsgAppGw'
+ name: take('${deployment().name}-nsgAppGw',64)
 params: {
 location: location
 resourceName: '${appgw_subnet_name}-${resourceName}'
@@ -438,7 +437,7 @@ module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGro
 }
 module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) {
- name: 'nsgBastion'
+ name: take('${deployment().name}-nsgBastion',64)
 params: {
 location: location
 resourceName: '${bastion_subnet_name}-${resourceName}'
@@ -459,7 +458,7 @@ module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) {
 }
 module nsgPrivateLinks 'nsg.bicep' = if(privateLinks && networkSecurityGroups) {
- name: 'nsgPrivateLinks'
+ name: take('${deployment().name}-nsgPrivateLinks',64)
 params: {
 location: location
 resourceName: '${private_link_subnet_name}-${resourceName}'
diff --git a/bicep/networkwatcherflowlog.bicep b/bicep/networkwatcherflowlog.bicep
index 8c77e80d9..c8b1e018a 100644
--- a/bicep/networkwatcherflowlog.bicep
+++ b/bicep/networkwatcherflowlog.bicep
@@ -19,7 +19,8 @@ resource networkWatcher 'Microsoft.Network/networkWatchers@2022-01-01' = {
 }
 resource nsgFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2021-05-01' = {
- name: '${networkWatcher.name}/${name}'
+ name: name
+ parent: networkWatcher
 location: location
 properties: {
 targetResourceId: nsgId
diff --git a/bicep/nsg.bicep b/bicep/nsg.bicep
index e90e57f5d..b5501ea02 100644
--- a/bicep/nsg.bicep
+++ b/bicep/nsg.bicep
@@ -14,7 +14,7 @@ output nsgId string = nsg.id
 param ruleInAllowGwManagement bool = false
 param ruleInGwManagementPort string = '443,65200-65535'
-resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowGwManagement) {
+resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowGwManagement) {
 parent: nsg
 name: 'Allow_AppGatewayManagement'
 properties: {
@@ -30,7 +30,7 @@ resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRu
 }
 param ruleInAllowAzureLoadBalancer bool = false
-resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if (ruleInAllowAzureLoadBalancer) {
+resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if (ruleInAllowAzureLoadBalancer) {
 parent: nsg
 name: 'Allow_AzureLoadBalancer'
 properties: {
@@ -50,7 +50,7 @@ resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/security
 }
 param ruleInDenyInternet bool = false
-resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInDenyInternet) {
+resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInDenyInternet) {
 parent: nsg
 name: 'Deny_AllInboundInternet'
 properties: {
@@ -71,7 +71,7 @@ resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules
 }
 param ruleInAllowInternetHttp bool = false
-resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowInternetHttp) {
+resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowInternetHttp) {
 parent: nsg
 name: 'Allow_Internet_Http'
 properties: {
@@ -92,7 +92,7 @@ resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules
 }
 param ruleInAllowInternetHttps bool = false
-resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowInternetHttps) {
+resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowInternetHttps) {
 parent: nsg
 name: 'Allow_Internet_Https'
 properties: {
@@ -113,7 +113,7 @@ resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRule
 }
 param ruleInAllowBastionHostComms bool = false
-resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowBastionHostComms) {
+resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowBastionHostComms) {
 parent: nsg
 name: 'Allow_Bastion_Host_Communication'
 properties: {
@@ -135,7 +135,7 @@ resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@
 }
 param ruleOutAllowBastionComms bool = false
-resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
+resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
 parent: nsg
 name: 'Allow_SshRdp_Outbound'
 properties: {
@@ -156,7 +156,7 @@ resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securi
 }
 }
-resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
+resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
 parent: nsg
 name: 'Allow_Azure_Cloud_Outbound'
 properties: {
@@ -176,7 +176,7 @@ resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securit
 }
 }
-resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
+resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
 parent: nsg
 name: 'Allow_Bastion_Communication'
 properties: {
@@ -197,7 +197,7 @@ resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/
 }
 }
-resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
+resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
 parent: nsg
 name: 'Allow_Get_Session_Info'
 properties: {
@@ -218,7 +218,7 @@ resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/s
 }
 param ruleInDenySsh bool = false
-resource ruleSshIngressDeny 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInDenySsh) {
+resource ruleSshIngressDeny 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInDenySsh) {
 parent: nsg
 name: 'DenySshInbound'
 properties: {
@@ -260,7 +260,7 @@ resource nsgDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = i
 param FlowLogStorageAccountId string = ''
 param FlowLogTrafficAnalytics bool = !empty(FlowLogStorageAccountId)
 module nsgFlow 'networkwatcherflowlog.bicep' = if(!empty(FlowLogStorageAccountId)) {
- name: 'flow-${nsgName}'
+ name: take('${deployment().name}-flow-${nsgName}',64)
 scope: resourceGroup('NetworkWatcherRG')
 params: {
 location:location