From 31ecc684e1b6c40b701e1aec523ef6330f3fac2b Mon Sep 17 00:00:00 2001 From: Gordon Byers Date: Thu, 24 Nov 2022 14:25:38 +0000 Subject: [PATCH 01/11] deployment names + LAW sku --- bicep/dnsZoneRbac.bicep | 2 +- bicep/main.bicep | 33 ++++++++++++++++++--------------- bicep/network.bicep | 14 +++++++------- bicep/nsg.bicep | 2 +- 4 files changed, 27 insertions(+), 24 deletions(-) diff --git a/bicep/dnsZoneRbac.bicep b/bicep/dnsZoneRbac.bicep index 47336eeb0..903760d48 100644 --- a/bicep/dnsZoneRbac.bicep +++ b/bicep/dnsZoneRbac.bicep @@ -15,7 +15,7 @@ var dnsZoneName = !empty(dnsZoneId) ? split(dnsZoneId, '/')[8] : '' var isDnsZonePrivate = !empty(dnsZoneId) ? split(dnsZoneId, '/')[7] == 'privateDnsZones' : false module dnsZone './dnsZone.bicep' = if (!empty(dnsZoneId)) { - name: 'dns-${dnsZoneName}' + name: '${deployment().name}-dns-${dnsZoneName}' scope: resourceGroup(dnsZoneRg) params: { dnsZoneName: dnsZoneName diff --git a/bicep/main.bicep b/bicep/main.bicep index 674fe2886..2fd6a3f2a 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep @@ -49,7 +49,7 @@ resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = var existingAksVnetRG = !empty(byoAKSSubnetId) ? (length(split(byoAKSSubnetId, '/')) > 4 ? split(byoAKSSubnetId, '/')[4] : '') : '' module aksnetcontrib './aksnetcontrib.bicep' = if (!empty(byoAKSSubnetId) && createAksUai) { - name: 'addAksNetContributor' + name: '${deployment().name}-addAksNetContributor' scope: resourceGroup(existingAksVnetRG) params: { byoAKSSubnetId: byoAKSSubnetId @@ -115,7 +115,7 @@ param CreateNetworkSecurityGroups bool = false param CreateNetworkSecurityGroupFlowLogs bool = false module network './network.bicep' = if (custom_vnet) { - name: 'network' + name: '${deployment().name}-network' params: { resourceName: resourceName location: location 
@@ -165,7 +165,7 @@ param dnsZoneId string = '' var isDnsZonePrivate = !empty(dnsZoneId) ? split(dnsZoneId, '/')[7] == 'privateDnsZones' : false module dnsZone './dnsZoneRbac.bicep' = if (!empty(dnsZoneId)) { - name: 'addDnsContributor' + name: '${deployment().name}-addDnsContributor' params: { dnsZoneId: dnsZoneId vnetId: isDnsZonePrivate ? (!empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/subnets')[0] : (custom_vnet ? network.outputs.vnetId : '')) : '' @@ -201,7 +201,7 @@ param keyVaultAksCSIPollInterval string = '2m' @description('Creates a KeyVault for application secrets (eg. CSI)') module kv 'keyvault.bicep' = if(keyVaultCreate) { - name: 'keyvaultApps' + name: '${deployment().name}-keyvaultApps' params: { resourceName: resourceName keyVaultPurgeProtection: keyVaultPurgeProtection @@ -223,7 +223,7 @@ var rbacSecretUserSps = union([deployAppGw && appgwKVIntegration ? appGwIdentity @description('A seperate module is used for RBAC to avoid delaying the KeyVault creation and causing a circular reference.') module kvRbac 'keyvaultrbac.bicep' = if (keyVaultCreate) { - name: 'KeyVaultAppsRbac' + name: '${deployment().name}-KeyVaultAppsRbac' params: { keyVaultName: keyVaultCreate ? kv.outputs.keyVaultName : '' @@ -272,7 +272,7 @@ resource kvKmsByo 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = if(! @description('Creates a new Key vault for a new KMS Key') module kvKms 'keyvault.bicep' = if(keyVaultKmsCreateAndPrereqs) { - name: 'keyvaultKms-${resourceName}' + name: '${deployment().name}-keyvaultKms-${resourceName}' params: { resourceName: 'kms${resourceName}' keyVaultPurgeProtection: keyVaultPurgeProtection 
@@ -284,7 +284,7 @@ module kvKms 'keyvault.bicep' = if(keyVaultKmsCreateAndPrereqs) { } module kvKmsCreatedRbac 'keyvaultrbac.bicep' = if(keyVaultKmsCreateAndPrereqs) { - name: 'keyvaultKmsRbacs-${resourceName}' + name: '${deployment().name}-keyvaultKmsRbacs-${resourceName}' params: { keyVaultName: keyVaultKmsCreate ? kvKms.outputs.keyVaultName : '' //We can't create a kms kv and key and do privatelink. Private Link is a BYO scenario @@ -307,7 +307,7 @@ module kvKmsCreatedRbac 'keyvaultrbac.bicep' = if(keyVaultKmsCreateAndPrereqs) { } module kvKmsByoRbac 'keyvaultrbac.bicep' = if(!empty(keyVaultKmsByoKeyId)) { - name: 'keyvaultKmsByoRbacs-${resourceName}' + name: '${deployment().name}-keyvaultKmsByoRbacs-${resourceName}' scope: resourceGroup(keyVaultKmsByoRG) params: { keyVaultName: kvKmsByo.name @@ -324,7 +324,7 @@ module kvKmsByoRbac 'keyvaultrbac.bicep' = if(!empty(keyVaultKmsByoKeyId)) { @description('It can take time for the RBAC to propagate, this delays the deployment to avoid this problem') module waitForKmsRbac 'br/public:deployment-scripts/wait:1.0.1' = if(keyVaultKmsCreateAndPrereqs && kmsRbacWaitSeconds>0) { - name: 'keyvaultKmsRbac-waits-${resourceName}' + name: '${deployment().name}-keyvaultKmsRbac-waits-${resourceName}' params: { waitSeconds: kmsRbacWaitSeconds location: location @@ -336,7 +336,7 @@ module waitForKmsRbac 'br/public:deployment-scripts/wait:1.0.1' = if(keyVaultKms @description('Adding a key to the keyvault... We can only do this for public key vaults') module kvKmsKey 'keyvaultkey.bicep' = if(keyVaultKmsCreateAndPrereqs) { - name: 'keyvaultKmsKeys-${resourceName}' + name: '${deployment().name}-keyvaultKmsKeys-${resourceName}' params: { keyVaultName: keyVaultKmsCreateAndPrereqs ? kvKms.outputs.keyVaultName : '' } 
@@ -458,7 +458,7 @@ resource acrDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = i //resource acrPool 'Microsoft.ContainerRegistry/registries/agentPools@2019-06-01-preview' = if (custom_vnet && (!empty(registries_sku)) && privateLinks && acrPrivatePool) { module acrPool 'acragentpool.bicep' = if (custom_vnet && (!empty(registries_sku)) && privateLinks && acrPrivatePool) { - name: 'acrprivatepool' + name: '${deployment().name}-acrprivatepool' params: { acrName: acr.name acrPoolSubnetId: custom_vnet ? network.outputs.acrPoolSubnetId : '' @@ -498,7 +498,7 @@ resource aks_acr_push 'Microsoft.Authorization/roleAssignments@2022-04-01' = if param imageNames array = [] module acrImport 'br/public:deployment-scripts/import-acr:2.0.1' = if (!empty(registries_sku) && !empty(imageNames)) { - name: 'testAcrImportMulti' + name: '${deployment().name}-AcrImportMulti' params: { acrName: acr.name location: location @@ -538,7 +538,7 @@ param certManagerFW bool = false param azureFirewallSku string = 'Standard' module firewall './firewall.bicep' = if (azureFirewalls && custom_vnet) { - name: 'firewall' + name: '${deployment().name}-firewall' params: { resourceName: resourceName location: location @@ -1320,7 +1320,7 @@ output aksResourceId string = aks.id @description('Not giving Rbac at the vnet level when using private dns results in ReconcilePrivateDNS. Therefore we need to upgrade the scope when private dns is being used, because it wants to set up the dns->vnet integration.') var uaiNetworkScopeRbac = enablePrivateCluster && !empty(dnsApiPrivateZoneId) ? 'Vnet' : 'Subnet' module privateDnsZoneRbac './dnsZoneRbac.bicep' = if (enablePrivateCluster && !empty(dnsApiPrivateZoneId) && createAksUai) { - name: 'addPrivateK8sApiDnsContributor' + name: '${deployment().name}-addPrivateK8sApiDnsContributor' params: { vnetId: '' dnsZoneId: dnsApiPrivateZoneId 
@@ -1477,7 +1477,7 @@ var AlertFrequencyLookup = { var AlertFrequency = AlertFrequencyLookup[AksMetricAlertMetricFrequencyModel] module aksmetricalerts './aksmetricalerts.bicep' = if (createLaw) { - name: 'aksmetricalerts' + name: '${deployment().name}-aksmetricalerts' scope: resourceGroup() params: { clusterName: aks.name @@ -1507,6 +1507,9 @@ resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (cre location: location properties : union({ retentionInDays: retentionInDays + sku: { + name: 'PerGB2018' + } }, logDataCap>0 ? { workspaceCapping: { dailyQuotaGb: logDataCap diff --git a/bicep/network.bicep b/bicep/network.bicep index bfae921b3..d3df8ebb4 100644 --- a/bicep/network.bicep +++ b/bicep/network.bicep @@ -95,7 +95,7 @@ var fw_subnet = { /// ---- Firewall VNET config module calcAzFwIp './calcAzFwIp.bicep' = if (azureFirewalls) { - name: 'calcAzFwIp' + name: '${deployment().name}-calcAzFwIp' params: { vnetFirewallSubnetAddressPrefix: vnetFirewallSubnetAddressPrefix } @@ -183,7 +183,7 @@ output appGwSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subn output privateLinkSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, private_link_subnet_name) module aks_vnet_con 'networksubnetrbac.bicep' = if (!empty(aksPrincipleId)) { - name: '${resourceName}-subnetRbac' + name: '${deployment().name}-subnetRbac' params: { servicePrincipalId: aksPrincipleId subnetName: aks_subnet_name @@ -374,7 +374,7 @@ resource flowLogStor 'Microsoft.Storage/storageAccounts@2021-08-01' = if(CreateN //NSG's module nsgAks 'nsg.bicep' = if(networkSecurityGroups) { - name: 'nsgAks' + name: '${deployment().name}-nsgAks' params: { location: location resourceName: '${aks_subnet_name}-${resourceName}' 
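Review bot: The `sku` added to `aks_law` hard-codes `PerGB2018` inside the `properties` union, while the neighbouring `retentionInDays` and `logDataCap` are parameters; on a workspace that already exists under another pricing tier this may change the billing tier on redeploy, which is a decision operators usually want visible in the parameter file. A parameter with the current value as default keeps today's behaviour for everyone else: `@allowed(['PerGB2018', 'CapacityReservation']) param lawSku string = 'PerGB2018'` and `sku: { name: lawSku }`. The `aks_law` resource starts and ends outside the hunk.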
@@ -389,7 +389,7 @@ module nsgAks 'nsg.bicep' = if(networkSecurityGroups) { } module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) { - name: 'nsgAcrPool' + name: '${deployment().name}-nsgAcrPool' params: { location: location resourceName: '${acrpool_subnet_name}-${resourceName}' @@ -404,7 +404,7 @@ module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) { } module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGroups) { - name: 'nsgAppGw' + name: '${deployment().name}-nsgAppGw' params: { location: location resourceName: '${appgw_subnet_name}-${resourceName}' @@ -425,7 +425,7 @@ module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGro } module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) { - name: 'nsgBastion' + name: '${deployment().name}-nsgBastion' params: { location: location resourceName: '${bastion_subnet_name}-${resourceName}' @@ -446,7 +446,7 @@ module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) { } module nsgPrivateLinks 'nsg.bicep' = if(privateLinks && networkSecurityGroups) { - name: 'nsgPrivateLinks' + name: '${deployment().name}-nsgPrivateLinks' params: { location: location resourceName: '${private_link_subnet_name}-${resourceName}' diff --git a/bicep/nsg.bicep b/bicep/nsg.bicep index e90e57f5d..52768acf8 100644 --- a/bicep/nsg.bicep +++ b/bicep/nsg.bicep @@ -260,7 +260,7 @@ resource nsgDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = i param FlowLogStorageAccountId string = '' param FlowLogTrafficAnalytics bool = !empty(FlowLogStorageAccountId) module nsgFlow 'networkwatcherflowlog.bicep' = if(!empty(FlowLogStorageAccountId)) { - name: 'flow-${nsgName}' + name: '${deployment().name}-flow-${nsgName}' scope: resourceGroup('NetworkWatcherRG') params: { location:location From ec94555ea0fc7392d0704318fb423644df4806c0 Mon Sep 17 00:00:00 2001 
From: Gordon Byers Date: Fri, 13 Jan 2023 09:29:24 +0000 Subject: [PATCH 02/11] bumping acr import --- bicep/main.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bicep/main.bicep b/bicep/main.bicep index 2fd6a3f2a..94689756e 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep @@ -497,7 +497,7 @@ resource aks_acr_push 'Microsoft.Authorization/roleAssignments@2022-04-01' = if param imageNames array = [] -module acrImport 'br/public:deployment-scripts/import-acr:2.0.1' = if (!empty(registries_sku) && !empty(imageNames)) { +module acrImport 'br/public:deployment-scripts/import-acr:3.0.1' = if (!empty(registries_sku) && !empty(imageNames)) { name: '${deployment().name}-AcrImportMulti' params: { acrName: acr.name From 75cc3ba4ad34ee996b4ef067b3646241ea20a979 Mon Sep 17 00:00:00 2001 From: Gordon Byers Date: Fri, 13 Jan 2023 09:42:35 +0000 Subject: [PATCH 03/11] deployment name limit --- bicep/appgw.bicep | 2 +- bicep/dnsZoneRbac.bicep | 2 +- bicep/main.bicep | 30 +++++++++++++++--------------- bicep/network.bicep | 14 +++++++------- bicep/nsg.bicep | 2 +- 5 files changed, 25 insertions(+), 25 deletions(-) diff --git a/bicep/appgw.bicep b/bicep/appgw.bicep index 82c0e2a25..41de07ee7 100644 --- a/bicep/appgw.bicep +++ b/bicep/appgw.bicep @@ -25,7 +25,7 @@ resource appgwpip 'Microsoft.Network/publicIPAddresses@2020-07-01' = { var frontendPublicIpConfig = { properties: { publicIPAddress: { - id: '${appgwpip.id}' + id: appgwpip.id } } name: 'appGatewayFrontendIP' diff --git a/bicep/dnsZoneRbac.bicep b/bicep/dnsZoneRbac.bicep index 903760d48..4713c56e1 100644 --- a/bicep/dnsZoneRbac.bicep +++ b/bicep/dnsZoneRbac.bicep 
@@ -15,7 +15,7 @@ var dnsZoneName = !empty(dnsZoneId) ? split(dnsZoneId, '/')[8] : '' var isDnsZonePrivate = !empty(dnsZoneId) ? split(dnsZoneId, '/')[7] == 'privateDnsZones' : false module dnsZone './dnsZone.bicep' = if (!empty(dnsZoneId)) { - name: '${deployment().name}-dns-${dnsZoneName}' + name: take('${deployment().name}-dns-${dnsZoneName}',64) scope: resourceGroup(dnsZoneRg) params: { dnsZoneName: dnsZoneName diff --git a/bicep/main.bicep b/bicep/main.bicep index 4843fc3db..d2ff30263 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep @@ -49,7 +49,7 @@ resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = var existingAksVnetRG = !empty(byoAKSSubnetId) ? (length(split(byoAKSSubnetId, '/')) > 4 ? split(byoAKSSubnetId, '/')[4] : '') : '' module aksnetcontrib './aksnetcontrib.bicep' = if (!empty(byoAKSSubnetId) && createAksUai) { - name: '${deployment().name}-addAksNetContributor' + name: take('${deployment().name}-addAksNetContributor',64) scope: resourceGroup(existingAksVnetRG) params: { byoAKSSubnetId: byoAKSSubnetId @@ -115,7 +115,7 @@ param CreateNetworkSecurityGroups bool = false param CreateNetworkSecurityGroupFlowLogs bool = false module network './network.bicep' = if (custom_vnet) { - name: '${deployment().name}-network' + name: take('${deployment().name}-network',64) params: { resourceName: resourceName location: location @@ -165,7 +165,7 @@ param dnsZoneId string = '' var isDnsZonePrivate = !empty(dnsZoneId) ? split(dnsZoneId, '/')[7] == 'privateDnsZones' : false module dnsZone './dnsZoneRbac.bicep' = if (!empty(dnsZoneId)) { - name: '${deployment().name}-addDnsContributor' + name: take('${deployment().name}-addDnsContributor',64) params: { dnsZoneId: dnsZoneId vnetId: isDnsZonePrivate ? (!empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/subnets')[0] : (custom_vnet ? network.outputs.vnetId : '')) : '' 
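Review bot: `take(..., 64)` cuts from the end, so when `deployment().name` is long the part that distinguishes sibling modules is exactly what is lost: in main.bicep `keyvaultKmsRbacs-${resourceName}`, `keyvaultKmsRbac-waits-${resourceName}` and `keyvaultKmsKeys-${resourceName}`, and the `nsg*` modules in network.bicep, can then truncate to the same 64-character string and collide as nested deployment names in the resource group. Truncating the parent name rather than the whole string keeps the suffix intact, e.g. here `name: '${take(deployment().name, 64 - length('-dns-${dnsZoneName}'))}-dns-${dnsZoneName}'`, with the same shape at every `take(..., 64)` site in this commit. That is only safe while the suffix itself stays under 64 characters, which a `@maxLength` on `resourceName` would guarantee. Each module body continues outside its hunk.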
@@ -201,7 +201,7 @@ param keyVaultAksCSIPollInterval string = '2m' @description('Creates a KeyVault for application secrets (eg. CSI)') module kv 'keyvault.bicep' = if(keyVaultCreate) { - name: '${deployment().name}-keyvaultApps' + name: take('${deployment().name}-keyvaultApps',64) params: { resourceName: resourceName keyVaultPurgeProtection: keyVaultPurgeProtection @@ -223,7 +223,7 @@ var rbacSecretUserSps = union([deployAppGw && appgwKVIntegration ? appGwIdentity @description('A seperate module is used for RBAC to avoid delaying the KeyVault creation and causing a circular reference.') module kvRbac 'keyvaultrbac.bicep' = if (keyVaultCreate) { - name: '${deployment().name}-KeyVaultAppsRbac' + name: take('${deployment().name}-KeyVaultAppsRbac',64) params: { keyVaultName: keyVaultCreate ? kv.outputs.keyVaultName : '' @@ -272,7 +272,7 @@ resource kvKmsByo 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = if(! @description('Creates a new Key vault for a new KMS Key') module kvKms 'keyvault.bicep' = if(keyVaultKmsCreateAndPrereqs) { - name: '${deployment().name}-keyvaultKms-${resourceName}' + name: take('${deployment().name}-keyvaultKms-${resourceName}',64) params: { resourceName: 'kms${resourceName}' keyVaultPurgeProtection: keyVaultPurgeProtection @@ -284,7 +284,7 @@ module kvKms 'keyvault.bicep' = if(keyVaultKmsCreateAndPrereqs) { } module kvKmsCreatedRbac 'keyvaultrbac.bicep' = if(keyVaultKmsCreateAndPrereqs) { - name: '${deployment().name}-keyvaultKmsRbacs-${resourceName}' + name: take('${deployment().name}-keyvaultKmsRbacs-${resourceName}',64) params: { keyVaultName: keyVaultKmsCreate ? kvKms.outputs.keyVaultName : '' //We can't create a kms kv and key and do privatelink. Private Link is a BYO scenario 
@@ -307,7 +307,7 @@ module kvKmsCreatedRbac 'keyvaultrbac.bicep' = if(keyVaultKmsCreateAndPrereqs) { } module kvKmsByoRbac 'keyvaultrbac.bicep' = if(!empty(keyVaultKmsByoKeyId)) { - name: '${deployment().name}-keyvaultKmsByoRbacs-${resourceName}' + name: take('${deployment().name}-keyvaultKmsByoRbacs-${resourceName}',64) scope: resourceGroup(keyVaultKmsByoRG) params: { keyVaultName: kvKmsByo.name @@ -324,7 +324,7 @@ module kvKmsByoRbac 'keyvaultrbac.bicep' = if(!empty(keyVaultKmsByoKeyId)) { @description('It can take time for the RBAC to propagate, this delays the deployment to avoid this problem') module waitForKmsRbac 'br/public:deployment-scripts/wait:1.0.1' = if(keyVaultKmsCreateAndPrereqs && kmsRbacWaitSeconds>0) { - name: '${deployment().name}-keyvaultKmsRbac-waits-${resourceName}' + name: take('${deployment().name}-keyvaultKmsRbac-waits-${resourceName}',64) params: { waitSeconds: kmsRbacWaitSeconds location: location @@ -336,7 +336,7 @@ module waitForKmsRbac 'br/public:deployment-scripts/wait:1.0.1' = if(keyVaultKms @description('Adding a key to the keyvault... We can only do this for public key vaults') module kvKmsKey 'keyvaultkey.bicep' = if(keyVaultKmsCreateAndPrereqs) { - name: '${deployment().name}-keyvaultKmsKeys-${resourceName}' + name: take('${deployment().name}-keyvaultKmsKeys-${resourceName}',64) params: { keyVaultName: keyVaultKmsCreateAndPrereqs ? kvKms.outputs.keyVaultName : '' } 
@@ -458,7 +458,7 @@ resource acrDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = i //resource acrPool 'Microsoft.ContainerRegistry/registries/agentPools@2019-06-01-preview' = if (custom_vnet && (!empty(registries_sku)) && privateLinks && acrPrivatePool) { module acrPool 'acragentpool.bicep' = if (custom_vnet && (!empty(registries_sku)) && privateLinks && acrPrivatePool) { - name: '${deployment().name}-acrprivatepool' + name: take('${deployment().name}-acrprivatepool',64) params: { acrName: acr.name acrPoolSubnetId: custom_vnet ? network.outputs.acrPoolSubnetId : '' @@ -498,7 +498,7 @@ resource aks_acr_push 'Microsoft.Authorization/roleAssignments@2022-04-01' = if param imageNames array = [] module acrImport 'br/public:deployment-scripts/import-acr:3.0.1' = if (!empty(registries_sku) && !empty(imageNames)) { - name: '${deployment().name}-AcrImportMulti' + name: take('${deployment().name}-AcrImport',64) params: { acrName: acr.name location: location @@ -538,7 +538,7 @@ param certManagerFW bool = false param azureFirewallSku string = 'Standard' module firewall './firewall.bicep' = if (azureFirewalls && custom_vnet) { - name: '${deployment().name}-firewall' + name: take('${deployment().name}-firewall',64) params: { resourceName: resourceName location: location @@ -1328,7 +1328,7 @@ output aksResourceId string = aks.id @description('Not giving Rbac at the vnet level when using private dns results in ReconcilePrivateDNS. Therefore we need to upgrade the scope when private dns is being used, because it wants to set up the dns->vnet integration.') var uaiNetworkScopeRbac = enablePrivateCluster && !empty(dnsApiPrivateZoneId) ? 'Vnet' : 'Subnet' module privateDnsZoneRbac './dnsZoneRbac.bicep' = if (enablePrivateCluster && !empty(dnsApiPrivateZoneId) && createAksUai) { - name: '${deployment().name}-addPrivateK8sApiDnsContributor' + name: take('${deployment().name}-addPrivateK8sApiDnsContributor',64) params: { vnetId: '' dnsZoneId: dnsApiPrivateZoneId 
@@ -1485,7 +1485,7 @@ var AlertFrequencyLookup = { var AlertFrequency = AlertFrequencyLookup[AksMetricAlertMetricFrequencyModel] module aksmetricalerts './aksmetricalerts.bicep' = if (createLaw) { - name: '${deployment().name}-aksmetricalerts' + name: take('${deployment().name}-aksmetricalerts',64) scope: resourceGroup() params: { clusterName: aks.name diff --git a/bicep/network.bicep b/bicep/network.bicep index e1e6a8057..eec6304eb 100644 --- a/bicep/network.bicep +++ b/bicep/network.bicep @@ -95,7 +95,7 @@ var fw_subnet = { /// ---- Firewall VNET config module calcAzFwIp './calcAzFwIp.bicep' = if (azureFirewalls) { - name: '${deployment().name}-calcAzFwIp' + name: take('${deployment().name}-calcAzFwIp',64) params: { vnetFirewallSubnetAddressPrefix: vnetFirewallSubnetAddressPrefix } @@ -183,7 +183,7 @@ output appGwSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subn output privateLinkSubnetId string = resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, private_link_subnet_name) module aks_vnet_con 'networksubnetrbac.bicep' = if (!empty(aksPrincipleId)) { - name: '${deployment().name}-subnetRbac' + name: take('${deployment().name}-subnetRbac',64) params: { servicePrincipalId: aksPrincipleId subnetName: aks_subnet_name @@ -374,7 +374,7 @@ resource flowLogStor 'Microsoft.Storage/storageAccounts@2021-08-01' = if(CreateN //NSG's module nsgAks 'nsg.bicep' = if(networkSecurityGroups) { - name: '${deployment().name}-nsgAks' + name: take('${deployment().name}-nsgAks',64) params: { location: location resourceName: '${aks_subnet_name}-${resourceName}' @@ -389,7 +389,7 @@ module nsgAks 'nsg.bicep' = if(networkSecurityGroups) { } module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) { - name: '${deployment().name}-nsgAcrPool' + name: take('${deployment().name}-nsgAcrPool',64) params: { location: location resourceName: '${acrpool_subnet_name}-${resourceName}' 
@@ -404,7 +404,7 @@ module nsgAcrPool 'nsg.bicep' = if(acrPrivatePool && networkSecurityGroups) { } module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGroups) { - name: '${deployment().name}-nsgAppGw' + name: take('${deployment().name}-nsgAppGw',64) params: { location: location resourceName: '${appgw_subnet_name}-${resourceName}' @@ -425,7 +425,7 @@ module nsgAppGw 'nsg.bicep' = if(ingressApplicationGateway && networkSecurityGro } module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) { - name: '${deployment().name}-nsgBastion' + name: take('${deployment().name}-nsgBastion',64) params: { location: location resourceName: '${bastion_subnet_name}-${resourceName}' @@ -446,7 +446,7 @@ module nsgBastion 'nsg.bicep' = if(bastion && networkSecurityGroups) { } module nsgPrivateLinks 'nsg.bicep' = if(privateLinks && networkSecurityGroups) { - name: '${deployment().name}-nsgPrivateLinks' + name: take('${deployment().name}-nsgPrivateLinks',64) params: { location: location resourceName: '${private_link_subnet_name}-${resourceName}' diff --git a/bicep/nsg.bicep b/bicep/nsg.bicep index 52768acf8..2c591c47b 100644 --- a/bicep/nsg.bicep +++ b/bicep/nsg.bicep @@ -260,7 +260,7 @@ resource nsgDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = i param FlowLogStorageAccountId string = '' param FlowLogTrafficAnalytics bool = !empty(FlowLogStorageAccountId) module nsgFlow 'networkwatcherflowlog.bicep' = if(!empty(FlowLogStorageAccountId)) { - name: '${deployment().name}-flow-${nsgName}' + name: take('${deployment().name}-flow-${nsgName}',64) scope: resourceGroup('NetworkWatcherRG') params: { location:location From 3cf923eff53dada4997159a83e128cf4d6010093 Mon Sep 17 00:00:00 2001 From: Gordon Byers Date: Fri, 13 Jan 2023 09:45:57 +0000 Subject: [PATCH 04/11] better string trimming. --- bicep/keyvault.bicep | 3 +-- bicep/network.bicep | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) 
diff --git a/bicep/keyvault.bicep b/bicep/keyvault.bicep index 3a6283f3d..37b7e4520 100644 --- a/bicep/keyvault.bicep +++ b/bicep/keyvault.bicep @@ -21,8 +21,7 @@ param keyVaultIPAllowlist array = [] param logAnalyticsWorkspaceId string = '' -var akvRawName = 'kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}' -var akvName = length(akvRawName) > 24 ? substring(akvRawName, 0, 24) : akvRawName +var akvName = take('kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}',24) var kvIPRules = [for kvIp in keyVaultIPAllowlist: { value: kvIp diff --git a/bicep/network.bicep b/bicep/network.bicep index eec6304eb..587aa90d8 100644 --- a/bicep/network.bicep +++ b/bicep/network.bicep @@ -358,8 +358,7 @@ resource log 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = if param CreateNsgFlowLogs bool = false -var flowLogStorageRawName = replace(toLower('stflow${resourceName}${uniqueString(resourceGroup().id, resourceName)}'),'-','') -var flowLogStorageName = length(flowLogStorageRawName) > 24 ? substring(flowLogStorageRawName, 0, 24) : flowLogStorageRawName +var flowLogStorageName = take(replace(toLower('stflow${resourceName}${uniqueString(resourceGroup().id, resourceName)}'),'-',''),24) resource flowLogStor 'Microsoft.Storage/storageAccounts@2021-08-01' = if(CreateNsgFlowLogs && networkSecurityGroups) { name: flowLogStorageName kind: 'StorageV2' From 9c04e61cceed6c9f9cb5d8df3448e7d2f65c0362 Mon Sep 17 00:00:00 2001 From: Gordon Byers Date: Fri, 13 Jan 2023 09:58:38 +0000 Subject: [PATCH 05/11] descriptive managed id name --- bicep/main.bicep | 1 + 1 file changed, 1 insertion(+) diff --git a/bicep/main.bicep b/bicep/main.bicep index d2ff30263..7d780263d 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep 
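Review bot: `take(..., 24)` on the whole string means a long `resourceName` pushes the 13-character `uniqueString(...)` past the cut, leaving `akvName` as `kv-` plus the start of `resourceName`, which is no longer unique across resource groups and subscriptions for a globally unique vault name; `flowLogStorageName` in network.bicep below has the same problem, and storage account names are global too. Truncate the caller-supplied part instead so the hash always survives: `var akvName = take('kv-${take(replace(resourceName, '-', ''), 8)}${uniqueString(resourceGroup().id, resourceName)}', 24)` and `var flowLogStorageName = take(replace(toLower('stflow${take(resourceName, 5)}${uniqueString(resourceGroup().id, resourceName)}'), '-', ''), 24)`. The removed `substring` lines had the same cut, so this is inherited rather than introduced by the rewrite.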
@@ -503,6 +503,7 @@ module acrImport 'br/public:deployment-scripts/import-acr:3.0.1' = if (!empty(re acrName: acr.name location: location images: imageNames + managedIdentityName: 'id-acrImport-${resourceName}-${location}' } } From e77cffde8c5da9414ffd8f0ce79f23d381ef4da4 Mon Sep 17 00:00:00 2001 From: Gordon Byers Date: Mon, 16 Jan 2023 11:37:53 +0000 Subject: [PATCH 06/11] bumping k8s version --- .github/workflows_dep/regressionparams/edgeK8sVersion.json | 2 +- bicep/main.bicep | 2 +- helper/src/config.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows_dep/regressionparams/edgeK8sVersion.json b/.github/workflows_dep/regressionparams/edgeK8sVersion.json index 0f2924c18..949cb71a7 100644 --- a/.github/workflows_dep/regressionparams/edgeK8sVersion.json +++ b/.github/workflows_dep/regressionparams/edgeK8sVersion.json @@ -9,7 +9,7 @@ "value": "Standard_DS3_v2" }, "kubernetesVersion": { - "value": "1.23.5" + "value": "1.25.4" }, "custom_vnet": { "value": true diff --git a/bicep/main.bicep b/bicep/main.bicep index 7d780263d..481e9fb20 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep @@ -832,7 +832,7 @@ output ApplicationGatewayName string = deployAppGw ? appgw.name : '' param dnsPrefix string = '${resourceName}-dns' @description('Kubernetes Version') -param kubernetesVersion string = '1.23.12' +param kubernetesVersion string = '1.24.6' @description('Enable Azure AD integration on AKS') param enable_aad bool = false diff --git a/helper/src/config.json b/helper/src/config.json index a7092e081..f511442eb 100644 --- a/helper/src/config.json +++ b/helper/src/config.json @@ -9,7 +9,7 @@ "defaults": { "deploy": { "enableTelemetry": true, - "kubernetesVersion": "1.23.12", + "kubernetesVersion": "1.24.6", "location": "WestEurope", "apiips": "", "demoapp": false, From 47b8ce6d974a0968285e69a4a7232701d7c427fe Mon Sep 17 00:00:00 2001 
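Review bot: `managedIdentityName` is assembled from two caller-supplied values with no length or character guard; user-assigned identity names are limited to 3–128 characters of letters, digits, hyphens and underscores, so a long `resourceName`, or a `location` supplied in display form with a space, would only fail late inside the `import-acr` module's deployment. Bounding it here is cheap: `managedIdentityName: take('id-acrImport-${resourceName}-${toLower(replace(location, ' ', ''))}', 128)`. Whether version `3.0.1` of the module validates the name itself cannot be seen from here, and the `acrImport` module declaration starts outside the hunk.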
From: Gordon Byers Date: Mon, 6 Mar 2023 11:23:19 +0000 Subject: [PATCH 07/11] api version bumps --- bicep/acragentpool.bicep | 2 +- bicep/aksnetcontrib.bicep | 8 ++++---- bicep/bicepconfig.json | 4 ++++ bicep/dnsZone.bicep | 4 ++-- bicep/firewall.bicep | 4 ++-- bicep/keyvault.bicep | 2 +- bicep/keyvaultkey.bicep | 4 ++-- bicep/keyvaultrbac.bicep | 2 +- bicep/main.bicep | 16 ++++++++-------- bicep/network.bicep | 4 ++-- bicep/nsg.bicep | 22 +++++++++++----------- 11 files changed, 38 insertions(+), 34 deletions(-) diff --git a/bicep/acragentpool.bicep b/bicep/acragentpool.bicep index 4bba2c434..2b45b0e65 100644 --- a/bicep/acragentpool.bicep +++ b/bicep/acragentpool.bicep @@ -2,7 +2,7 @@ param location string = resourceGroup().location param acrName string param acrPoolSubnetId string = '' -resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' existing = { +resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = { name: acrName } diff --git a/bicep/aksnetcontrib.bicep b/bicep/aksnetcontrib.bicep index bae871c89..488318c24 100644 --- a/bicep/aksnetcontrib.bicep +++ b/bicep/aksnetcontrib.bicep 
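Review bot: The `acr` reference lands on another preview API (`registries@2023-01-01-preview`) rather than a GA one, and so do `registries@2023-01-01-preview` in main.bicep's `@@ -393` hunk and `managedClusters@2022-11-02-preview` in its `@@ -1281` hunk, while the rest of the commit moves to GA versions; preview versions can be withdrawn or change schema without notice, so they deserve an explicit justification. If a preview-only property in `aksProperties` or on the registry forces the pin, a one-line comment above each resource naming it would stop the next bump from regressing it, e.g. `// preview API kept for <property> — move to GA once available`. The `acr` resource here is an `existing` reference, so the schema pin matters less for it than for the resources main.bicep creates.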
@@ -15,15 +15,15 @@ var networkContributorRole = subscriptionResourceId('Microsoft.Authorization/rol var existingAksSubnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[10] : '' var existingAksVnetName = !empty(byoAKSSubnetId) ? split(byoAKSSubnetId, '/')[8] : '' -resource existingvnet 'Microsoft.Network/virtualNetworks@2021-02-01' existing = { +resource existingvnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = { name: existingAksVnetName } -resource existingAksSubnet 'Microsoft.Network/virtualNetworks/subnets@2020-08-01' existing = { +resource existingAksSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' existing = { parent: existingvnet name: existingAksSubnetName } -resource subnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (rbacAssignmentScope == 'subnet') { +resource subnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope == 'subnet') { name: guid(user_identity_principalId, networkContributorRole, existingAksSubnetName) scope: existingAksSubnet properties: { @@ -33,7 +33,7 @@ resource subnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' } } -resource existingVnetRbac 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (rbacAssignmentScope != 'subnet') { +resource existingVnetRbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (rbacAssignmentScope != 'subnet') { name: guid(user_identity_principalId, networkContributorRole, existingAksVnetName) scope: existingvnet properties: { diff --git a/bicep/bicepconfig.json b/bicep/bicepconfig.json index a4efe8882..eac32d5e8 100644 --- a/bicep/bicepconfig.json +++ b/bicep/bicepconfig.json @@ -1,9 +1,13 @@ + { "analyzers": { "core": { "enabled": true, "verbose": false, "rules": { + "use-recent-api-versions" : { + "level": "warning" + }, "no-hardcoded-location" : { "level": "error" }, diff --git a/bicep/dnsZone.bicep b/bicep/dnsZone.bicep index 2f678304c..82cc6547c 100644 
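Review bot: The first added line of the bicepconfig.json hunk is an empty line before the opening `{` (the `@@ -1,9 +1,13 @@` counts confirm three lines of rule plus one blank), which looks accidental and is better dropped so the file still starts at `{`. The rule itself is fine; note that `use-recent-api-versions` at `warning` does not fail `bicep build`, so an old version that slips back in will only show up in linter output.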
--- a/bicep/dnsZone.bicep +++ b/bicep/dnsZone.bicep @@ -12,7 +12,7 @@ resource privateDns 'Microsoft.Network/privateDnsZones@2020-06-01' existing = if } var DNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314') -resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (!isPrivate) { +resource dnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!isPrivate) { scope: dns name: guid(dns.id, principalId, DNSZoneContributor) properties: { @@ -23,7 +23,7 @@ resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-prev } var PrivateDNSZoneContributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') -resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (isPrivate) { +resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (isPrivate) { scope: privateDns name: guid(privateDns.id, principalId, PrivateDNSZoneContributor) properties: { diff --git a/bicep/firewall.bicep b/bicep/firewall.bicep index 2fd934ce6..b2bf15bed 100644 --- a/bicep/firewall.bicep +++ b/bicep/firewall.bicep @@ -25,7 +25,7 @@ var managementIpConfig = { } } -resource fw_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = { +resource fw_pip 'Microsoft.Network/publicIPAddresses@2022-07-01' = { name: firewallPublicIpName location: location sku: { @@ -38,7 +38,7 @@ resource fw_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = { } } -resource fwManagementIp_pip 'Microsoft.Network/publicIPAddresses@2021-03-01' = if(fwSku=='Basic') { +resource fwManagementIp_pip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if(fwSku=='Basic') { name: firewallManagementPublicIpName location: location sku: { diff --git a/bicep/keyvault.bicep b/bicep/keyvault.bicep index 37b7e4520..722326910 100644 --- a/bicep/keyvault.bicep 
+++ b/bicep/keyvault.bicep @@ -27,7 +27,7 @@ var kvIPRules = [for kvIp in keyVaultIPAllowlist: { value: kvIp }] -resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = { +resource kv 'Microsoft.KeyVault/vaults@2022-07-01' = { name: akvName location: location properties: { diff --git a/bicep/keyvaultkey.bicep b/bicep/keyvaultkey.bicep index f00bf6701..c564cfbba 100644 --- a/bicep/keyvaultkey.bicep +++ b/bicep/keyvaultkey.bicep @@ -1,10 +1,10 @@ param keyVaultName string -resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = { +resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = { name: keyVaultName } -resource kvKmsKey 'Microsoft.KeyVault/vaults/keys@2021-11-01-preview' = { +resource kvKmsKey 'Microsoft.KeyVault/vaults/keys@2022-07-01' = { name: 'kmskey' parent: kv properties: { diff --git a/bicep/keyvaultrbac.bicep b/bicep/keyvaultrbac.bicep index 6ef65dd1e..eeae10120 100644 --- a/bicep/keyvaultrbac.bicep +++ b/bicep/keyvaultrbac.bicep @@ -48,7 +48,7 @@ var keyVaultCryptoUserRole = subscriptionResourceId('Microsoft.Authorization/rol var keyVaultCryptoOfficerRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '14b46e9e-c2b7-41b4-b07b-48a6ebf60603') var keyVaultCryptoServiceEncrpytionRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions','e147488a-f6f5-4113-8e2d-b22465e65bf6') -resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = { +resource kv 'Microsoft.KeyVault/vaults@2022-07-01' existing = { name: keyVaultName } diff --git a/bicep/main.bicep b/bicep/main.bicep index 852957ace..c9c2e494a 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep 
@@ -266,7 +266,7 @@ var kmsRbacWaitSeconds=30
 @description('This indicates if the deploying user has provided their PrincipalId in order for the key to be created')
 var keyVaultKmsCreateAndPrereqs = keyVaultKmsCreate && !empty(keyVaultKmsOfficerRolePrincipalId) && privateLinks == false
-resource kvKmsByo 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = if(!empty(keyVaultKmsByoName)) {
+resource kvKmsByo 'Microsoft.KeyVault/vaults@2022-07-01' existing = if(!empty(keyVaultKmsByoName)) {
 name: keyVaultKmsByoName
 scope: resourceGroup(keyVaultKmsByoRG)
 }
@@ -393,7 +393,7 @@ param acrUntaggedRetentionPolicy int = 30
 var acrName = 'cr${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}'
-resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' = if (!empty(registries_sku)) {
+resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = if (!empty(registries_sku)) {
 name: acrName
 location: location
 sku: {
@@ -605,7 +605,7 @@ resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11
 var appgwName = 'agw-${resourceName}'
 var appgwResourceId = deployAppGw ? resourceId('Microsoft.Network/applicationGateways', '${appgwName}') : ''
-resource appgwpip 'Microsoft.Network/publicIPAddresses@2021-02-01' = if (deployAppGw) {
+resource appgwpip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if (deployAppGw) {
 name: 'pip-agw-${resourceName}'
 location: location
 sku: {
@@ -743,7 +743,7 @@ var appgwProperties = union({
 } : {})
 // 'identity' is always set until this is fixed: https://github.com/Azure/bicep/issues/387#issuecomment-885671296
-resource appgw 'Microsoft.Network/applicationGateways@2021-02-01' = if (deployAppGw) {
+resource appgw 'Microsoft.Network/applicationGateways@2022-07-01' = if (deployAppGw) {
 name: appgwName
 location: location
 zones: !empty(availabilityZones) ? availabilityZones : []
@@ -1281,7 +1281,7 @@ defenderForContainers && createLaw ? azureDefenderSecurityProfile : {},
 keyVaultKmsCreateAndPrereqs || !empty(keyVaultKmsByoKeyId) ? azureKeyVaultKms : {}
 )
-resource aks 'Microsoft.ContainerService/managedClusters@2022-10-02-preview' = {
+resource aks 'Microsoft.ContainerService/managedClusters@2022-11-02-preview' = {
 name: 'aks-${resourceName}'
 location: location
 properties: aksProperties
@@ -1357,7 +1357,7 @@ module privateDnsZoneRbac './dnsZoneRbac.bicep' = if (enablePrivateCluster && !e
 var policySetBaseline = '/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d'
 var policySetRestrictive = '/providers/Microsoft.Authorization/policySetDefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00'
-resource aks_policies 'Microsoft.Authorization/policyAssignments@2020-09-01' = if (!empty(azurepolicy)) {
+resource aks_policies 'Microsoft.Authorization/policyAssignments@2022-06-01' = if (!empty(azurepolicy)) {
 name: '${resourceName}-${azurePolicyInitiative}'
 location: location
 properties: {
@@ -1402,7 +1402,7 @@ resource aks_admin_role_assignment 'Microsoft.Authorization/roleAssignments@2022
 param fluxGitOpsAddon bool = false
-resource fluxAddon 'Microsoft.KubernetesConfiguration/extensions@2022-04-02-preview' = if(fluxGitOpsAddon) {
+resource fluxAddon 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = if(fluxGitOpsAddon) {
 name: 'flux'
 scope: aks
 properties: {
@@ -1425,7 +1425,7 @@ param daprAddon bool = false
 @description('Enable high availability (HA) mode for the Dapr control plane')
 param daprAddonHA bool = false
-resource daprExtension 'Microsoft.KubernetesConfiguration/extensions@2022-04-02-preview' = if(daprAddon) {
+resource daprExtension 'Microsoft.KubernetesConfiguration/extensions@2022-11-01' = if(daprAddon) {
 name: 'dapr'
 scope: aks
 properties: {
diff --git a/bicep/network.bicep b/bicep/network.bicep
index 28cf7cdf3..252f715b3 100644
--- a/bicep/network.bicep
+++ b/bicep/network.bicep
@@ -174,7 +174,7 @@ var subnets = union(
 output debugSubnets array = subnets
 var vnetName = 'vnet-${resourceName}'
-resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
+resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
 name: vnetName
 location: location
 properties: {
@@ -328,7 +328,7 @@ var publicIpAddressName = 'pip-${bastionHostName}'
 ])
 param bastionSku string = 'Standard'
-resource bastionPip 'Microsoft.Network/publicIPAddresses@2021-03-01' = if(bastion) {
+resource bastionPip 'Microsoft.Network/publicIPAddresses@2022-07-01' = if(bastion) {
 name: publicIpAddressName
 location: location
 sku: {
diff --git a/bicep/nsg.bicep b/bicep/nsg.bicep
index 2c591c47b..b5501ea02 100644
--- a/bicep/nsg.bicep
+++ b/bicep/nsg.bicep
@@ -14,7 +14,7 @@ output nsgId string = nsg.id
 param ruleInAllowGwManagement bool = false
 param ruleInGwManagementPort string = '443,65200-65535'
-resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowGwManagement) {
+resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowGwManagement) {
 parent: nsg
 name: 'Allow_AppGatewayManagement'
 properties: {
@@ -30,7 +30,7 @@ resource ruleAppGwManagement 'Microsoft.Network/networkSecurityGroups/securityRu
 }
 param ruleInAllowAzureLoadBalancer bool = false
-resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if (ruleInAllowAzureLoadBalancer) {
+resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if (ruleInAllowAzureLoadBalancer) {
 parent: nsg
 name: 'Allow_AzureLoadBalancer'
 properties: {
@@ -50,7 +50,7 @@ resource ruleAzureLoadBalancer 'Microsoft.Network/networkSecurityGroups/security
 }
 param ruleInDenyInternet bool = false
-resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInDenyInternet) {
+resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInDenyInternet) {
 parent: nsg
 name: 'Deny_AllInboundInternet'
 properties: {
@@ -71,7 +71,7 @@ resource ruleDenyInternet 'Microsoft.Network/networkSecurityGroups/securityRules
 }
 param ruleInAllowInternetHttp bool = false
-resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowInternetHttp) {
+resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowInternetHttp) {
 parent: nsg
 name: 'Allow_Internet_Http'
 properties: {
@@ -92,7 +92,7 @@ resource ruleInternetHttp 'Microsoft.Network/networkSecurityGroups/securityRules
 }
 param ruleInAllowInternetHttps bool = false
-resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowInternetHttps) {
+resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowInternetHttps) {
 parent: nsg
 name: 'Allow_Internet_Https'
 properties: {
@@ -113,7 +113,7 @@ resource ruleInternetHttps 'Microsoft.Network/networkSecurityGroups/securityRule
 }
 param ruleInAllowBastionHostComms bool = false
-resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInAllowBastionHostComms) {
+resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInAllowBastionHostComms) {
 parent: nsg
 name: 'Allow_Bastion_Host_Communication'
 properties: {
@@ -135,7 +135,7 @@ resource ruleBastionHost 'Microsoft.Network/networkSecurityGroups/securityRules@
 }
 param ruleOutAllowBastionComms bool = false
-resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
+resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
 parent: nsg
 name: 'Allow_SshRdp_Outbound'
 properties: {
@@ -156,7 +156,7 @@ resource ruleBastionEgressSshRdp 'Microsoft.Network/networkSecurityGroups/securi
 }
 }
-resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
+resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
 parent: nsg
 name: 'Allow_Azure_Cloud_Outbound'
 properties: {
@@ -176,7 +176,7 @@ resource ruleBastionEgressAzure 'Microsoft.Network/networkSecurityGroups/securit
 }
 }
-resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
+resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
 parent: nsg
 name: 'Allow_Bastion_Communication'
 properties: {
@@ -197,7 +197,7 @@ resource ruleBastionEgressBastionComms 'Microsoft.Network/networkSecurityGroups/
 }
 }
-resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleOutAllowBastionComms) {
+resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleOutAllowBastionComms) {
 parent: nsg
 name: 'Allow_Get_Session_Info'
 properties: {
@@ -218,7 +218,7 @@ resource ruleBastionEgressSessionInfo 'Microsoft.Network/networkSecurityGroups/s
 }
 param ruleInDenySsh bool = false
-resource ruleSshIngressDeny 'Microsoft.Network/networkSecurityGroups/securityRules@2020-11-01' = if(ruleInDenySsh) {
+resource ruleSshIngressDeny 'Microsoft.Network/networkSecurityGroups/securityRules@2022-07-01' = if(ruleInDenySsh) {
 parent: nsg
 name: 'DenySshInbound'
 properties: {
From bfdab9e193d39839c4134b8e63946a679cb6db51 Mon Sep 17 00:00:00 2001
From: Gordon Byers
Date: Wed, 8 Mar 2023 16:11:57 +0000
Subject: [PATCH 08/11] linter warnings
---
 bicep/aksagentpool.bicep | 6 +++---
 bicep/keyvault.bicep | 2 +-
 bicep/main.bicep | 8 ++++----
 bicep/networkwatcherflowlog.bicep | 3 ++-
 4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/bicep/aksagentpool.bicep b/bicep/aksagentpool.bicep
index 100992aaf..fae38e2f1 100644
--- a/bicep/aksagentpool.bicep
+++ b/bicep/aksagentpool.bicep
@@ -59,8 +59,8 @@ resource userNodepool 'Microsoft.ContainerService/managedClusters/agentPools@202
 mode: 'User'
 vmSize: agentVMSize
 count: agentCount
- minCount: autoScale ? agentCount : json('null')
- maxCount: autoScale ? agentCountMax : json('null')
+ minCount: autoScale ? agentCount : null
+ maxCount: autoScale ? agentCountMax : null
 enableAutoScaling: autoScale
 availabilityZones: !empty(availabilityZones) ? availabilityZones : null
 osDiskType: osDiskType
@@ -69,7 +69,7 @@ resource userNodepool 'Microsoft.ContainerService/managedClusters/agentPools@202
 osType: osType
 maxPods: maxPods
 type: 'VirtualMachineScaleSets'
- vnetSubnetID: !empty(subnetId) ? subnetId : json('null')
+ vnetSubnetID: !empty(subnetId) ? subnetId : null
 upgradeSettings: {
 maxSurge: '33%'
 }
diff --git a/bicep/keyvault.bicep b/bicep/keyvault.bicep
index 722326910..2ba5b82aa 100644
--- a/bicep/keyvault.bicep
+++ b/bicep/keyvault.bicep
@@ -51,7 +51,7 @@ resource kv 'Microsoft.KeyVault/vaults@2022-07-01' = {
 enabledForDiskEncryption: false
 enabledForTemplateDeployment: false
 enableSoftDelete: keyVaultSoftDelete
- enablePurgeProtection: keyVaultPurgeProtection ? true : json('null')
+ enablePurgeProtection: keyVaultPurgeProtection ? true : null
 }
 }
diff --git a/bicep/main.bicep b/bicep/main.bicep
index c9c2e494a..a28525e67 100644
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@@ -40,7 +40,7 @@ param byoAGWSubnetId string = ''
 //--- Custom, BYO networking and PrivateApiZones requires BYO AKS User Identity
 var createAksUai = custom_vnet || !empty(byoAKSSubnetId) || !empty(dnsApiPrivateZoneId) || keyVaultKmsCreateAndPrereqs || !empty(keyVaultKmsByoKeyId)
-resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = if (createAksUai) {
+resource aksUai 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (createAksUai) {
 name: 'id-aks-${resourceName}'
 location: location
 }
@@ -409,7 +409,7 @@ resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = if (!
 retentionPolicy: acrUntaggedRetentionPolicyEnabled ? {
 status: 'enabled'
 days: acrUntaggedRetentionPolicy
- } : json('null')
+ } : null
 }
 publicNetworkAccess: privateLinks /* && empty(acrIPWhitelist)*/ ? 'Disabled' : 'Enabled'
 zoneRedundancy: acrZoneRedundancyEnabled
@@ -597,7 +597,7 @@ var appGWenableWafFirewall = appGWsku=='Standard_v2' ? false : appGWenableFirewa
 // If integrating App Gateway with KeyVault, create a Identity App Gateway will use to access keyvault
 // 'identity' is always created (adding: "|| deployAppGw") until this is fixed:
 // https://github.com/Azure/bicep/issues/387#issuecomment-885671296
-resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = if (deployAppGw) {
+resource appGwIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = if (deployAppGw) {
 name: 'id-appgw-${resourceName}'
 location: location
 }
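Review bot: The `null` on the added `enablePurgeProtection` line is load-bearing and deserves a comment, because it omits the property rather than sending an explicit `false`, which leaves a new vault without purge protection by default. As far as I recall the Key Vault API does not accept `enablePurgeProtection: false` and purge protection cannot be switched off once enabled, so a later "tidy-up" to `: false` would break the deployment rather than clarify it. I would add `// null omits the property: the API rejects an explicit false, and purge protection cannot be disabled once set` above that line. The vault resource's declaration and the `keyVaultPurgeProtection` param are outside this hunk.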
@@ -1114,7 +1114,7 @@ var systemPoolBase = {
 osType: 'Linux'
 maxPods: 30
 type: 'VirtualMachineScaleSets'
- vnetSubnetID: !empty(aksSubnetId) ? aksSubnetId : json('null')
+ vnetSubnetID: !empty(aksSubnetId) ? aksSubnetId : null
 upgradeSettings: {
 maxSurge: '33%'
 }
diff --git a/bicep/networkwatcherflowlog.bicep b/bicep/networkwatcherflowlog.bicep
index 8c77e80d9..c8b1e018a 100644
--- a/bicep/networkwatcherflowlog.bicep
+++ b/bicep/networkwatcherflowlog.bicep
@@ -19,7 +19,8 @@ resource networkWatcher 'Microsoft.Network/networkWatchers@2022-01-01' = {
 }
 resource nsgFlowLogs 'Microsoft.Network/networkWatchers/flowLogs@2021-05-01' = {
- name: '${networkWatcher.name}/${name}'
+ name: name
+ parent: networkWatcher
 location: location
 properties: {
 targetResourceId: nsgId
From d1ff9e6aaa9333c71ab03661146ea1170d8a857c Mon Sep 17 00:00:00 2001
From: Gordon Byers
Date: Wed, 8 Mar 2023 16:27:46 +0000
Subject: [PATCH 09/11] ContainerLogV2 parent
---
 bicep/main.bicep | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bicep/main.bicep b/bicep/main.bicep
index a28525e67..790943a26 100644
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@@ -1545,7 +1545,8 @@ resource aks_law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = if (cre
 resource containerLogsV2_Basiclogs 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = if(containerLogsV2BasicLogs){
- name: '${aks_law_name}/ContainerLogV2'
+ name: 'ContainerLogV2'
+ parent: aks_law
 properties: {
 plan: 'Basic'
 }
From b9d077f8edf4d43cc384cbf7d09254f7e7e35edf Mon Sep 17 00:00:00 2001
From: Gordon Byers
Date: Wed, 15 Mar 2023 12:09:55 +0000
Subject: [PATCH 10/11] adding v2configmap to gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index a17bfd999..20050abeb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,4 @@ bicep/main.json
 helper/localsite.html
 helper/prodsite.html
 helper/build/**
+container-azm-ms-agentconfig.yaml
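Review bot: `parent: aks_law` now ties this table to a resource that is itself conditional (`aks_law` is declared `= if (cre…`, truncated in the hunk header), while the table stays gated only on `containerLogsV2BasicLogs`; the two conditions are not aligned. The removed string name `'${aks_law_name}/ContainerLogV2'` had the same dependency in practice, but the explicit `parent` makes it visible and is the natural place to fix it, since a deployment with `containerLogsV2BasicLogs` true and the workspace condition false has no parent for this child. If the workspace condition is `createLaw`, as its use elsewhere in main.bicep suggests, I would change the declaration line to `= if(containerLogsV2BasicLogs && createLaw){`. The `aks_law` declaration and the `createLaw`/`containerLogsV2BasicLogs` params are outside this hunk, so the exact condition should be confirmed there.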
From ad9aafe000e28376bc84c9889b38b383211ec200 Mon Sep 17 00:00:00 2001
From: Gordon Byers
Date: Wed, 15 Mar 2023 12:19:13 +0000
Subject: [PATCH 11/11] requestRoutingRule priority
---
 bicep/main.bicep | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bicep/main.bicep b/bicep/main.bicep
index 790943a26..f355b116c 100644
--- a/bicep/main.bicep
+++ b/bicep/main.bicep
@@ -723,6 +723,7 @@ var appgwProperties = union({
 name: 'appGwRoutingRuleName'
 properties: {
 ruleType: 'Basic'
+ priority: '1'
 httpListener: {
 id: '${appgwResourceId}/httpListeners/hlisten'
 }
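Review bot: `priority: '1'` sets the routing-rule priority as a string, but the Application Gateway schema defines `requestRoutingRules[].properties.priority` as an integer, so this should read `priority: 1`. Because `appgwProperties` is assembled with `union(…)` (visible in the hunk header) Bicep treats it as an untyped object and its type checker will not flag the mismatch, so the problem would only surface at deployment time, if the service does not silently coerce it. A short comment would also help a future reader, for example `// priority is mandatory for rules on v2 SKUs from API 2021-08-01 onward`, which as far as I recall is why the bump of the `appgw` resource to `2022-07-01` earlier in this series required it. The `appgwProperties` variable starts and ends outside this hunk.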