From 44941676f45df6061e147862a9ec0f28e89b125b Mon Sep 17 00:00:00 2001 From: Preston Alvarado <700740+coolhome@users.noreply.github.com> Date: Mon, 6 Nov 2023 14:21:25 -0500 Subject: [PATCH 1/3] Update main.bicep Do not attempt to load Private DNS Zone when `enableDnsZoneContributorRoleAssignment` is false. Added output `managedCluster.properties.ingressProfile.webAppRouting.identity.objectId` so I can add role assignment for private dns zone
---
 modules/container-service/managed-cluster/main.bicep | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/modules/container-service/managed-cluster/main.bicep b/modules/container-service/managed-cluster/main.bicep
index 5808b8d313..8b20dbb795 100644
--- a/modules/container-service/managed-cluster/main.bicep
+++ b/modules/container-service/managed-cluster/main.bicep
@@ -676,7 +676,7 @@ resource managedCluster_roleAssignments 'Microsoft.Authorization/roleAssignments
 scope: managedCluster
 }]
-resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = if (dnsZoneResourceId != null && webApplicationRoutingEnabled) {
+resource dnsZone 'Microsoft.Network/dnsZones@2018-05-01' existing = if (enableDnsZoneContributorRoleAssignment == true && dnsZoneResourceId != null && webApplicationRoutingEnabled) {
 name: last(split((!empty(dnsZoneResourceId) ? dnsZoneResourceId : '/dummmyZone'), '/'))!
 }
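Review bot: The new guard on `dnsZone` still tests `dnsZoneResourceId != null`, while the `name` expression on the next line protects itself with `!empty(dnsZoneResourceId)` and a `'/dummmyZone'` fallback, so an empty-string ID passes the condition and the `existing` reference resolves to a zone literally named `dummmyZone`. Testing emptiness in the condition closes that gap, and `== true` on what appears to be a boolean parameter is redundant: `existing = if (enableDnsZoneContributorRoleAssignment && !empty(dnsZoneResourceId) && webApplicationRoutingEnabled) {`. The role assignment that consumes `dnsZone` is outside this hunk; it should carry the same condition so the grant to the routing identity and the zone lookup cannot drift apart.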
@@ -726,6 +726,9 @@ output oidcIssuerUrl string = enableOidcIssuerProfile ? managedCluster.propertie
 @description('The addonProfiles of the Kubernetes cluster.')
 output addonProfiles object = contains(managedCluster.properties, 'addonProfiles') ? managedCluster.properties.addonProfiles : {}
+@description('The Object ID of Web Application Routing.')
+output webAppRoutingIdentityObjectId string = contains(managedCluster.properties, 'ingressProfile') && contains(managedCluster.properties.ingressProfile, 'webAppRouting') && contains(managedCluster.properties.ingressProfile.webAppRouting, 'identity') && contains(managedCluster.properties.ingressProfile.webAppRouting.identity, 'objectId') ? managedCluster.properties.ingressProfile.webAppRouting.identity.objectId : ''
+
 // =============== //
 // Definitions //
 // =============== //
From 502155185241f26ce619332cb5bee744348eb60e Mon Sep 17 00:00:00 2001 From: Preston Alvarado <700740+coolhome@users.noreply.github.com> Date: Wed, 6 Dec 2023 10:30:46 -0500 Subject: [PATCH 2/3] Update module
---
 modules/container-service/managed-cluster/README.md | 1 + modules/container-service/managed-cluster/main.json | 11 +++++++++-- 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/modules/container-service/managed-cluster/README.md b/modules/container-service/managed-cluster/README.md
index f2de8470fa..caec00b2a0 100644
--- a/modules/container-service/managed-cluster/README.md
+++ b/modules/container-service/managed-cluster/README.md
@@ -2199,6 +2199,7 @@ Specifies whether the webApplicationRoutingEnabled add-on is enabled or not.
 | `resourceGroupName` | string | The resource group the managed cluster was deployed into. |
 | `resourceId` | string | The resource ID of the managed cluster. |
 | `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. |
+| `webAppRoutingIdentityObjectId` | string | The Object ID of Web Application Routing. |
 ## Cross-referenced modules
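Review bot: The `webAppRoutingIdentityObjectId` output added to main.bicep returns `''` whenever any level of `ingressProfile.webAppRouting.identity.objectId` is absent, and nothing in its `@description` tells a caller that; the commit message says the value is meant to feed a role assignment on a private DNS zone, where an empty principal ID would presumably only surface as a deployment-time failure. I would spell the contract out, e.g. `@description('The object ID of the managed identity used by the Web Application Routing add-on. Empty when the add-on is disabled or exposes no identity.')`, so consumers gate the role assignment on a non-empty value. The four chained `contains()` calls could also collapse to `managedCluster.properties.?ingressProfile.?webAppRouting.?identity.?objectId ?? ''` if the Bicep version in use supports safe dereference. The README row and the generated main.json description in the later patch would need the same wording.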
diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json index 552037b85f..e5abc28330 100644 --- a/modules/container-service/managed-cluster/main.json +++ b/modules/container-service/managed-cluster/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.22.6.54827", - "templateHash": "15042684995150005891" + "templateHash": "9522111047987298490" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", @@ -1196,7 +1196,7 @@ ] }, "dnsZone": { - "condition": "[and(not(equals(parameters('dnsZoneResourceId'), null())), parameters('webApplicationRoutingEnabled'))]", + "condition": "[and(and(equals(parameters('enableDnsZoneContributorRoleAssignment'), true()), not(equals(parameters('dnsZoneResourceId'), null()))), parameters('webApplicationRoutingEnabled'))]", "existing": true, "type": "Microsoft.Network/dnsZones", "apiVersion": "2018-05-01", @@ -2172,6 +2172,13 @@ "description": "The addonProfiles of the Kubernetes cluster." }, "value": "[if(contains(reference('managedCluster'), 'addonProfiles'), reference('managedCluster').addonProfiles, createObject())]" + }, + "webAppRoutingIdentityObjectId": { + "type": "string", + "metadata": { + "description": "The Object ID of Web Application Routing." + }, + "value": "[if(and(and(and(contains(reference('managedCluster'), 'ingressProfile'), contains(reference('managedCluster').ingressProfile, 'webAppRouting')), contains(reference('managedCluster').ingressProfile.webAppRouting, 'identity')), contains(reference('managedCluster').ingressProfile.webAppRouting.identity, 'objectId')), reference('managedCluster').ingressProfile.webAppRouting.identity.objectId, '')]" } } } \ No newline at end of file From 3811f3e1b19528bff9d771519b8eb7b09aaefb33 Mon Sep 17 00:00:00 2001 
From: Preston Alvarado <700740+coolhome@users.noreply.github.com> Date: Thu, 7 Dec 2023 12:46:01 -0600 Subject: [PATCH 3/3] Upgraded bicep, re-ran --- modules/container-service/managed-cluster/main.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/container-service/managed-cluster/main.json b/modules/container-service/managed-cluster/main.json index 20969acf9d..b3e159c0f7 100644 --- a/modules/container-service/managed-cluster/main.json +++ b/modules/container-service/managed-cluster/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.23.1.45101", - "templateHash": "609013537229775592" + "templateHash": "1679575632831341410" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",