{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.8.2.30886", "templateHash": "161353799042682722" } }, "parameters": { "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location of the AKS cluster." } }, "aksClusterName": { "type": "string", "defaultValue": "[format('aks-{0}', uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the name of the AKS cluster." } }, "createMetricAlerts": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create metric alerts or not." } }, "metricAlertsEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether metric alerts are enabled or disabled." } }, "metricAlertsEvalFrequency": { "type": "string", "defaultValue": "PT1M", "metadata": { "description": "Specifies the evaluation frequency of the metric alerts." } }, "metricAlertsWindowsSize": { "type": "string", "defaultValue": "PT1H", "metadata": { "description": "Specifies the window size of the metric alerts." } }, "aksClusterDnsPrefix": { "type": "string", "defaultValue": "[parameters('aksClusterName')]", "metadata": { "description": "Specifies the DNS prefix specified when creating the managed cluster." } }, "aksClusterNetworkPlugin": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "kubenet" ], "metadata": { "description": "Specifies the network plugin used for building the Kubernetes network: azure or kubenet." } }, "aksClusterNetworkPolicy": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "calico" ], "metadata": { "description": "Specifies the network policy used for building the Kubernetes network. 
- calico or azure" } }, "aksClusterPodCidr": { "type": "string", "defaultValue": "10.244.0.0/16", "metadata": { "description": "Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used." } }, "aksClusterServiceCidr": { "type": "string", "defaultValue": "172.16.0.0/16", "metadata": { "description": "A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges." } }, "aksClusterDnsServiceIP": { "type": "string", "defaultValue": "172.16.0.10", "metadata": { "description": "Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr." } }, "aksClusterDockerBridgeCidr": { "type": "string", "defaultValue": "172.17.0.1/16", "metadata": { "description": "Specifies the CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range." } }, "aksClusterLoadBalancerSku": { "type": "string", "defaultValue": "standard", "allowedValues": [ "basic", "standard" ], "metadata": { "description": "Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools." } }, "aksClusterOutboundType": { "type": "string", "defaultValue": "loadBalancer", "allowedValues": [ "loadBalancer", "userDefinedRouting" ], "metadata": { "description": "Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting." } }, "aksClusterSkuTier": { "type": "string", "defaultValue": "Paid", "allowedValues": [ "Paid", "Free" ], "metadata": { "description": "Specifies the tier of a managed cluster SKU: Paid or Free" } }, "aksClusterKubernetesVersion": { "type": "string", "defaultValue": "1.18.8", "metadata": { "description": "Specifies the version of Kubernetes specified when creating the managed cluster." 
} }, "aksClusterAdminUsername": { "type": "string", "defaultValue": "azureuser", "metadata": { "description": "Specifies the administrator username of the Linux virtual machines." } }, "aksClusterSshPublicKey": { "type": "string", "metadata": { "description": "Specifies the SSH RSA public key string for the Linux nodes." } }, "aadProfileTenantId": { "type": "string", "defaultValue": "[subscription().tenantId]", "metadata": { "description": "Specifies the tenant ID of the Azure Active Directory tenant used by the AKS cluster for authentication." } }, "aadProfileAdminGroupObjectIDs": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the AAD group object IDs that will have the admin role on the cluster." } }, "aksClusterUpgradeChannel": { "type": "string", "defaultValue": "stable", "allowedValues": [ "rapid", "stable", "patch", "node-image", "none" ], "metadata": { "description": "Specifies the upgrade channel for auto upgrade. Allowed values include rapid, stable, patch, node-image, none." } }, "aksClusterEnablePrivateCluster": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create the cluster as a private cluster or not." } }, "aksPrivateDNSZone": { "type": "string", "defaultValue": "none", "metadata": { "description": "Specifies the Private DNS Zone mode for the private cluster. When the value is equal to None, a Public DNS Zone is used in place of a Private DNS Zone." } }, "aksEnablePrivateClusterPublicFQDN": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create an additional public FQDN for the private cluster or not." } }, "aadProfileManaged": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable managed AAD integration." } }, "aadProfileEnableAzureRBAC": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable Azure RBAC for Kubernetes authorization." 
} }, "systemNodePoolName": { "type": "string", "defaultValue": "nodepool1", "metadata": { "description": "Specifies the unique name of the system node pool profile in the context of the subscription and resource group." } }, "systemNodePoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the VM size of the nodes in the system node pool." } }, "systemNodePoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the OS Disk Size in GB to be used to specify the disk size for every machine in the system agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." } }, "systemNodePoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "allowedValues": [ "Ephemeral", "Managed" ], "metadata": { "description": "Specifies the OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. - Managed or Ephemeral" } }, "systemNodePoolAgentCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of agents (VMs) to host docker containers in the system node pool. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1." } }, "systemNodePoolOsType": { "type": "string", "defaultValue": "Linux", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS type for the VMs in the system node pool. Choose from Linux and Windows. Defaults to Linux." } }, "systemNodePoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods that can run on a node in the system node pool. The maximum number of pods per node in an AKS cluster is 250. 
The default maximum number of pods per node varies between kubenet and Azure CNI networking, and the method of cluster deployment." } }, "systemNodePoolMaxCount": { "type": "int", "defaultValue": 5, "metadata": { "description": "Specifies the maximum number of nodes for auto-scaling for the system node pool." } }, "systemNodePoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for auto-scaling for the system node pool." } }, "systemNodePoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the system node pool." } }, "systemNodePoolScaleSetPriority": { "type": "string", "defaultValue": "Regular", "allowedValues": [ "Spot", "Regular" ], "metadata": { "description": "Specifies the virtual machine scale set priority in the system node pool: Spot or Regular." } }, "systemNodePoolScaleSetEvictionPolicy": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the ScaleSetEvictionPolicy to be used to specify eviction policy for spot virtual machine scale set. Default to Delete. Allowed values are Delete or Deallocate." } }, "systemNodePoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the Agent pool node labels to be persisted across all nodes in the system node pool." } }, "systemNodePoolNodeTaints": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." } }, "systemNodePoolKubeletDiskType": { "type": "string", "defaultValue": "OS", "allowedValues": [ "OS", "Temporary" ], "metadata": { "description": "Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." 
} }, "systemNodePoolType": { "type": "string", "defaultValue": "VirtualMachineScaleSets", "allowedValues": [ "VirtualMachineScaleSets", "AvailabilitySet" ], "metadata": { "description": "Specifies the type for the system node pool: VirtualMachineScaleSets or AvailabilitySet." } }, "systemNodePoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent nodes in the system node pool. Requires the use of VirtualMachineScaleSets as the node pool type." } }, "userNodePoolName": { "type": "string", "defaultValue": "nodepool1", "metadata": { "description": "Specifies the unique name of the user node pool profile in the context of the subscription and resource group." } }, "userNodePoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the VM size of the nodes in the user node pool." } }, "userNodePoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the OS Disk Size in GB to be used to specify the disk size for every machine in the system agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." } }, "userNodePoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "allowedValues": [ "Ephemeral", "Managed" ], "metadata": { "description": "Specifies the OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. - Managed or Ephemeral" } }, "userNodePoolAgentCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of agents (VMs) to host docker containers in the user node pool. Allowed values must be in the range of 1 to 100 (inclusive). 
The default value is 1." } }, "userNodePoolOsType": { "type": "string", "defaultValue": "Linux", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS type for the vms in the user node pool. Choose from Linux and Windows. Default to Linux." } }, "userNodePoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods that can run on a node in the user node pool. The maximum number of pods per node in an AKS cluster is 250. The default maximum number of pods per node varies between kubenet and Azure CNI networking, and the method of cluster deployment." } }, "userNodePoolMaxCount": { "type": "int", "defaultValue": 5, "metadata": { "description": "Specifies the maximum number of nodes for auto-scaling for the user node pool." } }, "userNodePoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for auto-scaling for the user node pool." } }, "userNodePoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the user node pool." } }, "userNodePoolScaleSetPriority": { "type": "string", "defaultValue": "Regular", "allowedValues": [ "Spot", "Regular" ], "metadata": { "description": "Specifies the virtual machine scale set priority in the user node pool: Spot or Regular." } }, "userNodePoolScaleSetEvictionPolicy": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the ScaleSetEvictionPolicy to be used to specify eviction policy for spot virtual machine scale set. Default to Delete. Allowed values are Delete or Deallocate." } }, "userNodePoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the Agent pool node labels to be persisted across all nodes in the user node pool." 
} }, "userNodePoolNodeTaints": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." } }, "userNodePoolKubeletDiskType": { "type": "string", "defaultValue": "OS", "allowedValues": [ "OS", "Temporary" ], "metadata": { "description": "Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." } }, "userNodePoolType": { "type": "string", "defaultValue": "VirtualMachineScaleSets", "allowedValues": [ "VirtualMachineScaleSets", "AvailabilitySet" ], "metadata": { "description": "Specifies the type for the user node pool: VirtualMachineScaleSets or AvailabilitySet." } }, "userNodePoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent nodes in the user node pool. Requires the use of VirtualMachineScaleSets as the node pool type." } }, "httpApplicationRoutingEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the httpApplicationRouting add-on is enabled or not." } }, "openServiceMeshEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Open Service Mesh add-on is enabled or not." } }, "kedaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Kubernetes Event-Driven Autoscaler (KEDA) add-on is enabled or not." } }, "aciConnectorLinuxEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the aciConnectorLinux add-on is enabled or not." } }, "azurePolicyEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the azurepolicy add-on is enabled or not." 
} }, "kubeDashboardEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the kubeDashboard add-on is enabled or not." } }, "podIdentityProfileEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the pod identity add-on is enabled." } }, "oidcIssuerProfileEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the OIDC issuer is enabled." } }, "autoScalerProfileScanInterval": { "type": "string", "defaultValue": "10s", "metadata": { "description": "Specifies the scan interval of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterAdd": { "type": "string", "defaultValue": "10m", "metadata": { "description": "Specifies the scale down delay after add of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterDelete": { "type": "string", "defaultValue": "20s", "metadata": { "description": "Specifies the scale down delay after delete of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterFailure": { "type": "string", "defaultValue": "3m", "metadata": { "description": "Specifies the scale down delay after failure of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownUnneededTime": { "type": "string", "defaultValue": "10m", "metadata": { "description": "Specifies the scale down unneeded time of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownUnreadyTime": { "type": "string", "defaultValue": "20m", "metadata": { "description": "Specifies the scale down unready time of the auto-scaler of the AKS cluster." } }, "autoScalerProfileUtilizationThreshold": { "type": "string", "defaultValue": "0.5", "metadata": { "description": "Specifies the utilization threshold of the auto-scaler of the AKS cluster." 
} }, "autoScalerProfileMaxGracefulTerminationSec": { "type": "string", "defaultValue": "600", "metadata": { "description": "Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster." } }, "virtualNetworkName": { "type": "string", "defaultValue": "[format('{0}Vnet', parameters('aksClusterName'))]", "metadata": { "description": "Specifies the name of the virtual network." } }, "virtualNetworkAddressPrefixes": { "type": "string", "defaultValue": "10.0.0.0/8", "metadata": { "description": "Specifies the address prefixes of the virtual network." } }, "aksSubnetName": { "type": "string", "defaultValue": "AksSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the AKS cluster." } }, "aksSubnetAddressPrefix": { "type": "string", "defaultValue": "10.0.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the worker nodes of the AKS cluster." } }, "vmSubnetName": { "type": "string", "defaultValue": "VmSubnet", "metadata": { "description": "Specifies the name of the subnet which contains the virtual machine." } }, "vmSubnetAddressPrefix": { "type": "string", "defaultValue": "10.2.0.0/24", "metadata": { "description": "Specifies the address prefix of the subnet which contains the virtual machine." } }, "bastionSubnetAddressPrefix": { "type": "string", "defaultValue": "10.2.1.0/24", "metadata": { "description": "Specifies the Bastion subnet IP prefix. This prefix must be within vnet IP prefix address space." } }, "logAnalyticsWorkspaceName": { "type": "string", "defaultValue": "[format('{0}Workspace', parameters('aksClusterName'))]", "metadata": { "description": "Specifies the name of the Log Analytics Workspace." 
} }, "logAnalyticsSku": { "type": "string", "defaultValue": "PerNode", "allowedValues": [ "Free", "Standalone", "PerNode", "PerGB2018" ], "metadata": { "description": "Specifies the service tier of the workspace: Free, Standalone, PerNode, Per-GB." } }, "logAnalyticsRetentionInDays": { "type": "int", "defaultValue": 60, "metadata": { "description": "Specifies the workspace data retention in days. -1 means Unlimited retention for the Unlimited Sku. 730 days is the maximum allowed for all other Skus." } }, "blobStorageAccountName": { "type": "string", "defaultValue": "[format('boot{0}', uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the globally unique name for the storage account used to store the boot diagnostics logs of the virtual machine." } }, "blobStorageAccountPrivateEndpointName": { "type": "string", "defaultValue": "BlobStorageAccountPrivateEndpoint", "metadata": { "description": "Specifies the name of the private link to the boot diagnostics storage account." } }, "acrPrivateEndpointName": { "type": "string", "defaultValue": "AcrPrivateEndpoint", "metadata": { "description": "Specifies the name of the private link to the Azure Container Registry." } }, "acrName": { "type": "string", "defaultValue": "[format('acr{0}', uniqueString(resourceGroup().id))]", "maxLength": 50, "minLength": 5, "metadata": { "description": "Name of your Azure Container Registry" } }, "acrAdminUserEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable admin user that have push / pull permission to the registry." } }, "acrSku": { "type": "string", "defaultValue": "Premium", "allowedValues": [ "Basic", "Standard", "Premium" ], "metadata": { "description": "Tier of your Azure Container Registry." } }, "bastionHostName": { "type": "string", "defaultValue": "[format('{0}Bastion', parameters('aksClusterName'))]", "metadata": { "description": "Specifies the name of the Azure Bastion resource." 
} }, "keyVaultPrivateEndpointName": { "type": "string", "defaultValue": "KeyVaultPrivateEndpoint", "metadata": { "description": "Specifies the name of the private link to the Key Vault." } }, "keyVaultName": { "type": "string", "defaultValue": "[format('keyvault-{0}', uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the name of the Key Vault resource." } }, "keyVaultNetworkAclsDefaultAction": { "type": "string", "defaultValue": "Allow", "allowedValues": [ "Allow", "Deny" ], "metadata": { "description": "Specifies the default network ACL action (Allow or Deny) applied when no other rules match. Allowed values: Allow or Deny." } }, "keyVaultEnabledForDeployment": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault resource is enabled for deployments." } }, "keyVaultEnabledForDiskEncryption": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault resource is enabled for disk encryption." } }, "keyVaultEnabledForTemplateDeployment": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault resource is enabled for template deployment." } }, "keyVaultEnableSoftDelete": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether soft delete is enabled for this Azure Key Vault resource." } }, "keyVaultObjectIds": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the object IDs of the service principals to configure in the Key Vault access policies." } }, "tags": { "type": "object", "defaultValue": { "IaC": "Bicep" }, "metadata": { "description": "Specifies the resource tags." } }, "deploymentScriptUri": { "type": "string", "metadata": { "description": "Specifies the deployment script URI." 
} } }, "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "keyVault", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('keyVaultName')]" }, "networkAclsDefaultAction": { "value": "[parameters('keyVaultNetworkAclsDefaultAction')]" }, "enabledForDeployment": { "value": "[parameters('keyVaultEnabledForDeployment')]" }, "enabledForDiskEncryption": { "value": "[parameters('keyVaultEnabledForDiskEncryption')]" }, "enabledForTemplateDeployment": { "value": "[parameters('keyVaultEnabledForTemplateDeployment')]" }, "enableSoftDelete": { "value": "[parameters('keyVaultEnableSoftDelete')]" }, "objectIds": { "value": "[parameters('keyVaultObjectIds')]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace')).outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.8.2.30886", "templateHash": "8157664056454128278" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of the Key Vault resource." } }, "skuName": { "type": "string", "defaultValue": "standard", "allowedValues": [ "premium", "standard" ], "metadata": { "description": "Specifies the sku name of the Key Vault resource." } }, "tenantId": { "type": "string", "defaultValue": "[subscription().tenantId]", "metadata": { "description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." 
} }, "networkAclsDefaultAction": { "type": "string", "defaultValue": "Allow", "allowedValues": [ "Allow", "Deny" ], "metadata": { "description": "Specifies the default network ACL action (Allow or Deny) applied when no other rules match. Allowed values: Allow or Deny." } }, "enabledForDeployment": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault resource is enabled for deployments." } }, "enabledForDiskEncryption": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault resource is enabled for disk encryption." } }, "enabledForTemplateDeployment": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault resource is enabled for template deployment." } }, "enableSoftDelete": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether soft delete is enabled for this Azure Key Vault resource." } }, "objectIds": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the object IDs of the service principals to configure in the Key Vault access policies." } }, "createSecrets": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create the secrets listed in the secrets parameter." } }, "secrets": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the list of secrets (objects with a name and a value) to create in the Key Vault." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource ID of the Log Analytics workspace." } }, "retentionInDays": { "type": "int", "defaultValue": 60, "metadata": { "description": "Specifies the workspace data retention in days." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} } }, "variables": { "copy": [ { "name": "logs", "count": "[length(variables('logCategories'))]", "input": { "category": "[variables('logCategories')[copyIndex('logs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } }, { "name": "metrics", "count": "[length(variables('metricCategories'))]", "input": { "category": "[variables('metricCategories')[copyIndex('metrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } } ], "diagnosticSettingsName": "diagnosticSettings", "logCategories": [ "AuditEvent", "AzurePolicyEvaluationDetails" ], "metricCategories": [ "AllMetrics" ] }, "resources": [ { "type": "Microsoft.KeyVault/vaults", "apiVersion": "2021-10-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "copy": [ { "name": "accessPolicies", "count": "[length(parameters('objectIds'))]", "input": { "tenantId": "[subscription().tenantId]", "objectId": "[parameters('objectIds')[copyIndex('accessPolicies')]]", "permissions": { "keys": [ "get", "list" ], "secrets": [ "get", "list" ], "certificates": [ "get", "list" ] } } } ], "sku": { "family": "A", "name": "[parameters('skuName')]" }, "tenantId": "[parameters('tenantId')]", "networkAcls": { "bypass": "AzureServices", "defaultAction": "[parameters('networkAclsDefaultAction')]" }, "enabledForDeployment": "[parameters('enabledForDeployment')]", "enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]", "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]", "enableSoftDelete": "[parameters('enableSoftDelete')]" } }, { "condition": "[parameters('createSecrets')]", "copy": { "name": "secret", "count": "[length(parameters('secrets'))]" }, "type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2021-11-01-preview", "name": "[format('{0}/{1}', parameters('name'), parameters('secrets')[copyIndex()].name)]", 
"properties": { "value": "[parameters('secrets')[copyIndex()].value]" }, "dependsOn": [ "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('logs')]", "metrics": "[variables('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "workspace", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('logAnalyticsWorkspaceName')]" }, "location": { "value": "[parameters('location')]" }, "sku": { "value": "[parameters('logAnalyticsSku')]" }, "retentionInDays": { "value": "[parameters('logAnalyticsRetentionInDays')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.8.2.30886", "templateHash": "5654950236650366435" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of the Log Analytics workspace." } }, "sku": { "type": "string", "defaultValue": "PerNode", "allowedValues": [ "Free", "Standalone", "PerNode", "PerGB2018" ], "metadata": { "description": "Specifies the service tier of the workspace: Free, Standalone, PerNode, Per-GB." 
} }, "retentionInDays": { "type": "int", "defaultValue": 60, "metadata": { "description": "Specifies the workspace data retention in days. -1 means Unlimited retention for the Unlimited Sku. 730 days is the maximum allowed for all other Skus." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "variables": { "containerInsightsSolutionName": "[format('ContainerInsights({0})', parameters('name'))]" }, "resources": [ { "type": "Microsoft.OperationalInsights/workspaces", "apiVersion": "2021-12-01-preview", "name": "[parameters('name')]", "tags": "[parameters('tags')]", "location": "[parameters('location')]", "properties": { "sku": { "name": "[parameters('sku')]" }, "retentionInDays": "[parameters('retentionInDays')]" } }, { "type": "Microsoft.OperationsManagement/solutions", "apiVersion": "2015-11-01-preview", "name": "[variables('containerInsightsSolutionName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "plan": { "name": "[variables('containerInsightsSolutionName')]", "promotionCode": "", "product": "OMSGallery/ContainerInsights", "publisher": "Microsoft" }, "properties": { "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]", "containedResources": [] }, "dependsOn": [ "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" }, "customerId": { "type": "string", "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))).customerId]" } } } } }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "containerRegistry", 
"properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('acrName')]" }, "sku": { "value": "[parameters('acrSku')]" }, "adminUserEnabled": { "value": "[parameters('acrAdminUserEnabled')]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace')).outputs.id.value]" }, "retentionInDays": { "value": "[parameters('logAnalyticsRetentionInDays')]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.8.2.30886", "templateHash": "6508858885966524249" } }, "parameters": { "name": { "type": "string", "defaultValue": "[format('acr{0}', uniqueString(resourceGroup().id))]", "maxLength": 50, "minLength": 5, "metadata": { "description": "Name of your Azure Container Registry" } }, "adminUserEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable the admin user, which has push / pull permission to the registry." } }, "sku": { "type": "string", "defaultValue": "Premium", "allowedValues": [ "Basic", "Standard", "Premium" ], "metadata": { "description": "Tier of your Azure Container Registry." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "retentionInDays": { "type": "int", "defaultValue": 60, "metadata": { "description": "Specifies the workspace data retention in days." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} } }, "variables": { "copy": [ { "name": "logs", "count": "[length(variables('logCategories'))]", "input": { "category": "[variables('logCategories')[copyIndex('logs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } }, { "name": "metrics", "count": "[length(variables('metricCategories'))]", "input": { "category": "[variables('metricCategories')[copyIndex('metrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } } ], "diagnosticSettingsName": "diagnosticSettings", "logCategories": [ "ContainerRegistryRepositoryEvents", "ContainerRegistryLoginEvents" ], "metricCategories": [ "AllMetrics" ] }, "resources": [ { "type": "Microsoft.ContainerRegistry/registries", "apiVersion": "2021-12-01-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "[parameters('sku')]" }, "properties": { "adminUserEnabled": "[parameters('adminUserEnabled')]" } }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('logs')]", "metrics": "[variables('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "storageAccount", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": 
"[parameters('blobStorageAccountName')]" }, "createContainers": { "value": true }, "containerNames": { "value": [ "todoapi", "todoweb" ] }, "keyVaultName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault')).outputs.name.value]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace')).outputs.id.value]" }, "retentionInDays": { "value": "[parameters('logAnalyticsRetentionInDays')]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.8.2.30886", "templateHash": "13943367956540511699" } }, "parameters": { "name": { "type": "string", "defaultValue": "[format('boot{0}', uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the globally unique name for the storage account used to store the boot diagnostics logs of the virtual machine." } }, "createContainers": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create containers." } }, "containerNames": { "type": "array", "metadata": { "description": "Specifies an array of containers to create." } }, "keyVaultName": { "type": "string", "metadata": { "description": "Specifies the name of a Key Vault where to store secrets." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "retentionInDays": { "type": "int", "defaultValue": 60, "metadata": { "description": "Specifies the workspace data retention in days." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} } }, "variables": { "copy": [ { "name": "logs", "count": "[length(variables('logCategories'))]", "input": { "category": "[variables('logCategories')[copyIndex('logs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } }, { "name": "metrics", "count": "[length(variables('metricCategories'))]", "input": { "category": "[variables('metricCategories')[copyIndex('metrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } } ], "diagnosticSettingsName": "diagnosticSettings", "logCategories": [ "StorageRead", "StorageWrite", "StorageDelete" ], "metricCategories": [ "Transaction" ] }, "resources": [ { "condition": "[parameters('createContainers')]", "copy": { "name": "containers", "count": "[length(parameters('containerNames'))]" }, "type": "Microsoft.Storage/storageAccounts/blobServices/containers", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}/{2}', parameters('name'), 'default', parameters('containerNames')[copyIndex()])]", "properties": { "publicAccess": "None" }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]" ] }, { "type": "Microsoft.Storage/storageAccounts/blobServices", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}', parameters('name'), 'default')]", "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" ] }, { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-09-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "Standard_LRS" }, "kind": "StorageV2" }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}', parameters('name'), 'default')]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", 
"logs": "[variables('logs')]", "metrics": "[variables('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]" ] }, { "type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2021-11-01-preview", "name": "[format('{0}/{1}', parameters('keyVaultName'), 'DataProtection--BlobStorage--AccountName')]", "properties": { "value": "[parameters('name')]" }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" ] }, { "type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2021-11-01-preview", "name": "[format('{0}/{1}', parameters('keyVaultName'), 'DataProtection--BlobStorage--ConnectionString')]", "properties": { "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1}', parameters('name'), listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), '2021-09-01').keys[0].value)]" }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" ] }, { "type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2021-11-01-preview", "name": "[format('{0}/{1}', parameters('keyVaultName'), 'DataProtection--BlobStorage--UseAzureCredential')]", "properties": { "value": "true" } } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'keyVault')]", "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "network", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "virtualNetworkName": { "value": "[parameters('virtualNetworkName')]" }, "virtualNetworkAddressPrefixes": { "value": "[parameters('virtualNetworkAddressPrefixes')]" }, "aksSubnetName": { "value": 
"[parameters('aksSubnetName')]" }, "aksSubnetAddressPrefix": { "value": "[parameters('aksSubnetAddressPrefix')]" }, "vmSubnetName": { "value": "[parameters('vmSubnetName')]" }, "vmSubnetAddressPrefix": { "value": "[parameters('vmSubnetAddressPrefix')]" }, "vmSubnetNsgName": { "value": "[format('{0}Nsg', parameters('vmSubnetName'))]" }, "bastionSubnetAddressPrefix": { "value": "[parameters('bastionSubnetAddressPrefix')]" }, "bastionSubnetNsgName": { "value": "AzureBastionSubnetNsg" }, "bastionHostName": { "value": "[parameters('bastionHostName')]" }, "createAcrPrivateEndpoint": { "value": "[equals(parameters('acrSku'), 'Premium')]" }, "storageAccountPrivateEndpointName": { "value": "[parameters('blobStorageAccountPrivateEndpointName')]" }, "storageAccountId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'storageAccount')).outputs.id.value]" }, "keyVaultPrivateEndpointName": { "value": "[parameters('keyVaultPrivateEndpointName')]" }, "keyVaultId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault')).outputs.id.value]" }, "acrPrivateEndpointName": { "value": "[parameters('acrPrivateEndpointName')]" }, "acrId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'containerRegistry')).outputs.id.value]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace')).outputs.id.value]" }, "retentionInDays": { "value": "[parameters('logAnalyticsRetentionInDays')]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.8.2.30886", "templateHash": "1433206885009662220" } }, "parameters": { "virtualNetworkName": { "type": "string", "metadata": { "description": "Specifies the name of the virtual network." 
} }, "virtualNetworkAddressPrefixes": { "type": "string", "defaultValue": "10.0.0.0/8", "metadata": { "description": "Specifies the address prefixes of the virtual network." } }, "aksSubnetName": { "type": "string", "defaultValue": "AksSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the AKS cluster." } }, "aksSubnetAddressPrefix": { "type": "string", "defaultValue": "10.0.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the worker nodes of the AKS cluster." } }, "vmSubnetName": { "type": "string", "defaultValue": "VmSubnet", "metadata": { "description": "Specifies the name of the subnet which contains the virtual machine." } }, "vmSubnetAddressPrefix": { "type": "string", "defaultValue": "10.2.0.0/24", "metadata": { "description": "Specifies the address prefix of the subnet which contains the virtual machine." } }, "vmSubnetNsgName": { "type": "string", "defaultValue": "VmSubnetNsg", "metadata": { "description": "Specifies the name of the network security group associated to the subnet hosting the virtual machine." } }, "bastionSubnetAddressPrefix": { "type": "string", "defaultValue": "10.2.1.0/24", "metadata": { "description": "Specifies the Bastion subnet IP prefix. This prefix must be within vnet IP prefix address space." } }, "bastionSubnetNsgName": { "type": "string", "defaultValue": "AzureBastionNsg", "metadata": { "description": "Specifies the name of the network security group associated to the subnet hosting Azure Bastion." } }, "bastionHostName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Bastion resource." } }, "bastionHostDisableCopyPaste": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable Copy/Paste feature of the Bastion Host resource." 
} }, "bastionHostEnableFileCopy": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable File Copy feature of the Bastion Host resource." } }, "bastionHostEnableIpConnect": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable IP Connect feature of the Bastion Host resource." } }, "bastionHostEnableShareableLink": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable Shareable Link of the Bastion Host resource." } }, "bastionHostEnableTunneling": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable Tunneling feature of the Bastion Host resource." } }, "storageAccountPrivateEndpointName": { "type": "string", "defaultValue": "BlobStorageAccountPrivateEndpoint", "metadata": { "description": "Specifies the name of the private link to the boot diagnostics storage account." } }, "storageAccountId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Azure Storage Account." } }, "keyVaultPrivateEndpointName": { "type": "string", "defaultValue": "KeyVaultPrivateEndpoint", "metadata": { "description": "Specifies the name of the private link to the Key Vault." } }, "keyVaultId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Azure Key vault." } }, "createAcrPrivateEndpoint": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to create a private endpoint for the Azure Container Registry" } }, "acrPrivateEndpointName": { "type": "string", "defaultValue": "AcrPrivateEndpoint", "metadata": { "description": "Specifies the name of the private link to the Azure Container Registry." } }, "acrId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Azure Container Registry." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." 
} }, "retentionInDays": { "type": "int", "defaultValue": 60, "metadata": { "description": "Specifies the workspace data retention in days." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "variables": { "copy": [ { "name": "nsgLogs", "count": "[length(variables('nsgLogCategories'))]", "input": { "category": "[variables('nsgLogCategories')[copyIndex('nsgLogs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } }, { "name": "vnetLogs", "count": "[length(variables('vnetLogCategories'))]", "input": { "category": "[variables('vnetLogCategories')[copyIndex('vnetLogs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } }, { "name": "vnetMetrics", "count": "[length(variables('vnetMetricCategories'))]", "input": { "category": "[variables('vnetMetricCategories')[copyIndex('vnetMetrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } }, { "name": "bastionLogs", "count": "[length(variables('bastionLogCategories'))]", "input": { "category": "[variables('bastionLogCategories')[copyIndex('bastionLogs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } }, { "name": "bastionMetrics", "count": "[length(variables('bastionMetricCategories'))]", "input": { "category": "[variables('bastionMetricCategories')[copyIndex('bastionMetrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } } ], "diagnosticSettingsName": "diagnosticSettings", "nsgLogCategories": [ "NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter" ], "vnetLogCategories": [ "VMProtectionAlerts" ], "vnetMetricCategories": [ "AllMetrics" ], 
"bastionLogCategories": [ "BastionAuditLogs" ], "bastionMetricCategories": [ "AllMetrics" ], "bastionSubnetName": "AzureBastionSubnet", "bastionPublicIpAddressName": "[format('{0}PublicIp', parameters('bastionHostName'))]" }, "resources": [ { "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2021-08-01", "name": "[parameters('bastionSubnetNsgName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "securityRules": [ { "name": "AllowHttpsInBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "443", "destinationAddressPrefix": "*", "access": "Allow", "priority": 100, "direction": "Inbound" } }, { "name": "AllowGatewayManagerInBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "GatewayManager", "destinationPortRange": "443", "destinationAddressPrefix": "*", "access": "Allow", "priority": 110, "direction": "Inbound" } }, { "name": "AllowLoadBalancerInBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "443", "destinationAddressPrefix": "*", "access": "Allow", "priority": 120, "direction": "Inbound" } }, { "name": "AllowBastionHostCommunicationInBound", "properties": { "protocol": "*", "sourcePortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRanges": [ "8080", "5701" ], "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 130, "direction": "Inbound" } }, { "name": "DenyAllInBound", "properties": { "protocol": "*", "sourcePortRange": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*", "destinationAddressPrefix": "*", "access": "Deny", "priority": 1000, "direction": "Inbound" } }, { "name": "AllowSshRdpOutBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "*", "destinationPortRanges": [ "22", "3389" ], "destinationAddressPrefix": 
"VirtualNetwork", "access": "Allow", "priority": 100, "direction": "Outbound" } }, { "name": "AllowAzureCloudCommunicationOutBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "*", "destinationPortRange": "443", "destinationAddressPrefix": "AzureCloud", "access": "Allow", "priority": 110, "direction": "Outbound" } }, { "name": "AllowBastionHostCommunicationOutBound", "properties": { "protocol": "*", "sourcePortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRanges": [ "8080", "5701" ], "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 120, "direction": "Outbound" } }, { "name": "AllowGetSessionInformationOutBound", "properties": { "protocol": "*", "sourcePortRange": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "Internet", "destinationPortRanges": [ "80", "443" ], "access": "Allow", "priority": 130, "direction": "Outbound" } }, { "name": "DenyAllOutBound", "properties": { "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Deny", "priority": 1000, "direction": "Outbound" } } ] } }, { "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2021-08-01", "name": "[parameters('vmSubnetNsgName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "securityRules": [ { "name": "AllowSshInbound", "properties": { "priority": 100, "access": "Allow", "direction": "Inbound", "destinationPortRange": "22", "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*", "destinationAddressPrefix": "*" } } ] } }, { "type": "Microsoft.Network/virtualNetworks", "apiVersion": "2021-08-01", "name": "[parameters('virtualNetworkName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "addressSpace": { "addressPrefixes": [ "[parameters('virtualNetworkAddressPrefixes')]" ] }, "subnets": [ { "name": 
"[parameters('aksSubnetName')]", "properties": { "addressPrefix": "[parameters('aksSubnetAddressPrefix')]", "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled" } }, { "name": "[parameters('vmSubnetName')]", "properties": { "addressPrefix": "[parameters('vmSubnetAddressPrefix')]", "networkSecurityGroup": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('vmSubnetNsgName'))]" }, "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled" } }, { "name": "[variables('bastionSubnetName')]", "properties": { "addressPrefix": "[parameters('bastionSubnetAddressPrefix')]", "networkSecurityGroup": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionSubnetNsgName'))]" } } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionSubnetNsgName'))]", "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('vmSubnetNsgName'))]" ] }, { "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2021-08-01", "name": "[variables('bastionPublicIpAddressName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "Standard" }, "properties": { "publicIPAllocationMethod": "Static" } }, { "type": "Microsoft.Network/bastionHosts", "apiVersion": "2021-08-01", "name": "[parameters('bastionHostName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "disableCopyPaste": "[parameters('bastionHostDisableCopyPaste')]", "enableFileCopy": "[parameters('bastionHostEnableFileCopy')]", "enableIpConnect": "[parameters('bastionHostEnableIpConnect')]", "enableShareableLink": "[parameters('bastionHostEnableShareableLink')]", "enableTunneling": "[parameters('bastionHostEnableTunneling')]", "ipConfigurations": [ { "name": "IpConf", "properties": { "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', 
parameters('virtualNetworkName')), variables('bastionSubnetName'))]" }, "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('bastionPublicIpAddressName'))]" } } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/publicIPAddresses', variables('bastionPublicIpAddressName'))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateDnsZones", "apiVersion": "2020-06-01", "name": "[format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io'))]", "location": "global", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Network/privateDnsZones", "apiVersion": "2020-06-01", "name": "[format('privatelink.blob.{0}', environment().suffixes.storage)]", "location": "global", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Network/privateDnsZones", "apiVersion": "2020-06-01", "name": "[format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net'))]", "location": "global", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io')), format('link_to_{0}', toLower(parameters('virtualNetworkName'))))]", "location": "global", "properties": { "registrationEnabled": false, "virtualNetwork": { "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io')))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", 
"apiVersion": "2020-06-01", "name": "[format('{0}/{1}', format('privatelink.blob.{0}', environment().suffixes.storage), format('link_to_{0}', toLower(parameters('virtualNetworkName'))))]", "location": "global", "properties": { "registrationEnabled": false, "virtualNetwork": { "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.blob.{0}', environment().suffixes.storage))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net')), format('link_to_{0}', toLower(parameters('virtualNetworkName'))))]", "location": "global", "properties": { "registrationEnabled": false, "virtualNetwork": { "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net')))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2021-08-01", "name": "[parameters('storageAccountPrivateEndpointName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "privateLinkServiceConnections": [ { "name": "[parameters('storageAccountPrivateEndpointName')]", "properties": { "privateLinkServiceId": "[parameters('storageAccountId')]", "groupIds": [ "blob" ] } } ], "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), 
parameters('vmSubnetName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2021-08-01", "name": "[format('{0}/{1}', parameters('storageAccountPrivateEndpointName'), 'PrivateDnsZoneGroupName')]", "properties": { "privateDnsZoneConfigs": [ { "name": "dnsConfig", "properties": { "privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.blob.{0}', environment().suffixes.storage))]" } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.blob.{0}', environment().suffixes.storage))]", "[resourceId('Microsoft.Network/privateEndpoints', parameters('storageAccountPrivateEndpointName'))]" ] }, { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2021-08-01", "name": "[parameters('keyVaultPrivateEndpointName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "privateLinkServiceConnections": [ { "name": "[parameters('keyVaultPrivateEndpointName')]", "properties": { "privateLinkServiceId": "[parameters('keyVaultId')]", "groupIds": [ "vault" ] } } ], "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), parameters('vmSubnetName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2021-08-01", "name": "[format('{0}/{1}', parameters('keyVaultPrivateEndpointName'), 'PrivateDnsZoneGroupName')]", "properties": { "privateDnsZoneConfigs": [ { "name": "dnsConfig", "properties": { "privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net')))]" } } ] }, 
"dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net')))]", "[resourceId('Microsoft.Network/privateEndpoints', parameters('keyVaultPrivateEndpointName'))]" ] }, { "condition": "[parameters('createAcrPrivateEndpoint')]", "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2021-08-01", "name": "[parameters('acrPrivateEndpointName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "privateLinkServiceConnections": [ { "name": "[parameters('acrPrivateEndpointName')]", "properties": { "privateLinkServiceId": "[parameters('acrId')]", "groupIds": [ "registry" ] } } ], "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), parameters('vmSubnetName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "condition": "[parameters('createAcrPrivateEndpoint')]", "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2021-08-01", "name": "[format('{0}/{1}', parameters('acrPrivateEndpointName'), 'acrPrivateDnsZoneGroup')]", "properties": { "privateDnsZoneConfigs": [ { "name": "dnsConfig", "properties": { "privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io')))]" } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io')))]", "[resourceId('Microsoft.Network/privateEndpoints', parameters('acrPrivateEndpointName'))]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": 
"[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('vmSubnetNsgName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('nsgLogs')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('vmSubnetNsgName'))]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('bastionSubnetNsgName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('nsgLogs')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionSubnetNsgName'))]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('virtualNetworkName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('vnetLogs')]", "metrics": "[variables('vnetMetrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('bastionHostName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('bastionLogs')]", "metrics": "[variables('bastionMetrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/bastionHosts', parameters('bastionHostName'))]" ] } ], "outputs": { "virtualNetworkId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" }, "virtualNetworkName": { "type": "string", "value": "[parameters('virtualNetworkName')]" }, 
"aksSubnetId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('aksSubnetName'))]" }, "vmSubnetId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('vmSubnetName'))]" }, "bastionSubnetId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('bastionSubnetName'))]" }, "aksSubnetName": { "type": "string", "value": "[parameters('aksSubnetName')]" }, "vmSubnetName": { "type": "string", "value": "[parameters('vmSubnetName')]" }, "bastionSubnetName": { "type": "string", "value": "[variables('bastionSubnetName')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'containerRegistry')]", "[resourceId('Microsoft.Resources/deployments', 'keyVault')]", "[resourceId('Microsoft.Resources/deployments', 'storageAccount')]", "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "aksManageIdentity", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "managedIdentityName": { "value": "[format('{0}Identity', parameters('aksClusterName'))]" }, "virtualNetworkName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network')).outputs.virtualNetworkName.value]" }, "subnetName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network')).outputs.aksSubnetName.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.8.2.30886", "templateHash": "10695768811502377945" } }, "parameters": { 
"managedIdentityName": { "type": "string", "metadata": { "description": "Specifies the name of the user-defined managed identity." } }, "virtualNetworkName": { "type": "string", "metadata": { "description": "Specifies the name of the existing virtual network." } }, "subnetName": { "type": "string", "metadata": { "description": "Specifies the name of the existing subnet." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "variables": { "networkContributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]" }, "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2021-09-30-preview", "name": "[parameters('managedIdentityName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-10-01-preview", "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('subnetName'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName')), variables('networkContributorRoleDefinitionId'))]", "properties": { "roleDefinitionId": "[variables('networkContributorRoleDefinitionId')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))).principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" ] } ], "outputs": { "id": { "type": "string", "value": 
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" }, "name": { "type": "string", "value": "[parameters('managedIdentityName')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'network')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "kubeletManageIdentity", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "aksClusterName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster')).outputs.name.value]" }, "acrName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'containerRegistry')).outputs.name.value]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.8.2.30886", "templateHash": "4324031208629189507" } }, "parameters": { "aksClusterName": { "type": "string", "metadata": { "description": "Specifies the name of the existing AKS cluster." } }, "acrName": { "type": "string", "metadata": { "description": "Specifies the name of the existing container registry." 
} } }, "variables": { "acrPullRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]" }, "resources": [ { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-10-01-preview", "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('acrName'))]", "name": "[guid(parameters('aksClusterName'), resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName')), variables('acrPullRoleDefinitionId'))]", "properties": { "roleDefinitionId": "[variables('acrPullRoleDefinitionId')]", "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName')), '2022-03-02-preview').identityProfile.kubeletidentity.objectId]", "principalType": "ServicePrincipal" } } ] } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]", "[resourceId('Microsoft.Resources/deployments', 'containerRegistry')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "aksCluster", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('aksClusterName')]" }, "virtualNetworkName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network')).outputs.virtualNetworkName.value]" }, "subnetName": { "value": "[parameters('aksSubnetName')]" }, "managedIdentityName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksManageIdentity')).outputs.name.value]" }, "dnsPrefix": { "value": "[parameters('aksClusterDnsPrefix')]" }, "networkPlugin": { "value": "[parameters('aksClusterNetworkPlugin')]" }, "networkPolicy": { "value": "[parameters('aksClusterNetworkPolicy')]" }, "podCidr": { "value": "[parameters('aksClusterPodCidr')]" }, "serviceCidr": { "value": "[parameters('aksClusterServiceCidr')]" }, "dnsServiceIP": { "value": "[parameters('aksClusterDnsServiceIP')]" }, "dockerBridgeCidr": { 
"value": "[parameters('aksClusterDockerBridgeCidr')]" }, "loadBalancerSku": { "value": "[parameters('aksClusterLoadBalancerSku')]" }, "outboundType": { "value": "[parameters('aksClusterOutboundType')]" }, "skuTier": { "value": "[parameters('aksClusterSkuTier')]" }, "kubernetesVersion": { "value": "[parameters('aksClusterKubernetesVersion')]" }, "adminUsername": { "value": "[parameters('aksClusterAdminUsername')]" }, "sshPublicKey": { "value": "[parameters('aksClusterSshPublicKey')]" }, "aadProfileTenantId": { "value": "[parameters('aadProfileTenantId')]" }, "aadProfileAdminGroupObjectIDs": { "value": "[parameters('aadProfileAdminGroupObjectIDs')]" }, "aadProfileManaged": { "value": "[parameters('aadProfileManaged')]" }, "aadProfileEnableAzureRBAC": { "value": "[parameters('aadProfileEnableAzureRBAC')]" }, "upgradeChannel": { "value": "[parameters('aksClusterUpgradeChannel')]" }, "enablePrivateCluster": { "value": "[parameters('aksClusterEnablePrivateCluster')]" }, "privateDNSZone": { "value": "[parameters('aksPrivateDNSZone')]" }, "enablePrivateClusterPublicFQDN": { "value": "[parameters('aksEnablePrivateClusterPublicFQDN')]" }, "systemNodePoolName": { "value": "[parameters('systemNodePoolName')]" }, "systemNodePoolVmSize": { "value": "[parameters('systemNodePoolVmSize')]" }, "systemNodePoolOsDiskSizeGB": { "value": "[parameters('systemNodePoolOsDiskSizeGB')]" }, "systemNodePoolOsDiskType": { "value": "[parameters('systemNodePoolOsDiskType')]" }, "systemNodePoolAgentCount": { "value": "[parameters('systemNodePoolAgentCount')]" }, "systemNodePoolOsType": { "value": "[parameters('systemNodePoolOsType')]" }, "systemNodePoolMaxPods": { "value": "[parameters('systemNodePoolMaxPods')]" }, "systemNodePoolMaxCount": { "value": "[parameters('systemNodePoolMaxCount')]" }, "systemNodePoolMinCount": { "value": "[parameters('systemNodePoolMinCount')]" }, "systemNodePoolEnableAutoScaling": { "value": "[parameters('systemNodePoolEnableAutoScaling')]" }, 
"systemNodePoolScaleSetPriority": { "value": "[parameters('systemNodePoolScaleSetPriority')]" }, "systemNodePoolScaleSetEvictionPolicy": { "value": "[parameters('systemNodePoolScaleSetEvictionPolicy')]" }, "systemNodePoolNodeLabels": { "value": "[parameters('systemNodePoolNodeLabels')]" }, "systemNodePoolNodeTaints": { "value": "[parameters('systemNodePoolNodeTaints')]" }, "systemNodePoolType": { "value": "[parameters('systemNodePoolType')]" }, "systemNodePoolAvailabilityZones": { "value": "[parameters('systemNodePoolAvailabilityZones')]" }, "systemNodePoolKubeletDiskType": { "value": "[parameters('systemNodePoolKubeletDiskType')]" }, "userNodePoolName": { "value": "[parameters('userNodePoolName')]" }, "userNodePoolVmSize": { "value": "[parameters('userNodePoolVmSize')]" }, "userNodePoolOsDiskSizeGB": { "value": "[parameters('userNodePoolOsDiskSizeGB')]" }, "userNodePoolOsDiskType": { "value": "[parameters('userNodePoolOsDiskType')]" }, "userNodePoolAgentCount": { "value": "[parameters('userNodePoolAgentCount')]" }, "userNodePoolOsType": { "value": "[parameters('userNodePoolOsType')]" }, "userNodePoolMaxPods": { "value": "[parameters('userNodePoolMaxPods')]" }, "userNodePoolMaxCount": { "value": "[parameters('userNodePoolMaxCount')]" }, "userNodePoolMinCount": { "value": "[parameters('userNodePoolMinCount')]" }, "userNodePoolEnableAutoScaling": { "value": "[parameters('userNodePoolEnableAutoScaling')]" }, "userNodePoolScaleSetPriority": { "value": "[parameters('userNodePoolScaleSetPriority')]" }, "userNodePoolScaleSetEvictionPolicy": { "value": "[parameters('userNodePoolScaleSetEvictionPolicy')]" }, "userNodePoolNodeLabels": { "value": "[parameters('userNodePoolNodeLabels')]" }, "userNodePoolNodeTaints": { "value": "[parameters('userNodePoolNodeTaints')]" }, "userNodePoolType": { "value": "[parameters('userNodePoolType')]" }, "userNodePoolAvailabilityZones": { "value": "[parameters('userNodePoolAvailabilityZones')]" }, "userNodePoolKubeletDiskType": { "value": 
"[parameters('userNodePoolKubeletDiskType')]" }, "httpApplicationRoutingEnabled": { "value": "[parameters('httpApplicationRoutingEnabled')]" }, "openServiceMeshEnabled": { "value": "[parameters('openServiceMeshEnabled')]" }, "kedaEnabled": { "value": "[parameters('kedaEnabled')]" }, "aciConnectorLinuxEnabled": { "value": "[parameters('aciConnectorLinuxEnabled')]" }, "azurePolicyEnabled": { "value": "[parameters('azurePolicyEnabled')]" }, "kubeDashboardEnabled": { "value": "[parameters('kubeDashboardEnabled')]" }, "podIdentityProfileEnabled": { "value": "[parameters('podIdentityProfileEnabled')]" }, "oidcIssuerProfileEnabled": { "value": "[parameters('oidcIssuerProfileEnabled')]" }, "autoScalerProfileScanInterval": { "value": "[parameters('autoScalerProfileScanInterval')]" }, "autoScalerProfileScaleDownDelayAfterAdd": { "value": "[parameters('autoScalerProfileScaleDownDelayAfterAdd')]" }, "autoScalerProfileScaleDownDelayAfterDelete": { "value": "[parameters('autoScalerProfileScaleDownDelayAfterDelete')]" }, "autoScalerProfileScaleDownDelayAfterFailure": { "value": "[parameters('autoScalerProfileScaleDownDelayAfterFailure')]" }, "autoScalerProfileScaleDownUnneededTime": { "value": "[parameters('autoScalerProfileScaleDownUnneededTime')]" }, "autoScalerProfileScaleDownUnreadyTime": { "value": "[parameters('autoScalerProfileScaleDownUnreadyTime')]" }, "autoScalerProfileUtilizationThreshold": { "value": "[parameters('autoScalerProfileUtilizationThreshold')]" }, "autoScalerProfileMaxGracefulTerminationSec": { "value": "[parameters('autoScalerProfileMaxGracefulTerminationSec')]" }, "retentionInDays": { "value": "[parameters('logAnalyticsRetentionInDays')]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace')).outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.8.2.30886", "templateHash": "1724654840729242238" } }, "parameters": { "name": { "type": "string", "defaultValue": "[format('aks-{0}', uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the name of the AKS cluster." } }, "virtualNetworkName": { "type": "string", "metadata": { "description": "Specifies the name of the existing virtual network." } }, "subnetName": { "type": "string", "metadata": { "description": "Specifies the name of the existing subnet." } }, "managedIdentityName": { "type": "string", "metadata": { "description": "Specifies the name of the AKS user-defined managed identity." } }, "dnsPrefix": { "type": "string", "defaultValue": "[parameters('name')]", "metadata": { "description": "Specifies the DNS prefix specified when creating the managed cluster." } }, "networkPlugin": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "kubenet" ], "metadata": { "description": "Specifies the network plugin used for building Kubernetes network. - azure or kubenet." } }, "networkPolicy": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "calico" ], "metadata": { "description": "Specifies the network policy used for building Kubernetes network. - calico or azure" } }, "podCidr": { "type": "string", "defaultValue": "10.244.0.0/16", "metadata": { "description": "Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used." } }, "serviceCidr": { "type": "string", "defaultValue": "172.16.0.0/16", "metadata": { "description": "A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges." } }, "dnsServiceIP": { "type": "string", "defaultValue": "172.16.0.10", "metadata": { "description": "Specifies the IP address assigned to the Kubernetes DNS service. 
It must be within the Kubernetes service address range specified in serviceCidr." } }, "dockerBridgeCidr": { "type": "string", "defaultValue": "172.17.0.1/16", "metadata": { "description": "Specifies the CIDR notation IP range assigned to the Docker bridge network. It must not overlap with any Subnet IP ranges or the Kubernetes service address range." } }, "loadBalancerSku": { "type": "string", "defaultValue": "standard", "allowedValues": [ "basic", "standard" ], "metadata": { "description": "Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools." } }, "outboundType": { "type": "string", "defaultValue": "loadBalancer", "allowedValues": [ "loadBalancer", "userDefinedRouting" ], "metadata": { "description": "Specifies outbound (egress) routing method. - loadBalancer or userDefinedRouting." } }, "skuTier": { "type": "string", "defaultValue": "Paid", "allowedValues": [ "Paid", "Free" ], "metadata": { "description": "Specifies the tier of a managed cluster SKU: Paid or Free" } }, "kubernetesVersion": { "type": "string", "defaultValue": "1.18.8", "metadata": { "description": "Specifies the version of Kubernetes specified when creating the managed cluster." } }, "adminUsername": { "type": "string", "defaultValue": "azureuser", "metadata": { "description": "Specifies the administrator username of Linux virtual machines." } }, "sshPublicKey": { "type": "string", "metadata": { "description": "Specifies the SSH RSA public key string for the Linux nodes." } }, "aadProfileTenantId": { "type": "string", "defaultValue": "[subscription().tenantId]", "metadata": { "description": "Specifies the tenant id of the Azure Active Directory used by the AKS cluster for authentication." } }, "aadProfileAdminGroupObjectIDs": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the AAD group object IDs that will have admin role of the cluster." 
} }, "upgradeChannel": { "type": "string", "defaultValue": "stable", "allowedValues": [ "rapid", "stable", "patch", "node-image", "none" ], "metadata": { "description": "Specifies the upgrade channel for auto upgrade. Allowed values include rapid, stable, patch, node-image, none." } }, "enablePrivateCluster": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create the cluster as a private cluster or not." } }, "privateDNSZone": { "type": "string", "defaultValue": "none", "metadata": { "description": "Specifies the Private DNS Zone mode for private cluster. When the value is equal to None, a Public DNS Zone is used in place of a Private DNS Zone" } }, "enablePrivateClusterPublicFQDN": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create additional public FQDN for private cluster or not." } }, "aadProfileManaged": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable managed AAD integration." } }, "aadProfileEnableAzureRBAC": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable Azure RBAC for Kubernetes authorization." } }, "systemNodePoolName": { "type": "string", "defaultValue": "nodepool1", "metadata": { "description": "Specifies the unique name of the system node pool profile in the context of the subscription and resource group." } }, "systemNodePoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the vm size of nodes in the system node pool." } }, "systemNodePoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the OS Disk Size in GB to be used to specify the disk size for every machine in the system agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." 
} }, "systemNodePoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "allowedValues": [ "Ephemeral", "Managed" ], "metadata": { "description": "Specifies the OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. - Managed or Ephemeral" } }, "systemNodePoolAgentCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of agents (VMs) to host docker containers in the system node pool. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1." } }, "systemNodePoolOsType": { "type": "string", "defaultValue": "Linux", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS type for the vms in the system node pool. Choose from Linux and Windows. Default to Linux." } }, "systemNodePoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods that can run on a node in the system node pool. The maximum number of pods per node in an AKS cluster is 250. The default maximum number of pods per node varies between kubenet and Azure CNI networking, and the method of cluster deployment." } }, "systemNodePoolMaxCount": { "type": "int", "defaultValue": 5, "metadata": { "description": "Specifies the maximum number of nodes for auto-scaling for the system node pool." } }, "systemNodePoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for auto-scaling for the system node pool." } }, "systemNodePoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the system node pool." 
} }, "systemNodePoolScaleSetPriority": { "type": "string", "defaultValue": "Regular", "allowedValues": [ "Spot", "Regular" ], "metadata": { "description": "Specifies the virtual machine scale set priority in the system node pool: Spot or Regular." } }, "systemNodePoolScaleSetEvictionPolicy": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the ScaleSetEvictionPolicy to be used to specify eviction policy for spot virtual machine scale set. Default to Delete. Allowed values are Delete or Deallocate." } }, "systemNodePoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the Agent pool node labels to be persisted across all nodes in the system node pool." } }, "systemNodePoolNodeTaints": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." } }, "systemNodePoolKubeletDiskType": { "type": "string", "defaultValue": "OS", "allowedValues": [ "OS", "Temporary" ], "metadata": { "description": "Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." } }, "systemNodePoolType": { "type": "string", "defaultValue": "VirtualMachineScaleSets", "allowedValues": [ "VirtualMachineScaleSets", "AvailabilitySet" ], "metadata": { "description": "Specifies the type for the system node pool: VirtualMachineScaleSets or AvailabilitySet" } }, "systemNodePoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent nodes in the system node pool. Requires the use of VirtualMachineScaleSets as node pool type." 
} }, "userNodePoolName": { "type": "string", "defaultValue": "nodepool1", "metadata": { "description": "Specifies the unique name of the user node pool profile in the context of the subscription and resource group." } }, "userNodePoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the vm size of nodes in the user node pool." } }, "userNodePoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the OS Disk Size in GB to be used to specify the disk size for every machine in the user agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." } }, "userNodePoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "allowedValues": [ "Ephemeral", "Managed" ], "metadata": { "description": "Specifies the OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. - Managed or Ephemeral" } }, "userNodePoolAgentCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of agents (VMs) to host docker containers in the user node pool. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1." } }, "userNodePoolOsType": { "type": "string", "defaultValue": "Linux", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS type for the vms in the user node pool. Choose from Linux and Windows. Default to Linux." } }, "userNodePoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods that can run on a node in the user node pool. The maximum number of pods per node in an AKS cluster is 250. 
The default maximum number of pods per node varies between kubenet and Azure CNI networking, and the method of cluster deployment." } }, "userNodePoolMaxCount": { "type": "int", "defaultValue": 5, "metadata": { "description": "Specifies the maximum number of nodes for auto-scaling for the user node pool." } }, "userNodePoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for auto-scaling for the user node pool." } }, "userNodePoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the user node pool." } }, "userNodePoolScaleSetPriority": { "type": "string", "defaultValue": "Regular", "allowedValues": [ "Spot", "Regular" ], "metadata": { "description": "Specifies the virtual machine scale set priority in the user node pool: Spot or Regular." } }, "userNodePoolScaleSetEvictionPolicy": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the ScaleSetEvictionPolicy to be used to specify eviction policy for spot virtual machine scale set. Default to Delete. Allowed values are Delete or Deallocate." } }, "userNodePoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the Agent pool node labels to be persisted across all nodes in the user node pool." } }, "userNodePoolNodeTaints": { "type": "array", "defaultValue": [], "allowedValues": [ "OS", "Temporary" ], "metadata": { "description": "Specifies the taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." } }, "userNodePoolKubeletDiskType": { "type": "string", "defaultValue": "OS", "metadata": { "description": "Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." 
} }, "userNodePoolType": { "type": "string", "defaultValue": "VirtualMachineScaleSets", "allowedValues": [ "VirtualMachineScaleSets", "AvailabilitySet" ], "metadata": { "description": "Specifies the type for the user node pool: VirtualMachineScaleSets or AvailabilitySet" } }, "userNodePoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent nodes in the user node pool. Requires the use of VirtualMachineScaleSets as node pool type." } }, "httpApplicationRoutingEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the httpApplicationRouting add-on is enabled or not." } }, "openServiceMeshEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Open Service Mesh add-on is enabled or not." } }, "kedaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Kubernetes Event-Driven Autoscaler (KEDA) add-on is enabled or not." } }, "aciConnectorLinuxEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the aciConnectorLinux add-on is enabled or not." } }, "azurePolicyEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the azurepolicy add-on is enabled or not." } }, "kubeDashboardEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the kubeDashboard add-on is enabled or not." } }, "podIdentityProfileEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the pod identity addon is enabled." } }, "oidcIssuerProfileEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the OIDC issuer is enabled." 
} }, "autoScalerProfileScanInterval": { "type": "string", "defaultValue": "10s", "metadata": { "description": "Specifies the scan interval of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterAdd": { "type": "string", "defaultValue": "10m", "metadata": { "description": "Specifies the scale down delay after add of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterDelete": { "type": "string", "defaultValue": "20s", "metadata": { "description": "Specifies the scale down delay after delete of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterFailure": { "type": "string", "defaultValue": "3m", "metadata": { "description": "Specifies scale down delay after failure of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownUnneededTime": { "type": "string", "defaultValue": "10m", "metadata": { "description": "Specifies the scale down unneeded time of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownUnreadyTime": { "type": "string", "defaultValue": "20m", "metadata": { "description": "Specifies the scale down unready time of the auto-scaler of the AKS cluster." } }, "autoScalerProfileUtilizationThreshold": { "type": "string", "defaultValue": "0.5", "metadata": { "description": "Specifies the utilization threshold of the auto-scaler of the AKS cluster." } }, "autoScalerProfileMaxGracefulTerminationSec": { "type": "string", "defaultValue": "600", "metadata": { "description": "Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "retentionInDays": { "type": "int", "defaultValue": 60, "metadata": { "description": "Specifies the workspace data retention in days." 
} }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "variables": { "copy": [ { "name": "logs", "count": "[length(variables('logCategories'))]", "input": { "category": "[variables('logCategories')[copyIndex('logs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } }, { "name": "metrics", "count": "[length(variables('metricCategories'))]", "input": { "category": "[variables('metricCategories')[copyIndex('metrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": "[parameters('retentionInDays')]" } } } ], "diagnosticSettingsName": "diagnosticSettings", "logCategories": [ "kube-apiserver", "kube-audit", "kube-audit-admin", "kube-controller-manager", "kube-scheduler", "cluster-autoscaler", "cloud-controller-manager", "guard", "csi-azuredisk-controller", "csi-azurefile-controller", "csi-snapshot-controller" ], "metricCategories": [ "AllMetrics" ] }, "resources": [ { "type": "Microsoft.ContainerService/managedClusters", "apiVersion": "2022-05-02-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "Basic", "tier": "[parameters('skuTier')]" }, "identity": { "type": "UserAssigned", "userAssignedIdentities": { "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')))]": {} } }, "properties": { "kubernetesVersion": "[parameters('kubernetesVersion')]", "dnsPrefix": "[parameters('dnsPrefix')]", "agentPoolProfiles": [ { "name": "[toLower(parameters('systemNodePoolName'))]", "count": "[parameters('systemNodePoolAgentCount')]", "vmSize": "[parameters('systemNodePoolVmSize')]", "osDiskSizeGB": "[parameters('systemNodePoolOsDiskSizeGB')]", "osDiskType": "[parameters('systemNodePoolOsDiskType')]", 
"vnetSubnetID": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]", "maxPods": "[parameters('systemNodePoolMaxPods')]", "osType": "[parameters('systemNodePoolOsType')]", "maxCount": "[parameters('systemNodePoolMaxCount')]", "minCount": "[parameters('systemNodePoolMinCount')]", "scaleSetPriority": "[parameters('systemNodePoolScaleSetPriority')]", "scaleSetEvictionPolicy": "[parameters('systemNodePoolScaleSetEvictionPolicy')]", "enableAutoScaling": "[parameters('systemNodePoolEnableAutoScaling')]", "mode": "System", "type": "[parameters('systemNodePoolType')]", "availabilityZones": "[parameters('systemNodePoolAvailabilityZones')]", "nodeLabels": "[parameters('systemNodePoolNodeLabels')]", "nodeTaints": "[parameters('systemNodePoolNodeTaints')]", "kubeletDiskType": "[parameters('systemNodePoolKubeletDiskType')]" }, { "name": "[toLower(parameters('userNodePoolName'))]", "count": "[parameters('userNodePoolAgentCount')]", "vmSize": "[parameters('userNodePoolVmSize')]", "osDiskSizeGB": "[parameters('userNodePoolOsDiskSizeGB')]", "osDiskType": "[parameters('userNodePoolOsDiskType')]", "vnetSubnetID": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]", "maxPods": "[parameters('userNodePoolMaxPods')]", "osType": "[parameters('userNodePoolOsType')]", "maxCount": "[parameters('userNodePoolMaxCount')]", "minCount": "[parameters('userNodePoolMinCount')]", "scaleSetPriority": "[parameters('userNodePoolScaleSetPriority')]", "scaleSetEvictionPolicy": "[parameters('userNodePoolScaleSetEvictionPolicy')]", "enableAutoScaling": "[parameters('userNodePoolEnableAutoScaling')]", "mode": "User", "type": "[parameters('userNodePoolType')]", "availabilityZones": "[parameters('userNodePoolAvailabilityZones')]", "nodeLabels": "[parameters('userNodePoolNodeLabels')]", "nodeTaints": "[parameters('userNodePoolNodeTaints')]", "kubeletDiskType": 
"[parameters('userNodePoolKubeletDiskType')]" } ], "linuxProfile": { "adminUsername": "[parameters('adminUsername')]", "ssh": { "publicKeys": [ { "keyData": "[parameters('sshPublicKey')]" } ] } }, "addonProfiles": { "httpApplicationRouting": { "enabled": "[parameters('httpApplicationRoutingEnabled')]" }, "openServiceMesh": { "enabled": "[parameters('openServiceMeshEnabled')]", "config": {} }, "omsagent": { "enabled": true, "config": { "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]" } }, "aciConnectorLinux": { "enabled": "[parameters('aciConnectorLinuxEnabled')]" }, "azurepolicy": { "enabled": "[parameters('azurePolicyEnabled')]", "config": { "version": "v2" } }, "kubeDashboard": { "enabled": "[parameters('kubeDashboardEnabled')]" } }, "podIdentityProfile": { "enabled": "[parameters('podIdentityProfileEnabled')]" }, "oidcIssuerProfile": { "enabled": "[parameters('oidcIssuerProfileEnabled')]" }, "enableRBAC": true, "networkProfile": { "networkPlugin": "[parameters('networkPlugin')]", "networkPolicy": "[parameters('networkPolicy')]", "podCidr": "[if(equals(parameters('networkPlugin'), 'azure'), json('null'), parameters('podCidr'))]", "serviceCidr": "[parameters('serviceCidr')]", "dnsServiceIP": "[parameters('dnsServiceIP')]", "dockerBridgeCidr": "[parameters('dockerBridgeCidr')]", "outboundType": "[parameters('outboundType')]", "loadBalancerSku": "[parameters('loadBalancerSku')]", "loadBalancerProfile": "[json('null')]" }, "workloadAutoScalerProfile": { "keda": { "enabled": "[parameters('kedaEnabled')]" } }, "aadProfile": { "clientAppID": null, "serverAppID": null, "serverAppSecret": null, "managed": "[parameters('aadProfileManaged')]", "enableAzureRBAC": "[parameters('aadProfileEnableAzureRBAC')]", "adminGroupObjectIDs": "[parameters('aadProfileAdminGroupObjectIDs')]", "tenantID": "[parameters('aadProfileTenantId')]" }, "autoUpgradeProfile": { "upgradeChannel": "[parameters('upgradeChannel')]" }, "autoScalerProfile": { "scan-interval": 
"[parameters('autoScalerProfileScanInterval')]", "scale-down-delay-after-add": "[parameters('autoScalerProfileScaleDownDelayAfterAdd')]", "scale-down-delay-after-delete": "[parameters('autoScalerProfileScaleDownDelayAfterDelete')]", "scale-down-delay-after-failure": "[parameters('autoScalerProfileScaleDownDelayAfterFailure')]", "scale-down-unneeded-time": "[parameters('autoScalerProfileScaleDownUnneededTime')]", "scale-down-unready-time": "[parameters('autoScalerProfileScaleDownUnreadyTime')]", "scale-down-utilization-threshold": "[parameters('autoScalerProfileUtilizationThreshold')]", "max-graceful-termination-sec": "[parameters('autoScalerProfileMaxGracefulTerminationSec')]" }, "apiServerAccessProfile": { "enablePrivateCluster": "[parameters('enablePrivateCluster')]", "privateDNSZone": "[if(parameters('enablePrivateCluster'), parameters('privateDNSZone'), json('null'))]", "enablePrivateClusterPublicFQDN": "[parameters('enablePrivateClusterPublicFQDN')]" } } }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('logs')]", "metrics": "[variables('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksManageIdentity')]", "[resourceId('Microsoft.Resources/deployments', 'network')]", "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "condition": "[parameters('createMetricAlerts')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": 
"aksmetricalerts", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "aksClusterName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster')).outputs.name.value]" }, "metricAlertsEnabled": { "value": "[parameters('metricAlertsEnabled')]" }, "evalFrequency": { "value": "[parameters('metricAlertsEvalFrequency')]" }, "windowSize": { "value": "[parameters('metricAlertsWindowsSize')]" }, "alertSeverity": { "value": "Informational" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.8.2.30886", "templateHash": "1499862060519786772" } }, "parameters": { "aksClusterName": { "type": "string", "metadata": { "description": "The name of the AKS Cluster to configure the alerts on." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } }, "evalFrequency": { "type": "string", "defaultValue": "PT1M", "allowedValues": [ "PT1M", "PT15M" ], "metadata": { "description": "Specifies how often the alert rule should be run. Selecting a frequency smaller than the granularity of datapoint grouping will result in sliding window evaluation." } }, "metricAlertsEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether metric alerts are enabled or disabled." 
} }, "windowSize": { "type": "string", "defaultValue": "PT5M", "allowedValues": [ "PT5M", "PT1H" ], "metadata": { "description": "Defines the interval over which datapoints are grouped using the aggregation type function" } }, "alertSeverity": { "type": "string", "defaultValue": "Informational", "allowedValues": [ "Critical", "Error", "Warning", "Informational", "Verbose" ] } }, "variables": { "alertServerityLookup": { "Critical": 0, "Error": 1, "Warning": 2, "Informational": 3, "Verbose": 4 }, "alertSeverityNumber": "[variables('alertServerityLookup')[parameters('alertSeverity')]]", "AksResourceId": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))]" }, "resources": [ { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Node CPU utilization high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "host", "operator": "Include", "values": [ "*" ] } ], "metricName": "cpuUsagePercentage", "metricNamespace": "Insights.Container/nodes", "name": "Metric1", "operator": "GreaterThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "Node CPU utilization across the cluster.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Node working set memory utilization high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", 
"properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "host", "operator": "Include", "values": [ "*" ] } ], "metricName": "memoryWorkingSetPercentage", "metricNamespace": "Insights.Container/nodes", "name": "Metric1", "operator": "GreaterThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "Node working set memory utilization across the cluster.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Jobs completed more than 6 hours ago', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "completedJobsCount", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors jobs that completed more than 6 hours ago.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": 
"[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Container CPU usage high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "cpuExceededPercentage", "metricNamespace": "Insights.Container/containers", "name": "Metric1", "operator": "GreaterThan", "threshold": 90, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors container CPU utilization.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Container working set memory usage high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "memoryWorkingSetExceededPercentage", "metricNamespace": "Insights.Container/containers", "name": "Metric1", "operator": "GreaterThan", "threshold": 90, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This 
alert monitors container working set memory utilization.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Pods in failed state', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "phase", "operator": "Include", "values": [ "Failed" ] } ], "metricName": "podCount", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "Pod status monitoring.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Disk usage high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "host", "operator": "Include", "values": [ "*" ] }, { "name": "device", "operator": "Include", "values": [ "*" ] } ], "metricName": "DiskUsedPercentage", "metricNamespace": "Insights.Container/nodes", "name": "Metric1", "operator": "GreaterThan", "threshold": 80, "timeAggregation": 
"Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors disk usage for all nodes and storage devices.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Nodes in not ready state', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "status", "operator": "Include", "values": [ "NotReady" ] } ], "metricName": "nodesCount", "metricNamespace": "Insights.Container/nodes", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "Node status monitoring.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Containers getting OOM killed', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] }, { "name": "controllerName", "operator": 
"Include", "values": [ "*" ] } ], "metricName": "oomKilledContainerCount", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors the number of containers killed due to an out of memory (OOM) error.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Persistent volume usage high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "podName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetesNamespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "pvUsageExceededPercentage", "metricNamespace": "Insights.Container/persistentvolumes", "name": "Metric1", "operator": "GreaterThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors persistent volume utilization.", "enabled": false, "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Pods not in ready state', 
parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "PodReadyPercentage", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "LessThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors for an excessive number of pods not in the ready state.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Restarting container count', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] }, { "name": "controllerName", "operator": "Include", "values": [ "*" ] } ], "metricName": "restartingContainerCount", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors the number of containers restarting across the cluster.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ 
"[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "Microsoft.ContainerService/managedClusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Container CPU usage violates the configured threshold', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "description": "This alert monitors container CPU usage. It uses the threshold defined in the config map.", "severity": "[variables('alertSeverityNumber')]", "enabled": true, "scopes": [ "[variables('AksResourceId')]" ], "evaluationFrequency": "[parameters('evalFrequency')]", "windowSize": "[parameters('windowSize')]", "criteria": { "allOf": [ { "threshold": 0, "name": "Metric1", "metricNamespace": "Insights.Container/containers", "metricName": "cpuThresholdViolated", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "operator": "GreaterThan", "timeAggregation": "Average", "skipMetricValidation": true, "criterionType": "StaticThresholdCriterion" } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" } } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Container working set memory usage violates the configured threshold', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "description": "This alert monitors container working set memory usage. 
It uses the threshold defined in the config map.", "severity": "[variables('alertSeverityNumber')]", "enabled": "[parameters('metricAlertsEnabled')]", "scopes": [ "[variables('AksResourceId')]" ], "evaluationFrequency": "[parameters('evalFrequency')]", "windowSize": "[parameters('windowSize')]", "criteria": { "allOf": [ { "threshold": 0, "name": "Metric1", "metricNamespace": "Insights.Container/containers", "metricName": "memoryWorkingSetThresholdViolated", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "operator": "GreaterThan", "timeAggregation": "Average", "skipMetricValidation": true, "criterionType": "StaticThresholdCriterion" } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" } } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Persistent Volume usage violates the configured threshold', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "description": "This alert monitors Persistent Volume usage. 
It uses the threshold defined in the config map.", "severity": "[variables('alertSeverityNumber')]", "enabled": "[parameters('metricAlertsEnabled')]", "scopes": [ "[variables('AksResourceId')]" ], "evaluationFrequency": "[parameters('evalFrequency')]", "windowSize": "[parameters('windowSize')]", "criteria": { "allOf": [ { "threshold": 0, "name": "Metric1", "metricNamespace": "Insights.Container/persistentvolumes", "metricName": "pvUsageThresholdViolated", "dimensions": [ { "name": "podName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetesNamespace", "operator": "Include", "values": [ "*" ] } ], "operator": "GreaterThan", "timeAggregation": "Average", "skipMetricValidation": true, "criterionType": "StaticThresholdCriterion" } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" } } } ] } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", "name": "deploymentScript", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "clusterName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster')).outputs.name.value]" }, "primaryScriptUri": { "value": "[parameters('deploymentScriptUri')]" }, "resourceGroupName": { "value": "[resourceGroup().name]" }, "subscriptionId": { "value": "[subscription().subscriptionId]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.8.2.30886", "templateHash": "6109944372336254825" } }, "parameters": { "primaryScriptUri": { "type": "string", "metadata": { "description": "Specifies the primary script URI." 
} }, "clusterName": { "type": "string", "metadata": { "description": "Specifies the name of the AKS cluster." } }, "resourceGroupName": { "type": "string", "defaultValue": "[resourceGroup().name]", "metadata": { "description": "Specifies the resource group name." } }, "subscriptionId": { "type": "string", "defaultValue": "[subscription().subscriptionId]", "metadata": { "description": "Specifies the subscription ID." } }, "utcValue": { "type": "string", "defaultValue": "[utcNow()]", "metadata": { "description": "Specifies the current datetime." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "variables": { "clusterAdminRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]" }, "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2021-09-30-preview", "name": "scriptManagedIdentity", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-10-01-preview", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptManagedIdentity'), resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), variables('clusterAdminRoleDefinitionId'))]", "properties": { "roleDefinitionId": "[variables('clusterAdminRoleDefinitionId')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptManagedIdentity')).principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptManagedIdentity')]" ] }, { "type": "Microsoft.Resources/deploymentScripts", 
"apiVersion": "2020-10-01", "name": "bashScript", "location": "[parameters('location')]", "kind": "AzureCLI", "identity": { "type": "UserAssigned", "userAssignedIdentities": { "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptManagedIdentity'))]": {} } }, "properties": { "forceUpdateTag": "[parameters('utcValue')]", "azCliVersion": "2.37.0", "timeout": "PT30M", "environmentVariables": [ { "name": "clusterName", "value": "[parameters('clusterName')]" }, { "name": "resourceGroupName", "value": "[parameters('resourceGroupName')]" }, { "name": "subscriptionId", "value": "[parameters('subscriptionId')]" } ], "primaryScriptUri": "[parameters('primaryScriptUri')]", "cleanupPreference": "OnSuccess", "retentionInterval": "P1D" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptManagedIdentity')]" ] } ], "outputs": { "result": { "type": "object", "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', 'bashScript')).outputs]" }, "certManager": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', 'bashScript')).outputs.certManager]" }, "nginxIngressController": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', 'bashScript')).outputs.nginxIngressController]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]" ] } ] }