{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "37806133028583844" } }, "parameters": { "prefix": { "type": "string", "defaultValue": "[uniqueString(resourceGroup().id)]", "metadata": { "description": "Specifies the prefix for all the Azure resources." } }, "userId": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the object id of an Azure Active Directory user. In general, this the object id of the system administrator who deploys the Azure resources." } }, "letterCaseType": { "type": "string", "defaultValue": "UpperCamelCase", "allowedValues": [ "CamelCase", "UpperCamelCase", "KebabCase" ], "metadata": { "description": "Specifies whether name resources are in CamelCase, UpperCamelCase, or KebabCase." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location of the AKS cluster." } }, "aksClusterName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Aks', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Aks', toLower(parameters('prefix'))), format('{0}-aks', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the AKS cluster." } }, "createMetricAlerts": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether creating metric alerts or not." } }, "metricAlertsEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether metric alerts as either enabled or disabled." 
} }, "metricAlertsEvalFrequency": { "type": "string", "defaultValue": "PT1M", "metadata": { "description": "Specifies metric alerts eval frequency." } }, "metricAlertsWindowsSize": { "type": "string", "defaultValue": "PT1H", "metadata": { "description": "Specifies metric alerts window size." } }, "aksClusterDnsPrefix": { "type": "string", "defaultValue": "[parameters('aksClusterName')]", "metadata": { "description": "Specifies the DNS prefix specified when creating the managed cluster." } }, "aksClusterNetworkPlugin": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "kubenet" ], "metadata": { "description": "Specifies the network plugin used for building Kubernetes network. - azure or kubenet." } }, "aksClusterNetworkPluginMode": { "type": "string", "defaultValue": "", "allowedValues": [ "", "overlay" ], "metadata": { "description": "Specifies the Network plugin mode used for building the Kubernetes network." } }, "aksClusterNetworkPolicy": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "calico" ], "metadata": { "description": "Specifies the network policy used for building Kubernetes network. - calico or azure" } }, "aksClusterNetworkDataplane": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "cilium" ], "metadata": { "description": "Specifies the network dataplane used in the Kubernetes cluster.." } }, "aksClusterNetworkMode": { "type": "string", "defaultValue": "transparent", "allowedValues": [ "bridge", "transparent" ], "metadata": { "description": "Specifies the network mode. This cannot be specified if networkPlugin is anything other than azure." } }, "aksClusterPodCidr": { "type": "string", "defaultValue": "192.168.0.0/16", "metadata": { "description": "Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used." 
} }, "aksClusterServiceCidr": { "type": "string", "defaultValue": "172.16.0.0/16", "metadata": { "description": "A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges." } }, "aksClusterDnsServiceIP": { "type": "string", "defaultValue": "172.16.0.10", "metadata": { "description": "Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr." } }, "aksClusterLoadBalancerSku": { "type": "string", "defaultValue": "standard", "allowedValues": [ "basic", "standard" ], "metadata": { "description": "Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools." } }, "aksClusterMonitoringEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether Network Observability is enabled or not. When enabled, network monitoring generates metrics in Prometheus format." } }, "aksClusterIpFamilies": { "type": "array", "defaultValue": [ "IPv4" ], "metadata": { "description": "Specifies the IP families used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6." } }, "aksClusterOutboundType": { "type": "string", "defaultValue": "loadBalancer", "allowedValues": [ "loadBalancer", "managedNATGateway", "userAssignedNATGateway", "userDefinedRouting" ], "metadata": { "description": "Specifies the outbound (egress) routing method: loadBalancer, managedNATGateway, userAssignedNATGateway, or userDefinedRouting." } }, "aksClusterSkuTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Free", "Standard", "Premium" ], "metadata": { "description": "Specifies the tier of the managed cluster SKU: Free, Standard, or Premium." } }, "aksClusterKubernetesVersion": { "type": "string", "defaultValue": "1.18.8", "metadata": { "description": "Specifies the version of Kubernetes used when creating the managed cluster. The default value (1.18.8) is a very old release that falls outside the AKS supported-version window and no longer receives upstream security fixes; override it with a currently supported version before deploying." 
} }, "aksClusterAdminUsername": { "type": "string", "defaultValue": "azureuser", "metadata": { "description": "Specifies the administrator username of Linux virtual machines." } }, "aksClusterSshPublicKey": { "type": "string", "metadata": { "description": "Specifies the SSH RSA public key string for the Linux nodes. Only the public key is required; keep the corresponding private key out of the template and parameter files." } }, "aadProfileTenantId": { "type": "string", "defaultValue": "[subscription().tenantId]", "metadata": { "description": "Specifies the tenant id of the Azure Active Directory used by the AKS cluster for authentication." } }, "aadProfileAdminGroupObjectIDs": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the AAD group object IDs that will have the admin role on the cluster. If left empty (the default), no AAD group is granted cluster admin through this profile, so make sure administrators are granted access another way (for example, Azure RBAC role assignments)." } }, "aksClusterNodeOSUpgradeChannel": { "type": "string", "defaultValue": "Unmanaged", "allowedValues": [ "NodeImage", "None", "SecurityPatch", "Unmanaged" ], "metadata": { "description": "Specifies the node OS upgrade channel. The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA." } }, "aksClusterUpgradeChannel": { "type": "string", "defaultValue": "stable", "allowedValues": [ "rapid", "stable", "patch", "node-image", "none" ], "metadata": { "description": "Specifies the upgrade channel for auto upgrade. Allowed values include rapid, stable, patch, node-image, none." } }, "aksClusterEnablePrivateCluster": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create the cluster as a private cluster or not." } }, "aksClusterWebAppRoutingEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the managed NGINX Ingress Controller application routing addon is enabled." } }, "aksPrivateDNSZone": { "type": "string", "defaultValue": "none", "metadata": { "description": "Specifies the Private DNS Zone mode for private cluster. 
When the value is none (the default), a public DNS zone is used in place of a private DNS zone, so the API server name is published in public DNS." } }, "aksEnablePrivateClusterPublicFQDN": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create an additional public FQDN for the private cluster. When true (the default), the API server name is resolvable from public DNS; set it to false if the cluster's API server name must not be discoverable outside the virtual network." } }, "aadProfileManaged": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable managed AAD integration." } }, "aadProfileEnableAzureRBAC": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable Azure RBAC for Kubernetes authorization." } }, "systemAgentPoolName": { "type": "string", "defaultValue": "nodepool1", "metadata": { "description": "Specifies the unique name of the system node pool profile in the context of the subscription and resource group." } }, "systemAgentPoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the vm size of nodes in the system node pool." } }, "systemAgentPoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the OS Disk Size in GB to be used to specify the disk size for every machine in the system agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." } }, "systemAgentPoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "allowedValues": [ "Ephemeral", "Managed" ], "metadata": { "description": "Specifies the OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. 
- Managed or Ephemeral" } }, "systemAgentPoolAgentCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of agents (VMs) to host containers in the system node pool. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 3." } }, "systemAgentPoolOsType": { "type": "string", "defaultValue": "Linux", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS type for the vms in the system node pool. Choose from Linux and Windows. Default to Linux." } }, "systemAgentPoolOsSKU": { "type": "string", "defaultValue": "Ubuntu", "allowedValues": [ "Ubuntu", "Windows2019", "Windows2022", "AzureLinux" ], "metadata": { "description": "Specifies the OS SKU used by the system agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated." } }, "systemAgentPoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods that can run on a node in the system node pool. The maximum number of pods per node in an AKS cluster is 250. The default maximum number of pods per node varies between kubenet and Azure CNI networking, and the method of cluster deployment." } }, "systemAgentPoolMaxCount": { "type": "int", "defaultValue": 5, "metadata": { "description": "Specifies the maximum number of nodes for auto-scaling for the system node pool." } }, "systemAgentPoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for auto-scaling for the system node pool." } }, "systemAgentPoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the system node pool." 
} }, "systemAgentPoolScaleSetPriority": { "type": "string", "defaultValue": "Regular", "allowedValues": [ "Spot", "Regular" ], "metadata": { "description": "Specifies the virtual machine scale set priority in the system node pool: Spot or Regular." } }, "systemAgentPoolScaleSetEvictionPolicy": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the ScaleSetEvictionPolicy to be used to specify eviction policy for spot virtual machine scale set. Default to Delete. Allowed values are Delete or Deallocate." } }, "systemAgentPoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the Agent pool node labels to be persisted across all nodes in the system node pool." } }, "systemAgentPoolNodeTaints": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." } }, "systemAgentPoolKubeletDiskType": { "type": "string", "defaultValue": "OS", "allowedValues": [ "OS", "Temporary" ], "metadata": { "description": "Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." } }, "systemAgentPoolType": { "type": "string", "defaultValue": "VirtualMachineScaleSets", "allowedValues": [ "VirtualMachineScaleSets", "AvailabilitySet" ], "metadata": { "description": "Specifies the type for the system node pool: VirtualMachineScaleSets or AvailabilitySet" } }, "systemAgentPoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent nodes in the system node pool. Requires the use of VirtualMachineScaleSets as node pool type." 
} }, "userAgentPoolName": { "type": "string", "defaultValue": "nodepool1", "metadata": { "description": "Specifies the unique name of the user node pool profile in the context of the subscription and resource group. It must differ from the system node pool name; both parameters default to nodepool1, so override at least one of them." } }, "userAgentPoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the vm size of nodes in the user node pool." } }, "userAgentPoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the OS Disk Size in GB to be used to specify the disk size for every machine in the user agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." } }, "userAgentPoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "allowedValues": [ "Ephemeral", "Managed" ], "metadata": { "description": "Specifies the OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. - Managed or Ephemeral" } }, "userAgentPoolAgentCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of agents (VMs) to host containers in the user node pool. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 3." } }, "userAgentPoolOsType": { "type": "string", "defaultValue": "Linux", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS type for the vms in the user node pool. Choose from Linux and Windows. Default to Linux." } }, "userAgentPoolOsSKU": { "type": "string", "defaultValue": "Ubuntu", "allowedValues": [ "Ubuntu", "Windows2019", "Windows2022", "AzureLinux" ], "metadata": { "description": "Specifies the OS SKU used by the user agent pool. 
If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated." } }, "userAgentPoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods that can run on a node in the user node pool. The maximum number of pods per node in an AKS cluster is 250. The default maximum number of pods per node varies between kubenet and Azure CNI networking, and the method of cluster deployment." } }, "userAgentPoolMaxCount": { "type": "int", "defaultValue": 5, "metadata": { "description": "Specifies the maximum number of nodes for auto-scaling for the user node pool." } }, "userAgentPoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for auto-scaling for the user node pool." } }, "userAgentPoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the user node pool." } }, "userAgentPoolScaleSetPriority": { "type": "string", "defaultValue": "Regular", "allowedValues": [ "Spot", "Regular" ], "metadata": { "description": "Specifies the virtual machine scale set priority in the user node pool: Spot or Regular." } }, "userAgentPoolScaleSetEvictionPolicy": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the ScaleSetEvictionPolicy to be used to specify eviction policy for spot virtual machine scale set. Default to Delete. Allowed values are Delete or Deallocate." } }, "userAgentPoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the Agent pool node labels to be persisted across all nodes in the user node pool." 
} }, "userAgentPoolNodeTaints": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." } }, "userAgentPoolKubeletDiskType": { "type": "string", "defaultValue": "OS", "allowedValues": [ "OS", "Temporary" ], "metadata": { "description": "Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." } }, "userAgentPoolType": { "type": "string", "defaultValue": "VirtualMachineScaleSets", "allowedValues": [ "VirtualMachineScaleSets", "AvailabilitySet" ], "metadata": { "description": "Specifies the type for the user node pool: VirtualMachineScaleSets or AvailabilitySet" } }, "userAgentPoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent nodes in the user node pool. Requires the use of VirtualMachineScaleSets as node pool type." } }, "httpApplicationRoutingEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the httpApplicationRouting add-on is enabled or not." } }, "istioServiceMeshEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Istio Service Mesh add-on is enabled or not." } }, "istioIngressGatewayEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Istio Ingress Gateway is enabled or not." } }, "istioIngressGatewayType": { "type": "string", "defaultValue": "External", "allowedValues": [ "Internal", "External" ], "metadata": { "description": "Specifies the type of the Istio Ingress Gateway." } }, "kedaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Kubernetes Event-Driven Autoscaler (KEDA) add-on is enabled or not." 
} }, "daprEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Dapr extension is enabled or not." } }, "daprHaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable high availability (HA) mode for the Dapr control plane" } }, "fluxGitOpsEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Flux V2 extension is enabled or not." } }, "verticalPodAutoscalerEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Vertical Pod Autoscaler is enabled or not." } }, "aciConnectorLinuxEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the aciConnectorLinux add-on is enabled or not." } }, "azurePolicyEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the azurepolicy add-on is enabled or not." } }, "azureKeyvaultSecretsProviderEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault Provider for Secrets Store CSI Driver addon is enabled or not." } }, "kubeDashboardEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the kubeDashboard add-on is enabled or not." } }, "podIdentityProfileEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the pod identity addon is enabled.." } }, "autoScalerProfileScanInterval": { "type": "string", "defaultValue": "10s", "metadata": { "description": "Specifies the scan interval of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterAdd": { "type": "string", "defaultValue": "10m", "metadata": { "description": "Specifies the scale down delay after add of the auto-scaler of the AKS cluster." 
} }, "autoScalerProfileScaleDownDelayAfterDelete": { "type": "string", "defaultValue": "20s", "metadata": { "description": "Specifies the scale down delay after delete of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterFailure": { "type": "string", "defaultValue": "3m", "metadata": { "description": "Specifies scale down delay after failure of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownUnneededTime": { "type": "string", "defaultValue": "10m", "metadata": { "description": "Specifies the scale down unneeded time of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownUnreadyTime": { "type": "string", "defaultValue": "20m", "metadata": { "description": "Specifies the scale down unready time of the auto-scaler of the AKS cluster." } }, "autoScalerProfileUtilizationThreshold": { "type": "string", "defaultValue": "0.5", "metadata": { "description": "Specifies the utilization threshold of the auto-scaler of the AKS cluster." } }, "autoScalerProfileMaxGracefulTerminationSec": { "type": "string", "defaultValue": "600", "metadata": { "description": "Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster." } }, "enableVnetIntegration": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable API server VNET integration for the cluster or not." } }, "virtualNetworkName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Vnet', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Vnet', toLower(parameters('prefix'))), format('{0}-vnet', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the virtual network." 
} }, "virtualNetworkAddressPrefixes": { "type": "string", "defaultValue": "10.0.0.0/8", "metadata": { "description": "Specifies the address prefixes of the virtual network." } }, "systemAgentPoolSubnetName": { "type": "string", "defaultValue": "SystemSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the default system agent pool of the AKS cluster." } }, "systemAgentPoolSubnetAddressPrefix": { "type": "string", "defaultValue": "10.0.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the worker nodes of the default system agent pool of the AKS cluster." } }, "userAgentPoolSubnetName": { "type": "string", "defaultValue": "UserSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the user agent pool of the AKS cluster." } }, "userAgentPoolSubnetAddressPrefix": { "type": "string", "defaultValue": "10.1.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the worker nodes of the user agent pool of the AKS cluster." } }, "blobCSIDriverEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable the Azure Blob CSI Driver. The default value is false." } }, "diskCSIDriverEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable the Azure Disk CSI Driver. The default value is true." } }, "fileCSIDriverEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable the Azure File CSI Driver. The default value is true." } }, "snapshotControllerEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable the Snapshot Controller. The default value is true." } }, "defenderSecurityMonitoringEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable Defender threat detection. 
The default value is false." } }, "imageCleanerEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable ImageCleaner on AKS cluster. The default value is false." } }, "imageCleanerIntervalHours": { "type": "int", "defaultValue": 24, "metadata": { "description": "Specifies the ImageCleaner scanning interval in hours." } }, "nodeRestrictionEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable Node Restriction, which limits what a node's kubelet may modify on its own Node and Pod objects. The default value is false." } }, "workloadIdentityEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable Workload Identity. The default value is true." } }, "oidcIssuerProfileEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the OIDC issuer is enabled. Workload Identity relies on the OIDC issuer, so keep this enabled when workloadIdentityEnabled is true." } }, "podSubnetName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'PodSubnet', if(equals(parameters('letterCaseType'), 'CamelCase'), 'podSubnet', 'pod-subnet'))]", "metadata": { "description": "Specifies the name of the subnet hosting the pods running in the AKS cluster." } }, "podSubnetAddressPrefix": { "type": "string", "defaultValue": "10.2.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the pods running in the AKS cluster." } }, "apiServerSubnetName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'ApiServerSubnet', if(equals(parameters('letterCaseType'), 'CamelCase'), 'apiServerSubnet', 'api-server-subnet'))]", "metadata": { "description": "Specifies the name of the subnet delegated to the API server when configuring the AKS cluster to use API server VNET integration." 
} }, "apiServerSubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.0.0/28", "metadata": { "description": "Specifies the address prefix of the subnet delegated to the API server when configuring the AKS cluster to use API server VNET integration." } }, "vmSubnetName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'VmSubnet', if(equals(parameters('letterCaseType'), 'CamelCase'), 'vmSubnet', 'vm-subnet'))]", "metadata": { "description": "Specifies the name of the subnet which contains the virtual machine." } }, "vmSubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.1.0/24", "metadata": { "description": "Specifies the address prefix of the subnet which contains the virtual machine." } }, "bastionSubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.2.0/24", "metadata": { "description": "Specifies the Bastion subnet IP prefix. This prefix must be within vnet IP prefix address space." } }, "logAnalyticsWorkspaceName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Workspace', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Workspace', toLower(parameters('prefix'))), format('{0}-workspace', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Log Analytics Workspace." } }, "logAnalyticsSku": { "type": "string", "defaultValue": "PerNode", "allowedValues": [ "Free", "Standalone", "PerNode", "PerGB2018" ], "metadata": { "description": "Specifies the service tier of the workspace: Free, Standalone, PerNode, Per-GB." } }, "logAnalyticsRetentionInDays": { "type": "int", "defaultValue": 60, "metadata": { "description": "Specifies the workspace data retention in days. -1 means Unlimited retention for the Unlimited Sku. 
730 days is the maximum allowed for all other Skus." } }, "vmEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create a jumpbox virtual machine in the AKS cluster virtual network." } }, "vmName": { "type": "string", "defaultValue": "TestVm", "metadata": { "description": "Specifies the name of the virtual machine." } }, "vmSize": { "type": "string", "defaultValue": "Standard_DS3_v2", "metadata": { "description": "Specifies the size of the virtual machine." } }, "imagePublisher": { "type": "string", "defaultValue": "Canonical", "metadata": { "description": "Specifies the image publisher of the disk image used to create the virtual machine." } }, "imageOffer": { "type": "string", "defaultValue": "0001-com-ubuntu-server-jammy", "metadata": { "description": "Specifies the offer of the platform image or marketplace image used to create the virtual machine." } }, "imageSku": { "type": "string", "defaultValue": "22_04-lts-gen2", "metadata": { "description": "Specifies the Ubuntu version for the VM. This will pick a fully patched image of this given Ubuntu version." } }, "authenticationType": { "type": "string", "defaultValue": "password", "allowedValues": [ "sshPublicKey", "password" ], "metadata": { "description": "Specifies the type of authentication when accessing the Virtual Machine. SSH key is recommended; note that the default is password, so set this parameter to sshPublicKey explicitly for anything beyond a throwaway test deployment." } }, "vmAdminUsername": { "type": "string", "metadata": { "description": "Specifies the name of the administrator account of the virtual machine." } }, "vmAdminPasswordOrKey": { "type": "securestring", "metadata": { "description": "Specifies the SSH Key or password for the virtual machine. SSH key is recommended. Supply this value at deployment time from a secure source (for example, a Key Vault reference); never commit it to a parameters file." } }, "diskStorageAccountType": { "type": "string", "defaultValue": "Premium_LRS", "allowedValues": [ "Premium_LRS", "StandardSSD_LRS", "Standard_LRS", "UltraSSD_LRS" ], "metadata": { "description": "Specifies the storage account type for OS and data disk." 
} }, "numDataDisks": { "type": "int", "defaultValue": 1, "minValue": 0, "maxValue": 64, "metadata": { "description": "Specifies the number of data disks of the virtual machine." } }, "osDiskSize": { "type": "int", "defaultValue": 50, "metadata": { "description": "Specifies the size in GB of the OS disk of the VM." } }, "dataDiskSize": { "type": "int", "defaultValue": 50, "metadata": { "description": "Specifies the size in GB of each data disk of the virtual machine." } }, "dataDiskCaching": { "type": "string", "defaultValue": "ReadWrite", "metadata": { "description": "Specifies the caching requirements for the data disks." } }, "blobStorageAccountName": { "type": "string", "defaultValue": "[format('{0}{1}', toLower(parameters('prefix')), uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the globally unique name for the storage account used to store the boot diagnostics logs of the virtual machine." } }, "blobStorageAccountPrivateEndpointName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'BlobStorageAccountPrivateEndpoint', if(equals(parameters('letterCaseType'), 'CamelCase'), 'blobStorageAccountPrivateEndpoint', 'blob-storage-account-private-endpoint'))]", "metadata": { "description": "Specifies the name of the private link to the boot diagnostics storage account." } }, "acrPrivateEndpointName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'AcrPrivateEndpoint', if(equals(parameters('letterCaseType'), 'CamelCase'), 'acrPrivateEndpoint', 'acr-private-endpoint'))]", "metadata": { "description": "Specifies the name of the private link to the Azure Container Registry." 
} }, "acrName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Acr', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Acr', toLower(parameters('prefix'))), format('{0}-acr', toLower(parameters('prefix')))))]", "minLength": 5, "maxLength": 50, "metadata": { "description": "Specifies the name of the Azure Container Registry. Registry names must be alphanumeric, so the KebabCase default ('<prefix>-acr') is not a valid registry name and must be overridden." } }, "acrAdminUserEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable the registry admin user, a single shared account with push and pull permission to the whole registry. Leave it disabled (the default) and use Azure AD identities with RBAC instead; enabling it is only appropriate for testing." } }, "acrSku": { "type": "string", "defaultValue": "Premium", "allowedValues": [ "Basic", "Standard", "Premium" ], "metadata": { "description": "Specifies the tier of the Azure Container Registry. Premium is required for the registry private endpoint this template creates." } }, "bastionHostEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether Azure Bastion should be created." } }, "bastionHostName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Bastion', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Bastion', toLower(parameters('prefix'))), format('{0}-bastion', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure Bastion resource." 
} }, "natGatewayName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}NatGateway', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}NatGateway', toLower(parameters('prefix'))), format('{0}-nat-gateway', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure NAT Gateway." } }, "natGatewayZones": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies a list of availability zones denoting the zone in which Nat Gateway should be deployed." } }, "natGatewayPublicIps": { "type": "int", "defaultValue": 1, "metadata": { "description": "Specifies the number of Public IPs to create for the Azure NAT Gateway." } }, "natGatewayIdleTimeoutMins": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the idle timeout in minutes for the Azure NAT Gateway." } }, "keyVaultPrivateEndpointName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'KeyVaultPrivateEndpoint', if(equals(parameters('letterCaseType'), 'CamelCase'), 'keyVaultPrivateEndpoint', 'key-vault-private-endpoint'))]", "metadata": { "description": "Specifies the name of the private link to the Key Vault." } }, "keyVaultName": { "type": "string", "metadata": { "description": "Specifies the name of an existing Key Vault resource holding the TLS certificate." } }, "keyVaultResourceGroupName": { "type": "string", "metadata": { "description": "Specifies the name of the resource group that contains the existing Key Vault resource." } }, "keyVaultCertificateName": { "type": "string", "metadata": { "description": "Specifies the name of the existing TLS certificate." 
} }, "frontDoorName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}FrontDoor', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}FrontDoor', toLower(parameters('prefix'))), format('{0}-front-door', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure Front Door." } }, "frontDoorSkuName": { "type": "string", "defaultValue": "Premium_AzureFrontDoor", "allowedValues": [ "Standard_AzureFrontDoor", "Premium_AzureFrontDoor" ], "metadata": { "description": "The name of the SKU to use when creating the Front Door profile." } }, "originResponseTimeoutSeconds": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the send and receive timeout on forwarding request to the origin. When timeout is reached, the request fails and returns." } }, "originGroupName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}OriginGroup', parameters('frontDoorName')), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}OriginGroup', parameters('frontDoorName')), format('{0}-origin-group', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure Front Door Origin Group for the web application." } }, "originName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}Origin', parameters('frontDoorName')), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Origin', parameters('frontDoorName')), format('{0}-origin', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure Front Door Origin for the web application." 
} }, "httpPort": { "type": "int", "defaultValue": 80, "metadata": { "description": "Specifies the value of the HTTP port. Must be between 1 and 65535 (the template does not enforce this range)." } }, "httpsPort": { "type": "int", "defaultValue": 443, "metadata": { "description": "Specifies the value of the HTTPS port. Must be between 1 and 65535 (the template does not enforce this range)." } }, "priority": { "type": "int", "defaultValue": 1, "minValue": 1, "maxValue": 5, "metadata": { "description": "Specifies the priority of the origin in the given origin group for load balancing. Higher priorities will not be used for load balancing if any lower priority origin is healthy. Must be between 1 and 5." } }, "weight": { "type": "int", "defaultValue": 1000, "minValue": 1, "maxValue": 1000, "metadata": { "description": "Specifies the weight of the origin in a given origin group for load balancing. Must be between 1 and 1000." } }, "originEnabledState": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether this origin is enabled. Permitted values are Enabled or Disabled." } }, "sampleSize": { "type": "int", "defaultValue": 4, "metadata": { "description": "Specifies the number of samples to consider for load balancing decisions." } }, "successfulSamplesRequired": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of samples within the sample period that must succeed." } }, "additionalLatencyInMilliseconds": { "type": "int", "defaultValue": 50, "metadata": { "description": "Specifies the additional latency in milliseconds for probes to fall into the lowest latency bucket." } }, "probePath": { "type": "string", "defaultValue": "/", "metadata": { "description": "Specifies the path relative to the origin that is used to determine the health of the origin." 
} }, "probeRequestType": { "type": "string", "defaultValue": "GET", "allowedValues": [ "GET", "HEAD", "NotSet" ], "metadata": { "description": "Specifies the health probe request type." } }, "probeProtocol": { "type": "string", "defaultValue": "Http", "allowedValues": [ "Http", "Https", "NotSet" ], "metadata": { "description": "Specifies the health probe protocol. The default is Http, so probes are sent in clear text even though forwardingProtocol defaults to HttpsOnly; set this to Https when the origin should only be reached over TLS." } }, "probeIntervalInSeconds": { "type": "int", "defaultValue": 60, "metadata": { "description": "Specifies the number of seconds between health probes. Default is 60 seconds." } }, "sessionAffinityState": { "type": "string", "defaultValue": "Disabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether to allow session affinity on this host. Valid options are Enabled or Disabled." } }, "autoGeneratedDomainNameLabelScope": { "type": "string", "defaultValue": "TenantReuse", "allowedValues": [ "NoReuse", "ResourceGroupReuse", "SubscriptionReuse", "TenantReuse" ], "metadata": { "description": "Specifies the endpoint name reuse scope. The default value is TenantReuse." } }, "routeName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}Route', parameters('frontDoorName')), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Route', parameters('frontDoorName')), format('{0}-route', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure Front Door Route for the web application." } }, "originPath": { "type": "string", "defaultValue": "/", "metadata": { "description": "Specifies a directory path on the origin that Azure Front Door can use to retrieve content from, e.g. contoso.cloudapp.net/originpath." } }, "ruleSets": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the rule sets referenced by this endpoint." 
} }, "supportedProtocols": { "type": "array", "defaultValue": [ "Http", "Https" ], "metadata": { "description": "Specifies the list of supported protocols for this route" } }, "routePatternsToMatch": { "type": "array", "defaultValue": [ "/*" ], "metadata": { "description": "Specifies the route patterns of the rule." } }, "forwardingProtocol": { "type": "string", "defaultValue": "HttpsOnly", "allowedValues": [ "HttpOnly", "HttpsOnly", "MatchRequest" ], "metadata": { "description": "Specifies the protocol this rule will use when forwarding traffic to backends." } }, "linkToDefaultDomain": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether this route will be linked to the default endpoint domain." } }, "httpsRedirect": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether to automatically redirect HTTP traffic to HTTPS traffic. Note that this is a easy way to set up this rule and it will be the first rule that gets executed." } }, "endpointName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}Endpoint', parameters('frontDoorName')), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Endpoint', parameters('frontDoorName')), format('{0}-endpoint', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure Front Door Endpoint for the web application." } }, "endpointEnabledState": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether to enable use of this rule. 
Permitted values are Enabled or Disabled" } }, "wafPolicyName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}WafPolicy', parameters('frontDoorName')), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}WafPolicy', parameters('frontDoorName')), format('{0}-waf-policy', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure Front Door WAF policy." } }, "wafPolicyMode": { "type": "string", "defaultValue": "Prevention", "allowedValues": [ "Detection", "Prevention" ], "metadata": { "description": "Specifies whether the WAF policy is in detection mode or prevention mode." } }, "wafPolicyEnabledState": { "type": "string", "defaultValue": "Enabled", "metadata": { "description": "Specifies if the policy is in enabled or disabled state. Defaults to Enabled if not specified. Permitted values are Enabled or Disabled (not restricted by allowedValues)." } }, "wafManagedRuleSets": { "type": "array", "defaultValue": [ { "ruleSetType": "Microsoft_DefaultRuleSet", "ruleSetVersion": "1.1" }, { "ruleSetType": "Microsoft_BotManagerRuleSet", "ruleSetVersion": "1.0" } ], "metadata": { "description": "Specifies the list of managed rule sets to configure on the WAF. Review the ruleSetVersion values against the currently supported versions before deploying, since the defaults are not necessarily the latest." } }, "wafCustomRules": { "type": "array", "defaultValue": [ { "name": "BlockTrafficFromIPRanges", "priority": 100, "enabledState": "Enabled", "ruleType": "MatchRule", "action": "Block", "matchConditions": [ { "matchVariable": "RemoteAddr", "operator": "IPMatch", "matchValue": [ "198.0.100.100", "203.0.0.0/24" ] } ] }, { "name": "Blockme", "enabledState": "Enabled", "priority": 200, "ruleType": "MatchRule", "rateLimitDurationInMinutes": 1, "rateLimitThreshold": 100, "matchConditions": [ { "matchVariable": "QueryString", "operator": "Contains", "negateCondition": false, "matchValue": [ "blockme" ], "transforms": [ "Lowercase" ] } ], "action": "Block" } ], "metadata": { "description": "Specifies the list of custom rules to configure on the WAF. The default rules are samples: the addresses in BlockTrafficFromIPRanges are placeholders to replace with your own deny list, and the rateLimitDurationInMinutes/rateLimitThreshold fields on the Blockme rule have no effect because its ruleType is MatchRule (rate limiting requires ruleType RateLimitRule)." 
} }, "wafPolicyRequestBodyCheck": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies if the WAF policy managed rules will inspect the request body content." } }, "securityPolicyName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}SecurityPolicy', parameters('frontDoorName')), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}SecurityPolicy', parameters('frontDoorName')), format('{0}-security-policy', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies name of the security policy." } }, "securityPolicyPatternsToMatch": { "type": "array", "defaultValue": [ "/*" ], "metadata": { "description": "Specifies the list of patterns to match by the security policy." } }, "privateLinkServiceName": { "type": "string", "defaultValue": "[if(empty(parameters('prefix')), format('{0}-private-link-service', uniqueString(resourceGroup().id)), format('{0}PrivateLinkService', parameters('prefix')))]", "metadata": { "description": "Specifies the name of the Azure Private Link Service." } }, "tags": { "type": "object", "defaultValue": { "IaC": "Bicep" }, "metadata": { "description": "Specifies the resource tags." } }, "clusterTags": { "type": "object", "defaultValue": { "IaC": "Bicep", "ApiServerVnetIntegration": true }, "metadata": { "description": "Specifies the resource tags." } }, "actionGroupName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}ActionGroup', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}ActionGroup', toLower(parameters('prefix'))), format('{0}-action-group', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Action Group." 
} }, "actionGroupShortName": { "type": "string", "defaultValue": "AksAlerts", "metadata": { "description": "Specifies the short name of the action group. This will be used in SMS messages." } }, "actionGroupEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications." } }, "actionGroupEmailAddress": { "type": "string", "metadata": { "description": "Specifies the email address of the receiver." } }, "actionGroupUseCommonAlertSchema": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to use the common alert schema." } }, "actionGroupCountryCode": { "type": "string", "defaultValue": "39", "metadata": { "description": "Specifies the country code of the SMS receiver." } }, "actionGroupPhoneNumber": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the phone number of the SMS receiver." } }, "metricAnnotationsAllowList": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies a comma-separated list of additional Kubernetes annotation keys that will be used in the resource annotations metric." } }, "metricLabelsAllowlist": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies a comma-separated list of additional Kubernetes label keys that will be used in the resource labels metric." 
} }, "prometheusName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Prometheus', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Prometheus', toLower(parameters('prefix'))), format('{0}-prometheus', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure Monitor managed service for Prometheus resource." } }, "prometheusPublicNetworkAccess": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether or not public endpoint access is allowed for the Azure Monitor managed service for Prometheus resource." } }, "grafanaName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Grafana', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Grafana', toLower(parameters('prefix'))), format('{0}-grafana', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure Managed Grafana resource." } }, "grafanaSkuName": { "type": "string", "defaultValue": "Standard", "metadata": { "description": "Specifies the sku of the Azure Managed Grafana resource." } }, "grafanaApiKey": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "Specifies the api key setting of the Azure Managed Grafana resource." } }, "grafanaAutoGeneratedDomainNameLabelScope": { "type": "string", "defaultValue": "TenantReuse", "allowedValues": [ "TenantReuse" ], "metadata": { "description": "Specifies the scope for dns deterministic name hash calculation." 
} }, "grafanaDeterministicOutboundIP": { "type": "string", "defaultValue": "Disabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "Specifies whether the Azure Managed Grafana resource uses deterministic outbound IPs." } }, "grafanaPublicNetworkAccess": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "Specifies whether traffic over the public interface is enabled or disabled for the Azure Managed Grafana resource. Defaults to Enabled." } }, "grafanaZoneRedundancy": { "type": "string", "defaultValue": "Disabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "The zone redundancy setting of the Azure Managed Grafana resource." } }, "secretProviderClassName": { "type": "string", "defaultValue": "azure-tls", "metadata": { "description": "Specifies the secret provider class name that reads the certificate from key vault and creates a TLS secret in the Kubernetes cluster." } }, "secretName": { "type": "string", "defaultValue": "ingress-tls-csi", "metadata": { "description": "Specifies the name of the Kubernetes secret containing the TLS certificate." } }, "namespace": { "type": "string", "defaultValue": "httpbin-tls", "metadata": { "description": "Specifies the namespace of the application." } }, "tenantId": { "type": "string", "defaultValue": "[subscription().tenantId]", "metadata": { "description": "Specifies the tenant id." } }, "email": { "type": "string", "defaultValue": "admin@contoso.com", "metadata": { "description": "Specifies the email address for the cert-manager cluster issuer. The default is a placeholder and should be replaced with a monitored address." 
} }, "deploymentScripName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}BashScript', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}BashScript', toLower(parameters('prefix'))), format('{0}-bash-script', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the deployment script resource." } }, "deploymentScriptUri": { "type": "string", "metadata": { "description": "Specifies the URI of the deployment script. The script is downloaded and executed at deployment time, so point this at a trusted, immutable location (for example a commit-pinned URL) rather than a mutable branch or 'latest' reference." } }, "publicDnsZoneName": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the name of the public DNS zone used by the managed NGINX Ingress Controller, when enabled." } }, "publicDnsZoneResourceGroupName": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the resource group name of the public DNS zone used by the managed NGINX Ingress Controller, when enabled." } }, "subdomain": { "type": "string", "metadata": { "description": "Specifies the subdomain of the workload." } }, "dnsZoneName": { "type": "string", "metadata": { "description": "Specifies the name of an existing public DNS zone." } }, "dnsZoneResourceGroupName": { "type": "string", "metadata": { "description": "Specifies the name of the resource group which contains the public DNS zone." } }, "cnameRecordTtl": { "type": "int", "defaultValue": 3600, "metadata": { "description": "Specifies the time-to-live (TTL) value for the CNAME record." 
} } }, "variables": { "loadBalancerName": "kubernetes-internal", "hostName": "[format('{0}.{1}', parameters('subdomain'), parameters('dnsZoneName'))]" }, "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "keyVault", "resourceGroup": "[parameters('keyVaultResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('keyVaultName')]" }, "objectId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.azureKeyvaultSecretsProviderIdentity.value.objectId]" }, "azureKeyvaultSecretsProviderEnabled": { "value": "[parameters('azureKeyvaultSecretsProviderEnabled')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "8485741661963293260" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of an existing Key Vault resource holding the TLS certificate." } }, "objectId": { "type": "string", "metadata": { "description": "Specifies the object id of the Key Vault CSI Driver user-assigned managed identity. This module assigns it role definition 00482a5a-887f-4fb3-b363-3b7fe8e74483 (the built-in Key Vault Administrator role) on the whole vault, which grants full data-plane access to every key, secret and certificate. Reading a TLS certificate through the CSI driver only needs Key Vault Secrets User (or Key Vault Certificate User), so scope this assignment down before production use." } }, "azureKeyvaultSecretsProviderEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault Provider for Secrets Store CSI Driver addon is enabled or not." 
} } }, "resources": [ { "condition": "[parameters('azureKeyvaultSecretsProviderEnabled')]", "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]", "name": "[guid(resourceId('Microsoft.KeyVault/vaults', parameters('name')), 'CSIDriver', subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483'), parameters('objectId'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483')]", "principalType": "ServicePrincipal", "principalId": "[parameters('objectId')]" } } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "workspace", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('logAnalyticsWorkspaceName')]" }, "location": { "value": "[parameters('location')]" }, "sku": { "value": "[parameters('logAnalyticsSku')]" }, "retentionInDays": { "value": "[parameters('logAnalyticsRetentionInDays')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "4692046097321326756" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of the Log Analytics workspace." 
} }, "sku": { "type": "string", "defaultValue": "PerNode", "allowedValues": [ "Free", "Standalone", "PerNode", "PerGB2018" ], "metadata": { "description": "Specifies the service tier of the workspace: Free, Standalone, PerNode, Per-GB." } }, "retentionInDays": { "type": "int", "defaultValue": 60, "metadata": { "description": "Specifies the workspace data retention in days. -1 means Unlimited retention for the Unlimited Sku. 730 days is the maximum allowed for all other Skus." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "resources": [ { "type": "Microsoft.OperationalInsights/workspaces", "apiVersion": "2022-10-01", "name": "[parameters('name')]", "tags": "[parameters('tags')]", "location": "[parameters('location')]", "properties": { "sku": { "name": "[parameters('sku')]" }, "retentionInDays": "[parameters('retentionInDays')]" } } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" }, "customerId": { "type": "string", "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('name')), '2022-10-01').customerId]" } } } } }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "containerRegistry", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('acrName')]" }, "sku": { "value": "[parameters('acrSku')]" }, "adminUserEnabled": { "value": "[parameters('acrAdminUserEnabled')]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": 
"[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "2339752074469508400" } }, "parameters": { "name": { "type": "string", "defaultValue": "[format('acr{0}', uniqueString(resourceGroup().id))]", "minLength": 5, "maxLength": 50, "metadata": { "description": "Specifies the name of the Azure Container Registry. Note that the registry resource in this module only sets adminUserEnabled; publicNetworkAccess and network rules are left at service defaults even when a private endpoint is created for the registry." } }, "adminUserEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable the registry admin user, a single shared account with push and pull permission to the whole registry. Leave it disabled (the default) and use Azure AD identities with RBAC instead." } }, "sku": { "type": "string", "defaultValue": "Premium", "allowedValues": [ "Basic", "Standard", "Premium" ], "metadata": { "description": "Specifies the tier of the Azure Container Registry." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} } }, "variables": { "copy": [ { "name": "logs", "count": "[length(variables('logCategories'))]", "input": { "category": "[variables('logCategories')[copyIndex('logs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "metrics", "count": "[length(variables('metricCategories'))]", "input": { "category": "[variables('metricCategories')[copyIndex('metrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } } ], "diagnosticSettingsName": "diagnosticSettings", "logCategories": [ "ContainerRegistryRepositoryEvents", "ContainerRegistryLoginEvents" ], "metricCategories": [ "AllMetrics" ] }, "resources": [ { "type": "Microsoft.ContainerRegistry/registries", "apiVersion": "2021-12-01-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "[parameters('sku')]" }, "properties": { "adminUserEnabled": "[parameters('adminUserEnabled')]" } }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('logs')]", "metrics": "[variables('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "storageAccount", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('blobStorageAccountName')]" }, "createContainers": 
{ "value": false }, "containerNames": { "value": [] }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "13054844979723641578" } }, "parameters": { "name": { "type": "string", "defaultValue": "[format('boot{0}', uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the globally unique name for the storage account used to store the boot diagnostics logs of the virtual machine. The storage account resource in this module sets only sku and kind, so minimumTlsVersion, allowBlobPublicAccess, allowSharedKeyAccess and publicNetworkAccess are left at service defaults; set them explicitly to harden the account, particularly since a private endpoint is created for it." } }, "createContainers": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create containers." } }, "containerNames": { "type": "array", "metadata": { "description": "Specifies an array of containers to create." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} } }, "variables": { "copy": [ { "name": "logs", "count": "[length(variables('logCategories'))]", "input": { "category": "[variables('logCategories')[copyIndex('logs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "metrics", "count": "[length(variables('metricCategories'))]", "input": { "category": "[variables('metricCategories')[copyIndex('metrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } } ], "diagnosticSettingsName": "diagnosticSettings", "logCategories": [ "StorageRead", "StorageWrite", "StorageDelete" ], "metricCategories": [ "Transaction" ] }, "resources": [ { "copy": { "name": "containers", "count": "[length(parameters('containerNames'))]" }, "condition": "[parameters('createContainers')]", "type": "Microsoft.Storage/storageAccounts/blobServices/containers", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}/{2}', parameters('name'), 'default', parameters('containerNames')[copyIndex()])]", "properties": { "publicAccess": "None" }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]" ] }, { "type": "Microsoft.Storage/storageAccounts/blobServices", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}', parameters('name'), 'default')]", "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" ] }, { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-09-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "Standard_LRS" }, "kind": "StorageV2" }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}', parameters('name'), 'default')]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('logs')]", "metrics": "[variables('metrics')]" 
}, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "network", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "podSubnetEnabled": { "value": "[and(and(not(equals(parameters('aksClusterNetworkPluginMode'), 'overlay')), not(equals(parameters('podSubnetName'), ''))), not(equals(parameters('podSubnetAddressPrefix'), '')))]" }, "enableVnetIntegration": { "value": "[parameters('enableVnetIntegration')]" }, "bastionHostEnabled": { "value": "[parameters('bastionHostEnabled')]" }, "virtualNetworkName": { "value": "[parameters('virtualNetworkName')]" }, "virtualNetworkAddressPrefixes": { "value": "[parameters('virtualNetworkAddressPrefixes')]" }, "systemAgentPoolSubnetName": { "value": "[parameters('systemAgentPoolSubnetName')]" }, "systemAgentPoolSubnetAddressPrefix": { "value": "[parameters('systemAgentPoolSubnetAddressPrefix')]" }, "userAgentPoolSubnetName": { "value": "[parameters('userAgentPoolSubnetName')]" }, "userAgentPoolSubnetAddressPrefix": { "value": "[parameters('userAgentPoolSubnetAddressPrefix')]" }, "podSubnetName": { "value": "[parameters('podSubnetName')]" }, "podSubnetAddressPrefix": { "value": "[parameters('podSubnetAddressPrefix')]" }, "apiServerSubnetName": { "value": "[parameters('apiServerSubnetName')]" }, "apiServerSubnetAddressPrefix": { "value": "[parameters('apiServerSubnetAddressPrefix')]" }, "vmSubnetName": { "value": "[parameters('vmSubnetName')]" }, "vmSubnetAddressPrefix": { "value": "[parameters('vmSubnetAddressPrefix')]" }, "vmSubnetNsgName": { "value": 
"[format('{0}Nsg', parameters('vmSubnetName'))]" }, "bastionSubnetAddressPrefix": { "value": "[parameters('bastionSubnetAddressPrefix')]" }, "bastionSubnetNsgName": { "value": "AzureBastionSubnetNsg" }, "bastionHostName": { "value": "[parameters('bastionHostName')]" }, "natGatewayName": { "value": "[parameters('natGatewayName')]" }, "natGatewayEnabled": { "value": "[equals(parameters('aksClusterOutboundType'), 'userAssignedNATGateway')]" }, "natGatewayZones": { "value": "[parameters('natGatewayZones')]" }, "natGatewayPublicIps": { "value": "[parameters('natGatewayPublicIps')]" }, "natGatewayIdleTimeoutMins": { "value": "[parameters('natGatewayIdleTimeoutMins')]" }, "createAcrPrivateEndpoint": { "value": "[equals(parameters('acrSku'), 'Premium')]" }, "storageAccountPrivateEndpointName": { "value": "[parameters('blobStorageAccountPrivateEndpointName')]" }, "storageAccountId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'storageAccount'), '2022-09-01').outputs.id.value]" }, "keyVaultPrivateEndpointName": { "value": "[parameters('keyVaultPrivateEndpointName')]" }, "keyVaultId": { "value": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('keyVaultResourceGroupName')), 'Microsoft.KeyVault/vaults', parameters('keyVaultName'))]" }, "acrPrivateEndpointName": { "value": "[parameters('acrPrivateEndpointName')]" }, "acrId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'containerRegistry'), '2022-09-01').outputs.id.value]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", 
"templateHash": "7417468035045571846" } }, "parameters": { "podSubnetEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the podSubnet is enabled." } }, "enableVnetIntegration": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable API server VNET integration for the cluster or not." } }, "virtualNetworkName": { "type": "string", "metadata": { "description": "Specifies the name of the virtual network." } }, "virtualNetworkAddressPrefixes": { "type": "string", "defaultValue": "10.0.0.0/8", "metadata": { "description": "Specifies the address prefixes of the virtual network." } }, "systemAgentPoolSubnetName": { "type": "string", "defaultValue": "SystemSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the default system agent pool of the AKS cluster." } }, "systemAgentPoolSubnetAddressPrefix": { "type": "string", "defaultValue": "10.0.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the worker nodes of the default system agent pool of the AKS cluster." } }, "userAgentPoolSubnetName": { "type": "string", "defaultValue": "UserSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the user agent pool of the AKS cluster." } }, "userAgentPoolSubnetAddressPrefix": { "type": "string", "defaultValue": "10.1.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the worker nodes of the user agent pool of the AKS cluster." } }, "podSubnetName": { "type": "string", "defaultValue": "PodSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the pods running in the AKS cluster." } }, "podSubnetAddressPrefix": { "type": "string", "defaultValue": "10.2.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the pods running in the AKS cluster." 
} }, "apiServerSubnetName": { "type": "string", "defaultValue": "ApiServerSubnet", "metadata": { "description": "Specifies the name of the subnet delegated to the API server when configuring the AKS cluster to use API server VNET integration." } }, "apiServerSubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.0.0/28", "metadata": { "description": "Specifies the address prefix of the subnet delegated to the API server when configuring the AKS cluster to use API server VNET integration." } }, "vmSubnetName": { "type": "string", "defaultValue": "VmSubnet", "metadata": { "description": "Specifies the name of the subnet which contains the virtual machine." } }, "vmSubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.1.0/24", "metadata": { "description": "Specifies the address prefix of the subnet which contains the virtual machine." } }, "vmSubnetNsgName": { "type": "string", "defaultValue": "VmSubnetNsg", "metadata": { "description": "Specifies the name of the network security group associated to the subnet hosting the virtual machine. Note: the NSG created by this template contains a single rule, AllowSshInbound, that allows inbound TCP/22 from any source address ('*') to any destination. Restrict sourceAddressPrefix to the Azure Bastion subnet or a trusted range before deployment if the jumpbox must not accept SSH from the whole VNet (or, should it ever receive a public IP, from the Internet)." } }, "bastionSubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.2.0/24", "metadata": { "description": "Specifies the Bastion subnet IP prefix. This prefix must be within vnet IP prefix address space." } }, "bastionSubnetNsgName": { "type": "string", "defaultValue": "AzureBastionNsg", "metadata": { "description": "Specifies the name of the network security group associated to the subnet hosting Azure Bastion." } }, "bastionHostEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether Azure Bastion should be created." } }, "bastionHostName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Bastion resource." } }, "bastionHostDisableCopyPaste": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable Copy/Paste feature of the Bastion Host resource." 
} }, "bastionHostEnableFileCopy": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable File Copy feature of the Bastion Host resource." } }, "bastionHostEnableIpConnect": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable IP Connect feature of the Bastion Host resource." } }, "bastionHostEnableShareableLink": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable Shareable Link of the Bastion Host resource." } }, "bastionHostEnableTunneling": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable Tunneling feature of the Bastion Host resource." } }, "natGatewayName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure NAT Gateway." } }, "natGatewayEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to create an Azure NAT Gateway for outbound connections. The parent template sets this to true only when aksClusterOutboundType is 'userAssignedNATGateway'." } }, "natGatewayZones": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies a list of availability zones denoting the zone in which Nat Gateway should be deployed." } }, "natGatewayPublicIps": { "type": "int", "defaultValue": 1, "metadata": { "description": "Specifies the number of Public IPs to create for the Azure NAT Gateway." } }, "natGatewayIdleTimeoutMins": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the idle timeout in minutes for the Azure NAT Gateway." } }, "storageAccountPrivateEndpointName": { "type": "string", "defaultValue": "BlobStorageAccountPrivateEndpoint", "metadata": { "description": "Specifies the name of the private endpoint (blob sub-resource) to the boot diagnostics storage account. The private endpoint only adds a private path into the VNet; it does not by itself disable public network access on the storage account, and the storage account resource in this template sets no network ACLs, so restrict public access on the account if that is the intent." } }, "storageAccountId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Azure Storage Account." 
} }, "keyVaultPrivateEndpointName": { "type": "string", "defaultValue": "KeyVaultPrivateEndpoint", "metadata": { "description": "Specifies the name of the private link to the Key Vault." } }, "keyVaultId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Azure Key Vault. The parent template resolves it from keyVaultName and keyVaultResourceGroupName, so the vault may live in a different resource group than the rest of the deployment." } }, "createAcrPrivateEndpoint": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to create a private endpoint for the Azure Container Registry. The parent template sets this to true only when acrSku is 'Premium'. Only the private endpoint and its DNS zone group are conditional on this flag; the privatelink ACR private DNS zone and its VNet link are created regardless." } }, "acrPrivateEndpointName": { "type": "string", "defaultValue": "AcrPrivateEndpoint", "metadata": { "description": "Specifies the name of the private link to the Azure Container Registry." } }, "acrId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Azure Container Registry." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} } }, "variables": { "copy": [ { "name": "nsgLogs", "count": "[length(variables('nsgLogCategories'))]", "input": { "category": "[variables('nsgLogCategories')[copyIndex('nsgLogs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "vnetLogs", "count": "[length(variables('vnetLogCategories'))]", "input": { "category": "[variables('vnetLogCategories')[copyIndex('vnetLogs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "vnetMetrics", "count": "[length(variables('vnetMetricCategories'))]", "input": { "category": "[variables('vnetMetricCategories')[copyIndex('vnetMetrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "bastionLogs", "count": "[length(variables('bastionLogCategories'))]", "input": { "category": "[variables('bastionLogCategories')[copyIndex('bastionLogs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "bastionMetrics", "count": "[length(variables('bastionMetricCategories'))]", "input": { "category": "[variables('bastionMetricCategories')[copyIndex('bastionMetrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } } ], "diagnosticSettingsName": "diagnosticSettings", "nsgLogCategories": [ "NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter" ], "vnetLogCategories": [ "VMProtectionAlerts" ], "vnetMetricCategories": [ "AllMetrics" ], "bastionLogCategories": [ "BastionAuditLogs" ], "bastionMetricCategories": [ "AllMetrics" ], "bastionSubnetName": "AzureBastionSubnet", "bastionPublicIpAddressName": "[format('{0}PublicIp', parameters('bastionHostName'))]", "systemAgentPoolSubnet": { "name": "[parameters('systemAgentPoolSubnetName')]", "properties": { "addressPrefix": "[parameters('systemAgentPoolSubnetAddressPrefix')]", "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled", "natGateway": "[if(parameters('natGatewayEnabled'), 
createObject('id', resourceId('Microsoft.Network/natGateways', parameters('natGatewayName'))), null())]" } }, "userAgentPoolSubnet": { "name": "[parameters('userAgentPoolSubnetName')]", "properties": { "addressPrefix": "[parameters('userAgentPoolSubnetAddressPrefix')]", "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled", "natGateway": "[if(parameters('natGatewayEnabled'), createObject('id', resourceId('Microsoft.Network/natGateways', parameters('natGatewayName'))), null())]" } }, "podSubnet": { "name": "[parameters('podSubnetName')]", "properties": { "addressPrefix": "[parameters('podSubnetAddressPrefix')]", "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled", "natGateway": "[if(parameters('natGatewayEnabled'), createObject('id', resourceId('Microsoft.Network/natGateways', parameters('natGatewayName'))), null())]", "delegations": [ { "name": "aks-delegation", "properties": { "serviceName": "Microsoft.ContainerService/managedClusters" } } ] } }, "apiServerSubnet": { "name": "[parameters('apiServerSubnetName')]", "properties": { "addressPrefix": "[parameters('apiServerSubnetAddressPrefix')]", "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled", "delegations": [ { "name": "aks-delegation", "properties": { "serviceName": "Microsoft.ContainerService/managedClusters" } } ] } }, "vmSubnet": { "name": "[parameters('vmSubnetName')]", "properties": { "addressPrefix": "[parameters('vmSubnetAddressPrefix')]", "networkSecurityGroup": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('vmSubnetNsgName'))]" }, "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Disabled", "natGateway": "[if(parameters('natGatewayEnabled'), createObject('id', resourceId('Microsoft.Network/natGateways', parameters('natGatewayName'))), null())]" } }, "bastionSubnet": { "name": "[variables('bastionSubnetName')]", 
"properties": { "addressPrefix": "[parameters('bastionSubnetAddressPrefix')]", "networkSecurityGroup": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionSubnetNsgName'))]" } } }, "subnets": "[union(array(variables('systemAgentPoolSubnet')), array(variables('userAgentPoolSubnet')), if(parameters('podSubnetEnabled'), array(variables('podSubnet')), createArray()), if(parameters('enableVnetIntegration'), array(variables('apiServerSubnet')), createArray()), array(variables('vmSubnet')), if(parameters('bastionHostEnabled'), array(variables('bastionSubnet')), createArray()))]" }, "resources": [ { "condition": "[parameters('bastionHostEnabled')]", "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2023-04-01", "name": "[parameters('bastionSubnetNsgName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "securityRules": [ { "name": "AllowHttpsInBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "443", "destinationAddressPrefix": "*", "access": "Allow", "priority": 100, "direction": "Inbound" } }, { "name": "AllowGatewayManagerInBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "GatewayManager", "destinationPortRange": "443", "destinationAddressPrefix": "*", "access": "Allow", "priority": 110, "direction": "Inbound" } }, { "name": "AllowLoadBalancerInBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "443", "destinationAddressPrefix": "*", "access": "Allow", "priority": 120, "direction": "Inbound" } }, { "name": "AllowBastionHostCommunicationInBound", "properties": { "protocol": "*", "sourcePortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRanges": [ "8080", "5701" ], "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 130, "direction": 
"Inbound" } }, { "name": "DenyAllInBound", "properties": { "protocol": "*", "sourcePortRange": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*", "destinationAddressPrefix": "*", "access": "Deny", "priority": 1000, "direction": "Inbound" } }, { "name": "AllowSshRdpOutBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "*", "destinationPortRanges": [ "22", "3389" ], "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 100, "direction": "Outbound" } }, { "name": "AllowAzureCloudCommunicationOutBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "*", "destinationPortRange": "443", "destinationAddressPrefix": "AzureCloud", "access": "Allow", "priority": 110, "direction": "Outbound" } }, { "name": "AllowBastionHostCommunicationOutBound", "properties": { "protocol": "*", "sourcePortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRanges": [ "8080", "5701" ], "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 120, "direction": "Outbound" } }, { "name": "AllowGetSessionInformationOutBound", "properties": { "protocol": "*", "sourcePortRange": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "Internet", "destinationPortRanges": [ "80", "443" ], "access": "Allow", "priority": 130, "direction": "Outbound" } }, { "name": "DenyAllOutBound", "properties": { "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Deny", "priority": 1000, "direction": "Outbound" } } ] } }, { "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2023-04-01", "name": "[parameters('vmSubnetNsgName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "securityRules": [ { "name": "AllowSshInbound", "properties": { "priority": 100, "access": "Allow", "direction": "Inbound", "destinationPortRange": 
"22", "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*", "destinationAddressPrefix": "*" } } ] } }, { "type": "Microsoft.Network/virtualNetworks", "apiVersion": "2023-04-01", "name": "[parameters('virtualNetworkName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "addressSpace": { "addressPrefixes": [ "[parameters('virtualNetworkAddressPrefixes')]" ] }, "subnets": "[variables('subnets')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionSubnetNsgName'))]", "[resourceId('Microsoft.Network/natGateways', parameters('natGatewayName'))]", "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('vmSubnetNsgName'))]" ] }, { "copy": { "name": "natGatewayPublicIp", "count": "[length(range(0, parameters('natGatewayPublicIps')))]" }, "condition": "[parameters('natGatewayEnabled')]", "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2023-04-01", "name": "[if(equals(parameters('natGatewayPublicIps'), 1), format('{0}PublicIp', parameters('natGatewayName')), format('{0}PublicIp{1}', parameters('natGatewayName'), add(range(0, parameters('natGatewayPublicIps'))[copyIndex()], 1)))]", "location": "[parameters('location')]", "sku": { "name": "Standard" }, "zones": "[if(not(empty(parameters('natGatewayZones'))), parameters('natGatewayZones'), createArray())]", "properties": { "publicIPAllocationMethod": "Static" } }, { "condition": "[parameters('natGatewayEnabled')]", "type": "Microsoft.Network/natGateways", "apiVersion": "2023-04-01", "name": "[parameters('natGatewayName')]", "location": "[parameters('location')]", "sku": { "name": "Standard" }, "zones": "[if(not(empty(parameters('natGatewayZones'))), parameters('natGatewayZones'), createArray())]", "properties": { "copy": [ { "name": "publicIpAddresses", "count": "[length(range(0, parameters('natGatewayPublicIps')))]", "input": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', 
if(equals(parameters('natGatewayPublicIps'), 1), format('{0}PublicIp', parameters('natGatewayName')), format('{0}PublicIp{1}', parameters('natGatewayName'), add(range(0, parameters('natGatewayPublicIps'))[range(0, parameters('natGatewayPublicIps'))[copyIndex('publicIpAddresses')]], 1))))]" } } ], "idleTimeoutInMinutes": "[parameters('natGatewayIdleTimeoutMins')]" }, "dependsOn": [ "natGatewayPublicIp" ] }, { "condition": "[parameters('bastionHostEnabled')]", "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2023-04-01", "name": "[variables('bastionPublicIpAddressName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "Standard" }, "properties": { "publicIPAllocationMethod": "Static" } }, { "condition": "[parameters('bastionHostEnabled')]", "type": "Microsoft.Network/bastionHosts", "apiVersion": "2023-04-01", "name": "[parameters('bastionHostName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "disableCopyPaste": "[parameters('bastionHostDisableCopyPaste')]", "enableFileCopy": "[parameters('bastionHostEnableFileCopy')]", "enableIpConnect": "[parameters('bastionHostEnableIpConnect')]", "enableShareableLink": "[parameters('bastionHostEnableShareableLink')]", "enableTunneling": "[parameters('bastionHostEnableTunneling')]", "ipConfigurations": [ { "name": "IpConf", "properties": { "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), variables('bastionSubnetName'))]" }, "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('bastionPublicIpAddressName'))]" } } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/publicIPAddresses', variables('bastionPublicIpAddressName'))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateDnsZones", "apiVersion": "2020-06-01", "name": 
"[format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io'))]", "location": "global", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Network/privateDnsZones", "apiVersion": "2020-06-01", "name": "[format('privatelink.blob.{0}', environment().suffixes.storage)]", "location": "global", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Network/privateDnsZones", "apiVersion": "2020-06-01", "name": "[format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net'))]", "location": "global", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io')), format('link_to_{0}', toLower(parameters('virtualNetworkName'))))]", "location": "global", "properties": { "registrationEnabled": false, "virtualNetwork": { "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io')))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', format('privatelink.blob.{0}', environment().suffixes.storage), format('link_to_{0}', toLower(parameters('virtualNetworkName'))))]", "location": "global", "properties": { "registrationEnabled": false, "virtualNetwork": { "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.blob.{0}', 
environment().suffixes.storage))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net')), format('link_to_{0}', toLower(parameters('virtualNetworkName'))))]", "location": "global", "properties": { "registrationEnabled": false, "virtualNetwork": { "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net')))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('storageAccountPrivateEndpointName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "privateLinkServiceConnections": [ { "name": "[parameters('storageAccountPrivateEndpointName')]", "properties": { "privateLinkServiceId": "[parameters('storageAccountId')]", "groupIds": [ "blob" ] } } ], "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), parameters('vmSubnetName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2023-04-01", "name": "[format('{0}/{1}', parameters('storageAccountPrivateEndpointName'), 'PrivateDnsZoneGroupName')]", "properties": { "privateDnsZoneConfigs": [ { "name": "dnsConfig", "properties": { "privateDnsZoneId": 
"[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.blob.{0}', environment().suffixes.storage))]" } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.blob.{0}', environment().suffixes.storage))]", "[resourceId('Microsoft.Network/privateEndpoints', parameters('storageAccountPrivateEndpointName'))]" ] }, { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", "name": "[parameters('keyVaultPrivateEndpointName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "privateLinkServiceConnections": [ { "name": "[parameters('keyVaultPrivateEndpointName')]", "properties": { "privateLinkServiceId": "[parameters('keyVaultId')]", "groupIds": [ "vault" ] } } ], "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), parameters('vmSubnetName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2023-04-01", "name": "[format('{0}/{1}', parameters('keyVaultPrivateEndpointName'), 'PrivateDnsZoneGroupName')]", "properties": { "privateDnsZoneConfigs": [ { "name": "dnsConfig", "properties": { "privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net')))]" } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net')))]", "[resourceId('Microsoft.Network/privateEndpoints', parameters('keyVaultPrivateEndpointName'))]" ] }, { "condition": "[parameters('createAcrPrivateEndpoint')]", "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2023-04-01", 
"name": "[parameters('acrPrivateEndpointName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "privateLinkServiceConnections": [ { "name": "[parameters('acrPrivateEndpointName')]", "properties": { "privateLinkServiceId": "[parameters('acrId')]", "groupIds": [ "registry" ] } } ], "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), parameters('vmSubnetName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "condition": "[parameters('createAcrPrivateEndpoint')]", "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2023-04-01", "name": "[format('{0}/{1}', parameters('acrPrivateEndpointName'), 'acrPrivateDnsZoneGroup')]", "properties": { "privateDnsZoneConfigs": [ { "name": "dnsConfig", "properties": { "privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io')))]" } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io')))]", "[resourceId('Microsoft.Network/privateEndpoints', parameters('acrPrivateEndpointName'))]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('vmSubnetNsgName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('nsgLogs')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('vmSubnetNsgName'))]" ] }, { "condition": "[parameters('bastionHostEnabled')]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": 
"[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('bastionSubnetNsgName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('nsgLogs')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionSubnetNsgName'))]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('virtualNetworkName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('vnetLogs')]", "metrics": "[variables('vnetMetrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "condition": "[parameters('bastionHostEnabled')]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('bastionHostName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('bastionLogs')]", "metrics": "[variables('bastionMetrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/bastionHosts', parameters('bastionHostName'))]" ] } ], "outputs": { "virtualNetworkId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" }, "virtualNetworkName": { "type": "string", "value": "[parameters('virtualNetworkName')]" }, "aksSubnetId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('systemAgentPoolSubnetName'))]" }, "vmSubnetId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('vmSubnetName'))]" }, "bastionSubnetId": { "type": "string", "value": 
"[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('bastionSubnetName'))]" }, "systemAgentPoolSubnetName": { "type": "string", "value": "[parameters('systemAgentPoolSubnetName')]" }, "vmSubnetName": { "type": "string", "value": "[parameters('vmSubnetName')]" }, "bastionSubnetName": { "type": "string", "value": "[variables('bastionSubnetName')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'containerRegistry')]", "[resourceId('Microsoft.Resources/deployments', 'storageAccount')]", "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "condition": "[parameters('vmEnabled')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "jumpboxVirtualMachine", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "vmName": { "value": "[parameters('vmName')]" }, "vmSize": { "value": "[parameters('vmSize')]" }, "vmSubnetId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network'), '2022-09-01').outputs.vmSubnetId.value]" }, "storageAccountName": "[if(parameters('vmEnabled'), createObject('value', reference(resourceId('Microsoft.Resources/deployments', 'storageAccount'), '2022-09-01').outputs.name.value), createObject('value', ''))]", "imagePublisher": { "value": "[parameters('imagePublisher')]" }, "imageOffer": { "value": "[parameters('imageOffer')]" }, "imageSku": { "value": "[parameters('imageSku')]" }, "authenticationType": { "value": "[parameters('authenticationType')]" }, "vmAdminUsername": { "value": "[parameters('vmAdminUsername')]" }, "vmAdminPasswordOrKey": { "value": "[parameters('vmAdminPasswordOrKey')]" }, "diskStorageAccountType": { "value": "[parameters('diskStorageAccountType')]" }, "numDataDisks": { "value": "[parameters('numDataDisks')]" }, "osDiskSize": { "value": "[parameters('osDiskSize')]" }, "dataDiskSize": { "value": "[parameters('dataDiskSize')]" }, 
"dataDiskCaching": { "value": "[parameters('dataDiskCaching')]" }, "managedIdentityName": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), createObject('value', format('{0}{1}AzureMonitorAgentManagedIdentity', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1))))), if(equals(parameters('letterCaseType'), 'CamelCase'), createObject('value', format('{0}AzureMonitorAgentManagedIdentity', toLower(parameters('prefix')))), createObject('value', format('{0}-azure-monitor-agent-managed-identity', toLower(parameters('prefix'))))))]", "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "16753703399332105364" } }, "parameters": { "vmName": { "type": "string", "defaultValue": "TestVm", "metadata": { "description": "Specifies the name of the virtual machine." } }, "vmSize": { "type": "string", "defaultValue": "Standard_DS3_v2", "metadata": { "description": "Specifies the size of the virtual machine." } }, "vmSubnetId": { "type": "string", "metadata": { "description": "Specifies the resource id of the subnet hosting the virtual machine." } }, "storageAccountName": { "type": "string", "metadata": { "description": "Specifies the name of the storage account where the bootstrap diagnostic logs of the virtual machine are stored." } }, "imagePublisher": { "type": "string", "defaultValue": "Canonical", "metadata": { "description": "Specifies the image publisher of the disk image used to create the virtual machine." } }, "imageOffer": { "type": "string", "defaultValue": "0001-com-ubuntu-server-jammy", "metadata": { "description": "Specifies the offer of the platform image or marketplace image used to create the virtual machine." 
} }, "imageSku": { "type": "string", "defaultValue": "22_04-lts-gen2", "metadata": { "description": "Specifies the Ubuntu version for the VM. This will pick a fully patched image of this given Ubuntu version." } }, "authenticationType": { "type": "string", "defaultValue": "password", "allowedValues": [ "sshPublicKey", "password" ], "metadata": { "description": "Specifies the type of authentication when accessing the Virtual Machine. SSH key is recommended." } }, "vmAdminUsername": { "type": "string", "metadata": { "description": "Specifies the name of the administrator account of the virtual machine." } }, "vmAdminPasswordOrKey": { "type": "securestring", "metadata": { "description": "Specifies the SSH Key or password for the virtual machine. SSH key is recommended." } }, "diskStorageAccountType": { "type": "string", "defaultValue": "Premium_LRS", "allowedValues": [ "Premium_LRS", "StandardSSD_LRS", "Standard_LRS", "UltraSSD_LRS" ], "metadata": { "description": "Specifies the storage account type for the OS and data disks." } }, "numDataDisks": { "type": "int", "defaultValue": 1, "minValue": 0, "maxValue": 64, "metadata": { "description": "Specifies the number of data disks of the virtual machine." } }, "osDiskSize": { "type": "int", "defaultValue": 50, "metadata": { "description": "Specifies the size in GB of the OS disk of the VM." } }, "dataDiskSize": { "type": "int", "defaultValue": 50, "metadata": { "description": "Specifies the size in GB of each data disk of the virtual machine." } }, "dataDiskCaching": { "type": "string", "defaultValue": "ReadWrite", "metadata": { "description": "Specifies the caching requirements for the data disks." } }, "managedIdentityName": { "type": "string", "metadata": { "description": "Specifies the name of the user-defined managed identity used by the Azure Monitor Agent." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." 
} }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "variables": { "vmNicName": "[format('{0}Nic', parameters('vmName'))]", "linuxConfiguration": { "disablePasswordAuthentication": true, "ssh": { "publicKeys": [ { "path": "[format('/home/{0}/.ssh/authorized_keys', parameters('vmAdminUsername'))]", "keyData": "[parameters('vmAdminPasswordOrKey')]" } ] }, "provisionVMAgent": true } }, "resources": [ { "type": "Microsoft.Network/networkInterfaces", "apiVersion": "2021-08-01", "name": "[variables('vmNicName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "ipConfigurations": [ { "name": "ipconfig1", "properties": { "privateIPAllocationMethod": "Dynamic", "subnet": { "id": "[parameters('vmSubnetId')]" } } } ] } }, { "type": "Microsoft.Compute/virtualMachines", "apiVersion": "2021-11-01", "name": "[parameters('vmName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "hardwareProfile": { "vmSize": "[parameters('vmSize')]" }, "osProfile": { "computerName": "[parameters('vmName')]", "adminUsername": "[parameters('vmAdminUsername')]", "adminPassword": "[parameters('vmAdminPasswordOrKey')]", "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]" }, "storageProfile": { "copy": [ { "name": "dataDisks", "count": "[length(range(0, parameters('numDataDisks')))]", "input": { "caching": "[parameters('dataDiskCaching')]", "diskSizeGB": "[parameters('dataDiskSize')]", "lun": "[range(0, parameters('numDataDisks'))[copyIndex('dataDisks')]]", "name": "[format('{0}-DataDisk{1}', parameters('vmName'), range(0, parameters('numDataDisks'))[copyIndex('dataDisks')])]", "createOption": "Empty", "managedDisk": { "storageAccountType": "[parameters('diskStorageAccountType')]" } } } ], "imageReference": { "publisher": "[parameters('imagePublisher')]", "offer": "[parameters('imageOffer')]", "sku": 
"[parameters('imageSku')]", "version": "latest" }, "osDisk": { "name": "[format('{0}_OSDisk', parameters('vmName'))]", "caching": "ReadWrite", "createOption": "FromImage", "diskSizeGB": "[parameters('osDiskSize')]", "managedDisk": { "storageAccountType": "[parameters('diskStorageAccountType')]" } } }, "networkProfile": { "networkInterfaces": [ { "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('vmNicName'))]" } ] }, "diagnosticsProfile": { "bootDiagnostics": { "enabled": true, "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-09-01').primaryEndpoints.blob]" } } }, "dependsOn": [ "[resourceId('Microsoft.Network/networkInterfaces', variables('vmNicName'))]" ] }, { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2023-01-31", "name": "[parameters('managedIdentityName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2021-11-01", "name": "[format('{0}/{1}', parameters('vmName'), 'AzureMonitorLinuxAgent')]", "location": "[parameters('location')]", "properties": { "publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorLinuxAgent", "typeHandlerVersion": "1.21", "autoUpgradeMinorVersion": true, "enableAutomaticUpgrade": true, "settings": { "authentication": { "managedIdentity": { "identifier-name": "mi_res_id", "identifier-value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" } } } }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]", "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" ] } ] } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'network')]", "[resourceId('Microsoft.Resources/deployments', 'storageAccount')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", 
"name": "aksManageIdentity", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "managedIdentityName": { "value": "[format('{0}Identity', parameters('aksClusterName'))]" }, "virtualNetworkName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network'), '2022-09-01').outputs.virtualNetworkName.value]" }, "systemAgentPoolSubnetName": { "value": "[parameters('systemAgentPoolSubnetName')]" }, "userAgentPoolSubnetName": { "value": "[parameters('userAgentPoolSubnetName')]" }, "podSubnetName": { "value": "[parameters('podSubnetName')]" }, "apiServerSubnetName": { "value": "[parameters('apiServerSubnetName')]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "14802532822694073810" } }, "parameters": { "managedIdentityName": { "type": "string", "metadata": { "description": "Specifies the name of the user-defined managed identity." } }, "virtualNetworkName": { "type": "string", "metadata": { "description": "Specifies the name of the existing virtual network." } }, "systemAgentPoolSubnetName": { "type": "string", "defaultValue": "SystemSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the default system agent pool of the AKS cluster." } }, "userAgentPoolSubnetName": { "type": "string", "defaultValue": "UserSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the user agent pool of the AKS cluster." } }, "podSubnetName": { "type": "string", "defaultValue": "PodSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the pods running in the AKS cluster." 
} }, "apiServerSubnetName": { "type": "string", "defaultValue": "ApiServerSubnet", "metadata": { "description": "Specifies the name of the subnet delegated to the API server when configuring the AKS cluster to use API server VNET integration." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "variables": { "networkContributorRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]" }, "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2021-09-30-preview", "name": "[parameters('managedIdentityName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-10-01-preview", "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('systemAgentPoolSubnetName'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('systemAgentPoolSubnetName')), variables('networkContributorRoleDefinitionId'))]", "properties": { "roleDefinitionId": "[variables('networkContributorRoleDefinitionId')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), '2021-09-30-preview').principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" ] }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-10-01-preview", "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', 
parameters('virtualNetworkName'), parameters('userAgentPoolSubnetName'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('userAgentPoolSubnetName')), variables('networkContributorRoleDefinitionId'))]", "properties": { "roleDefinitionId": "[variables('networkContributorRoleDefinitionId')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), '2021-09-30-preview').principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" ] }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-10-01-preview", "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('podSubnetName'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('podSubnetName')), variables('networkContributorRoleDefinitionId'))]", "properties": { "roleDefinitionId": "[variables('networkContributorRoleDefinitionId')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), '2021-09-30-preview').principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" ] }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-10-01-preview", "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('apiServerSubnetName'))]", "name": 
"[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('apiServerSubnetName')), variables('networkContributorRoleDefinitionId'))]", "properties": { "roleDefinitionId": "[variables('networkContributorRoleDefinitionId')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), '2021-09-30-preview').principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" }, "name": { "type": "string", "value": "[parameters('managedIdentityName')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'network')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "kubeletManageIdentity", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "aksClusterName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.name.value]" }, "acrName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'containerRegistry'), '2022-09-01').outputs.name.value]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "9114751619053619158" } }, "parameters": { "aksClusterName": { "type": "string", "metadata": { "description": "Specifies the name of the existing AKS cluster." 
} }, "acrName": { "type": "string", "metadata": { "description": "Specifies the name of the existing container registry." } } }, "variables": { "acrPullRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]" }, "resources": [ { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-10-01-preview", "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('acrName'))]", "name": "[guid(parameters('aksClusterName'), resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName')), variables('acrPullRoleDefinitionId'))]", "properties": { "roleDefinitionId": "[variables('acrPullRoleDefinitionId')]", "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName')), '2022-11-02-preview').identityProfile.kubeletidentity.objectId]", "principalType": "ServicePrincipal" } } ] } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]", "[resourceId('Microsoft.Resources/deployments', 'containerRegistry')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "aksCluster", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('aksClusterName')]" }, "enableVnetIntegration": { "value": "[parameters('enableVnetIntegration')]" }, "virtualNetworkName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network'), '2022-09-01').outputs.virtualNetworkName.value]" }, "systemAgentPoolSubnetName": { "value": "[parameters('systemAgentPoolSubnetName')]" }, "userAgentPoolSubnetName": { "value": "[parameters('userAgentPoolSubnetName')]" }, "podSubnetName": { "value": "[parameters('podSubnetName')]" }, "apiServerSubnetName": { "value": "[parameters('apiServerSubnetName')]" }, "managedIdentityName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 
'aksManageIdentity'), '2022-09-01').outputs.name.value]" }, "dnsPrefix": { "value": "[parameters('aksClusterDnsPrefix')]" }, "networkDataplane": { "value": "[parameters('aksClusterNetworkDataplane')]" }, "networkMode": { "value": "[parameters('aksClusterNetworkMode')]" }, "networkPlugin": { "value": "[parameters('aksClusterNetworkPlugin')]" }, "networkPluginMode": { "value": "[parameters('aksClusterNetworkPluginMode')]" }, "networkPolicy": { "value": "[parameters('aksClusterNetworkPolicy')]" }, "webAppRoutingEnabled": { "value": "[parameters('aksClusterWebAppRoutingEnabled')]" }, "podCidr": { "value": "[parameters('aksClusterPodCidr')]" }, "serviceCidr": { "value": "[parameters('aksClusterServiceCidr')]" }, "dnsServiceIP": { "value": "[parameters('aksClusterDnsServiceIP')]" }, "loadBalancerSku": { "value": "[parameters('aksClusterLoadBalancerSku')]" }, "monitoringEnabled": { "value": "[parameters('aksClusterMonitoringEnabled')]" }, "ipFamilies": { "value": "[parameters('aksClusterIpFamilies')]" }, "outboundType": { "value": "[parameters('aksClusterOutboundType')]" }, "skuTier": { "value": "[parameters('aksClusterSkuTier')]" }, "kubernetesVersion": { "value": "[parameters('aksClusterKubernetesVersion')]" }, "adminUsername": { "value": "[parameters('aksClusterAdminUsername')]" }, "sshPublicKey": { "value": "[parameters('aksClusterSshPublicKey')]" }, "aadProfileTenantId": { "value": "[parameters('aadProfileTenantId')]" }, "aadProfileAdminGroupObjectIDs": { "value": "[parameters('aadProfileAdminGroupObjectIDs')]" }, "aadProfileManaged": { "value": "[parameters('aadProfileManaged')]" }, "aadProfileEnableAzureRBAC": { "value": "[parameters('aadProfileEnableAzureRBAC')]" }, "nodeOSUpgradeChannel": { "value": "[parameters('aksClusterNodeOSUpgradeChannel')]" }, "upgradeChannel": { "value": "[parameters('aksClusterUpgradeChannel')]" }, "enablePrivateCluster": { "value": "[parameters('aksClusterEnablePrivateCluster')]" }, "privateDNSZone": { "value": 
"[parameters('aksPrivateDNSZone')]" }, "enablePrivateClusterPublicFQDN": { "value": "[parameters('aksEnablePrivateClusterPublicFQDN')]" }, "systemAgentPoolName": { "value": "[parameters('systemAgentPoolName')]" }, "systemAgentPoolVmSize": { "value": "[parameters('systemAgentPoolVmSize')]" }, "systemAgentPoolOsDiskSizeGB": { "value": "[parameters('systemAgentPoolOsDiskSizeGB')]" }, "systemAgentPoolOsDiskType": { "value": "[parameters('systemAgentPoolOsDiskType')]" }, "systemAgentPoolAgentCount": { "value": "[parameters('systemAgentPoolAgentCount')]" }, "systemAgentPoolOsSKU": { "value": "[parameters('systemAgentPoolOsSKU')]" }, "systemAgentPoolOsType": { "value": "[parameters('systemAgentPoolOsType')]" }, "systemAgentPoolMaxPods": { "value": "[parameters('systemAgentPoolMaxPods')]" }, "systemAgentPoolMaxCount": { "value": "[parameters('systemAgentPoolMaxCount')]" }, "systemAgentPoolMinCount": { "value": "[parameters('systemAgentPoolMinCount')]" }, "systemAgentPoolEnableAutoScaling": { "value": "[parameters('systemAgentPoolEnableAutoScaling')]" }, "systemAgentPoolScaleSetPriority": { "value": "[parameters('systemAgentPoolScaleSetPriority')]" }, "systemAgentPoolScaleSetEvictionPolicy": { "value": "[parameters('systemAgentPoolScaleSetEvictionPolicy')]" }, "systemAgentPoolNodeLabels": { "value": "[parameters('systemAgentPoolNodeLabels')]" }, "systemAgentPoolNodeTaints": { "value": "[parameters('systemAgentPoolNodeTaints')]" }, "systemAgentPoolType": { "value": "[parameters('systemAgentPoolType')]" }, "systemAgentPoolAvailabilityZones": { "value": "[parameters('systemAgentPoolAvailabilityZones')]" }, "systemAgentPoolKubeletDiskType": { "value": "[parameters('systemAgentPoolKubeletDiskType')]" }, "userAgentPoolName": { "value": "[parameters('userAgentPoolName')]" }, "userAgentPoolVmSize": { "value": "[parameters('userAgentPoolVmSize')]" }, "userAgentPoolOsDiskSizeGB": { "value": "[parameters('userAgentPoolOsDiskSizeGB')]" }, "userAgentPoolOsDiskType": { "value": 
"[parameters('userAgentPoolOsDiskType')]" }, "userAgentPoolAgentCount": { "value": "[parameters('userAgentPoolAgentCount')]" }, "userAgentPoolOsSKU": { "value": "[parameters('userAgentPoolOsSKU')]" }, "userAgentPoolOsType": { "value": "[parameters('userAgentPoolOsType')]" }, "userAgentPoolMaxPods": { "value": "[parameters('userAgentPoolMaxPods')]" }, "userAgentPoolMaxCount": { "value": "[parameters('userAgentPoolMaxCount')]" }, "userAgentPoolMinCount": { "value": "[parameters('userAgentPoolMinCount')]" }, "userAgentPoolEnableAutoScaling": { "value": "[parameters('userAgentPoolEnableAutoScaling')]" }, "userAgentPoolScaleSetPriority": { "value": "[parameters('userAgentPoolScaleSetPriority')]" }, "userAgentPoolScaleSetEvictionPolicy": { "value": "[parameters('userAgentPoolScaleSetEvictionPolicy')]" }, "userAgentPoolNodeLabels": { "value": "[parameters('userAgentPoolNodeLabels')]" }, "userAgentPoolNodeTaints": { "value": "[parameters('userAgentPoolNodeTaints')]" }, "userAgentPoolType": { "value": "[parameters('userAgentPoolType')]" }, "userAgentPoolAvailabilityZones": { "value": "[parameters('userAgentPoolAvailabilityZones')]" }, "userAgentPoolKubeletDiskType": { "value": "[parameters('userAgentPoolKubeletDiskType')]" }, "httpApplicationRoutingEnabled": { "value": "[parameters('httpApplicationRoutingEnabled')]" }, "istioServiceMeshEnabled": { "value": "[parameters('istioServiceMeshEnabled')]" }, "istioIngressGatewayEnabled": { "value": "[parameters('istioIngressGatewayEnabled')]" }, "istioIngressGatewayType": { "value": "[parameters('istioIngressGatewayType')]" }, "kedaEnabled": { "value": "[parameters('kedaEnabled')]" }, "daprEnabled": { "value": "[parameters('daprEnabled')]" }, "daprHaEnabled": { "value": "[parameters('daprHaEnabled')]" }, "fluxGitOpsEnabled": { "value": "[parameters('fluxGitOpsEnabled')]" }, "verticalPodAutoscalerEnabled": { "value": "[parameters('verticalPodAutoscalerEnabled')]" }, "aciConnectorLinuxEnabled": { "value": 
"[parameters('aciConnectorLinuxEnabled')]" }, "azurePolicyEnabled": { "value": "[parameters('azurePolicyEnabled')]" }, "azureKeyvaultSecretsProviderEnabled": { "value": "[parameters('azureKeyvaultSecretsProviderEnabled')]" }, "kubeDashboardEnabled": { "value": "[parameters('kubeDashboardEnabled')]" }, "autoScalerProfileScanInterval": { "value": "[parameters('autoScalerProfileScanInterval')]" }, "autoScalerProfileScaleDownDelayAfterAdd": { "value": "[parameters('autoScalerProfileScaleDownDelayAfterAdd')]" }, "autoScalerProfileScaleDownDelayAfterDelete": { "value": "[parameters('autoScalerProfileScaleDownDelayAfterDelete')]" }, "autoScalerProfileScaleDownDelayAfterFailure": { "value": "[parameters('autoScalerProfileScaleDownDelayAfterFailure')]" }, "autoScalerProfileScaleDownUnneededTime": { "value": "[parameters('autoScalerProfileScaleDownUnneededTime')]" }, "autoScalerProfileScaleDownUnreadyTime": { "value": "[parameters('autoScalerProfileScaleDownUnreadyTime')]" }, "autoScalerProfileUtilizationThreshold": { "value": "[parameters('autoScalerProfileUtilizationThreshold')]" }, "autoScalerProfileMaxGracefulTerminationSec": { "value": "[parameters('autoScalerProfileMaxGracefulTerminationSec')]" }, "blobCSIDriverEnabled": { "value": "[parameters('blobCSIDriverEnabled')]" }, "diskCSIDriverEnabled": { "value": "[parameters('diskCSIDriverEnabled')]" }, "fileCSIDriverEnabled": { "value": "[parameters('fileCSIDriverEnabled')]" }, "snapshotControllerEnabled": { "value": "[parameters('snapshotControllerEnabled')]" }, "defenderSecurityMonitoringEnabled": { "value": "[parameters('defenderSecurityMonitoringEnabled')]" }, "imageCleanerEnabled": { "value": "[parameters('imageCleanerEnabled')]" }, "imageCleanerIntervalHours": { "value": "[parameters('imageCleanerIntervalHours')]" }, "nodeRestrictionEnabled": { "value": "[parameters('nodeRestrictionEnabled')]" }, "workloadIdentityEnabled": { "value": "[parameters('workloadIdentityEnabled')]" }, "oidcIssuerProfileEnabled": { "value": 
"[parameters('oidcIssuerProfileEnabled')]" }, "podIdentityProfileEnabled": { "value": "[parameters('podIdentityProfileEnabled')]" }, "prometheusAndGrafanaEnabled": { "value": true }, "metricAnnotationsAllowList": { "value": "[parameters('metricAnnotationsAllowList')]" }, "metricLabelsAllowlist": { "value": "[parameters('metricLabelsAllowlist')]" }, "publicDnsZoneName": { "value": "[parameters('publicDnsZoneName')]" }, "publicDnsZoneResourceGroupName": { "value": "[parameters('publicDnsZoneResourceGroupName')]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('clusterTags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "13886479134355414709" } }, "parameters": { "name": { "type": "string", "defaultValue": "[format('aks-{0}', uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the name of the AKS cluster." } }, "enableVnetIntegration": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable API server VNET integration for the cluster or not." } }, "virtualNetworkName": { "type": "string", "metadata": { "description": "Specifies the name of the existing virtual network." } }, "systemAgentPoolSubnetName": { "type": "string", "defaultValue": "SystemSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the default system agent pool of the AKS cluster." } }, "userAgentPoolSubnetName": { "type": "string", "defaultValue": "UserSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the user agent pool of the AKS cluster." 
} }, "podSubnetName": { "type": "string", "defaultValue": "PodSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the pods running in the AKS cluster." } }, "apiServerSubnetName": { "type": "string", "defaultValue": "ApiServerSubnet", "metadata": { "description": "Specifies the name of the subnet delegated to the API server when configuring the AKS cluster to use API server VNET integration." } }, "managedIdentityName": { "type": "string", "metadata": { "description": "Specifies the name of the AKS user-defined managed identity." } }, "dnsPrefix": { "type": "string", "defaultValue": "[parameters('name')]", "metadata": { "description": "Specifies the DNS prefix specified when creating the managed cluster." } }, "networkPlugin": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "kubenet" ], "metadata": { "description": "Specifies the network plugin used for building the Kubernetes network: azure or kubenet." } }, "networkPluginMode": { "type": "string", "defaultValue": "", "allowedValues": [ "", "overlay" ], "metadata": { "description": "Specifies the Network plugin mode used for building the Kubernetes network." } }, "networkMode": { "type": "string", "defaultValue": "transparent", "allowedValues": [ "bridge", "transparent" ], "metadata": { "description": "Specifies the network mode. This cannot be specified if networkPlugin is anything other than azure." } }, "networkPolicy": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "calico" ], "metadata": { "description": "Specifies the network policy used for building the Kubernetes network: azure or calico." } }, "networkDataplane": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "cilium" ], "metadata": { "description": "Specifies the network dataplane used in the Kubernetes cluster." 
} }, "podCidr": { "type": "string", "defaultValue": "192.168.0.0/16", "metadata": { "description": "Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used." } }, "serviceCidr": { "type": "string", "defaultValue": "172.16.0.0/16", "metadata": { "description": "A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges." } }, "dnsServiceIP": { "type": "string", "defaultValue": "172.16.0.10", "metadata": { "description": "Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr." } }, "loadBalancerSku": { "type": "string", "defaultValue": "standard", "allowedValues": [ "basic", "standard" ], "metadata": { "description": "Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools." } }, "monitoringEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether Network Observability is enabled or not. When enabled, network monitoring generates metrics in Prometheus format." } }, "outboundType": { "type": "string", "defaultValue": "loadBalancer", "allowedValues": [ "loadBalancer", "managedNATGateway", "userAssignedNATGateway", "userDefinedRouting" ], "metadata": { "description": "Specifies the outbound (egress) routing method: loadBalancer, managedNATGateway, userAssignedNATGateway, or userDefinedRouting." } }, "skuTier": { "type": "string", "defaultValue": "Free", "allowedValues": [ "Free", "Standard", "Premium" ], "metadata": { "description": "Specifies the tier of the managed cluster SKU: Free, Standard, or Premium." } }, "kubernetesVersion": { "type": "string", "defaultValue": "1.18.8", "metadata": { "description": "Specifies the version of Kubernetes specified when creating the managed cluster." } }, "adminUsername": { "type": "string", "defaultValue": "azureuser", "metadata": { "description": "Specifies the administrator username of Linux virtual machines." 
} }, "sshPublicKey": { "type": "string", "metadata": { "description": "Specifies the SSH RSA public key string for the Linux nodes." } }, "aadProfileTenantId": { "type": "string", "defaultValue": "[subscription().tenantId]", "metadata": { "description": "Specifies the tenant id of the Azure Active Directory used by the AKS cluster for authentication." } }, "aadProfileAdminGroupObjectIDs": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the AAD group object IDs that will have admin role of the cluster." } }, "nodeOSUpgradeChannel": { "type": "string", "defaultValue": "Unmanaged", "allowedValues": [ "NodeImage", "None", "SecurityPatch", "Unmanaged" ], "metadata": { "description": "Specifies the node OS upgrade channel. The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA." } }, "upgradeChannel": { "type": "string", "defaultValue": "stable", "allowedValues": [ "rapid", "stable", "patch", "node-image", "none" ], "metadata": { "description": "Specifies the upgrade channel for auto upgrade. Allowed values include rapid, stable, patch, node-image, none." } }, "enablePrivateCluster": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create the cluster as a private cluster or not." } }, "privateDNSZone": { "type": "string", "defaultValue": "none", "metadata": { "description": "Specifies the Private DNS Zone mode for private cluster. When the value is equal to None, a Public DNS Zone is used in place of a Private DNS Zone." } }, "enablePrivateClusterPublicFQDN": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create additional public FQDN for private cluster or not." } }, "aadProfileManaged": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable managed AAD integration."
} }, "aadProfileEnableAzureRBAC": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable Azure RBAC for Kubernetes authorization." } }, "systemAgentPoolName": { "type": "string", "defaultValue": "nodepool1", "metadata": { "description": "Specifies the unique name of the system node pool profile in the context of the subscription and resource group." } }, "systemAgentPoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the vm size of nodes in the system node pool." } }, "systemAgentPoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the OS Disk Size in GB to be used to specify the disk size for every machine in the system agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." } }, "systemAgentPoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "allowedValues": [ "Ephemeral", "Managed" ], "metadata": { "description": "Specifies the OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. - Managed or Ephemeral" } }, "systemAgentPoolAgentCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of agents (VMs) to host docker containers in the system node pool. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1." } }, "systemAgentPoolOsType": { "type": "string", "defaultValue": "Linux", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS type for the vms in the system node pool. Choose from Linux and Windows. Defaults to Linux."
} }, "systemAgentPoolOsSKU": { "type": "string", "defaultValue": "Ubuntu", "allowedValues": [ "Ubuntu", "Windows2019", "Windows2022", "AzureLinux" ], "metadata": { "description": "Specifies the OS SKU used by the system agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated." } }, "systemAgentPoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods that can run on a node in the system node pool. The maximum number of pods per node in an AKS cluster is 250. The default maximum number of pods per node varies between kubenet and Azure CNI networking, and the method of cluster deployment." } }, "systemAgentPoolMaxCount": { "type": "int", "defaultValue": 5, "metadata": { "description": "Specifies the maximum number of nodes for auto-scaling for the system node pool." } }, "systemAgentPoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for auto-scaling for the system node pool." } }, "systemAgentPoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the system node pool." } }, "systemAgentPoolScaleSetPriority": { "type": "string", "defaultValue": "Regular", "allowedValues": [ "Spot", "Regular" ], "metadata": { "description": "Specifies the virtual machine scale set priority in the system node pool: Spot or Regular." } }, "systemAgentPoolScaleSetEvictionPolicy": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the ScaleSetEvictionPolicy to be used to specify eviction policy for spot virtual machine scale set. Default to Delete. Allowed values are Delete or Deallocate." 
} }, "systemAgentPoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the Agent pool node labels to be persisted across all nodes in the system node pool." } }, "systemAgentPoolNodeTaints": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." } }, "systemAgentPoolKubeletDiskType": { "type": "string", "defaultValue": "OS", "allowedValues": [ "OS", "Temporary" ], "metadata": { "description": "Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." } }, "systemAgentPoolType": { "type": "string", "defaultValue": "VirtualMachineScaleSets", "allowedValues": [ "VirtualMachineScaleSets", "AvailabilitySet" ], "metadata": { "description": "Specifies the type for the system node pool: VirtualMachineScaleSets or AvailabilitySet" } }, "systemAgentPoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent nodes in the system node pool. Requires the use of VirtualMachineScaleSets as node pool type." } }, "systemAgentPoolScaleDownMode": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the scale down mode that affects the cluster autoscaler behavior. If not specified, it defaults to Delete." } }, "systemAgentPoolSpotMaxPrice": { "type": "int", "defaultValue": -1, "metadata": { "description": "Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing" } }, "userAgentPoolName": { "type": "string", "defaultValue": "nodepool1", "metadata": { "description": "Specifies the unique name of the user node pool profile in the context of the subscription and resource group."
} }, "userAgentPoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the vm size of nodes in the user node pool." } }, "userAgentPoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the OS Disk Size in GB to be used to specify the disk size for every machine in the user agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." } }, "userAgentPoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "allowedValues": [ "Ephemeral", "Managed" ], "metadata": { "description": "Specifies the OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. - Managed or Ephemeral" } }, "userAgentPoolAgentCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of agents (VMs) to host docker containers in the user node pool. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1." } }, "userAgentPoolOsType": { "type": "string", "defaultValue": "Linux", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS type for the vms in the user node pool. Choose from Linux and Windows. Defaults to Linux." } }, "userAgentPoolOsSKU": { "type": "string", "defaultValue": "Ubuntu", "allowedValues": [ "Ubuntu", "Windows2019", "Windows2022", "AzureLinux" ], "metadata": { "description": "Specifies the OS SKU used by the user agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated."
} }, "userAgentPoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods that can run on a node in the user node pool. The maximum number of pods per node in an AKS cluster is 250. The default maximum number of pods per node varies between kubenet and Azure CNI networking, and the method of cluster deployment." } }, "userAgentPoolMaxCount": { "type": "int", "defaultValue": 5, "metadata": { "description": "Specifies the maximum number of nodes for auto-scaling for the user node pool." } }, "userAgentPoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for auto-scaling for the user node pool." } }, "userAgentPoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the user node pool." } }, "userAgentPoolScaleSetPriority": { "type": "string", "defaultValue": "Regular", "allowedValues": [ "Spot", "Regular" ], "metadata": { "description": "Specifies the virtual machine scale set priority in the user node pool: Spot or Regular." } }, "userAgentPoolScaleSetEvictionPolicy": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the ScaleSetEvictionPolicy to be used to specify eviction policy for spot virtual machine scale set. Default to Delete. Allowed values are Delete or Deallocate." } }, "userAgentPoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the Agent pool node labels to be persisted across all nodes in the user node pool." } }, "userAgentPoolNodeTaints": { "type": "array", "defaultValue": [], "allowedValues": [ "OS", "Temporary" ], "metadata": { "description": "Specifies the taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." 
} }, "userAgentPoolKubeletDiskType": { "type": "string", "defaultValue": "OS", "metadata": { "description": "Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." } }, "userAgentPoolType": { "type": "string", "defaultValue": "VirtualMachineScaleSets", "allowedValues": [ "VirtualMachineScaleSets", "AvailabilitySet" ], "metadata": { "description": "Specifies the type for the user node pool: VirtualMachineScaleSets or AvailabilitySet" } }, "userAgentPoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent nodes in the user node pool. Requires the use of VirtualMachineScaleSets as node pool type." } }, "userAgentPoolScaleDownMode": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the scale down mode that affects the cluster autoscaler behavior. If not specified, it defaults to Delete." } }, "userAgentPoolSpotMaxPrice": { "type": "int", "defaultValue": -1, "metadata": { "description": "Possible values are any decimal value greater than zero or -1 which indicates the willingness to pay any on-demand price. For more details on spot pricing, see spot VMs pricing" } }, "httpApplicationRoutingEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the httpApplicationRouting add-on is enabled or not." } }, "istioServiceMeshEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Istio Service Mesh add-on is enabled or not." } }, "istioIngressGatewayEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Istio Ingress Gateway is enabled or not."
} }, "istioIngressGatewayType": { "type": "string", "defaultValue": "External", "allowedValues": [ "Internal", "External" ], "metadata": { "description": "Specifies the type of the Istio Ingress Gateway." } }, "kedaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Kubernetes Event-Driven Autoscaler (KEDA) add-on is enabled or not." } }, "daprEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Dapr extension is enabled or not." } }, "daprHaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable high availability (HA) mode for the Dapr control plane." } }, "fluxGitOpsEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Flux V2 extension is enabled or not." } }, "verticalPodAutoscalerEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Vertical Pod Autoscaler is enabled or not." } }, "aciConnectorLinuxEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the aciConnectorLinux add-on is enabled or not." } }, "azurePolicyEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the azurepolicy add-on is enabled or not." } }, "azureKeyvaultSecretsProviderEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault Provider for Secrets Store CSI Driver addon is enabled or not." } }, "kubeDashboardEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the kubeDashboard add-on is enabled or not." } }, "podIdentityProfileEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the pod identity addon is enabled."
} }, "oidcIssuerProfileEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the OIDC issuer is enabled." } }, "autoScalerProfileScanInterval": { "type": "string", "defaultValue": "10s", "metadata": { "description": "Specifies the scan interval of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterAdd": { "type": "string", "defaultValue": "10m", "metadata": { "description": "Specifies the scale down delay after add of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterDelete": { "type": "string", "defaultValue": "20s", "metadata": { "description": "Specifies the scale down delay after delete of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterFailure": { "type": "string", "defaultValue": "3m", "metadata": { "description": "Specifies scale down delay after failure of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownUnneededTime": { "type": "string", "defaultValue": "10m", "metadata": { "description": "Specifies the scale down unneeded time of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownUnreadyTime": { "type": "string", "defaultValue": "20m", "metadata": { "description": "Specifies the scale down unready time of the auto-scaler of the AKS cluster." } }, "autoScalerProfileUtilizationThreshold": { "type": "string", "defaultValue": "0.5", "metadata": { "description": "Specifies the utilization threshold of the auto-scaler of the AKS cluster." } }, "autoScalerProfileMaxGracefulTerminationSec": { "type": "string", "defaultValue": "600", "metadata": { "description": "Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster." 
} }, "autoScalerProfileExpander": { "type": "string", "defaultValue": "random", "allowedValues": [ "least-waste", "most-pods", "priority", "random" ], "metadata": { "description": "Specifies the type of node pool expander to be used in scale up. Possible values: most-pods, random, least-waste, priority." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } }, "blobCSIDriverEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable the Azure Blob CSI Driver. The default value is false." } }, "diskCSIDriverEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable the Azure Disk CSI Driver. The default value is true." } }, "fileCSIDriverEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable the Azure File CSI Driver. The default value is true." } }, "snapshotControllerEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable the Snapshot Controller. The default value is true." } }, "defenderSecurityMonitoringEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable Defender threat detection. The default value is false." } }, "imageCleanerEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable ImageCleaner on AKS cluster. The default value is false." } }, "imageCleanerIntervalHours": { "type": "int", "defaultValue": 24, "metadata": { "description": "Specifies the ImageCleaner scanning interval in hours."
} }, "nodeRestrictionEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable Node Restriction. The default value is false." } }, "workloadIdentityEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable Workload Identity. The default value is false." } }, "prometheusAndGrafanaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether or not to create Azure Monitor managed service for Prometheus and Azure Managed Grafana resources." } }, "metricAnnotationsAllowList": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies a comma-separated list of additional Kubernetes label keys that will be used in the resource labels metric." } }, "metricLabelsAllowlist": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource labels metric." } }, "ipFamilies": { "type": "array", "defaultValue": [ "IPv4" ], "metadata": { "description": "Specifies the IP families used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6." } }, "webAppRoutingEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the managed NGINX Ingress Controller application routing addon is enabled." } }, "publicDnsZoneName": { "type": "string", "metadata": { "description": "Specifies the name of the public DNS zone used by the managed NGINX Ingress Controller, when enabled." } }, "publicDnsZoneResourceGroupName": { "type": "string", "metadata": { "description": "Specifies the resource group name of the public DNS zone used by the managed NGINX Ingress Controller, when enabled."
} } }, "variables": { "copy": [ { "name": "logs", "count": "[length(variables('logCategories'))]", "input": { "category": "[variables('logCategories')[copyIndex('logs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "metrics", "count": "[length(variables('metricCategories'))]", "input": { "category": "[variables('metricCategories')[copyIndex('metrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } } ], "diagnosticSettingsName": "diagnosticSettings", "logCategories": [ "kube-apiserver", "kube-audit", "kube-audit-admin", "kube-controller-manager", "kube-scheduler", "cluster-autoscaler", "cloud-controller-manager", "guard", "csi-azuredisk-controller", "csi-azurefile-controller", "csi-snapshot-controller" ], "metricCategories": [ "AllMetrics" ] }, "resources": [ { "type": "Microsoft.ContainerService/managedClusters", "apiVersion": "2024-01-02-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "Base", "tier": "[parameters('skuTier')]" }, "identity": { "type": "UserAssigned", "userAssignedIdentities": { "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')))]": {} } }, "properties": { "kubernetesVersion": "[parameters('kubernetesVersion')]", "dnsPrefix": "[parameters('dnsPrefix')]", "agentPoolProfiles": [ { "name": "[toLower(parameters('systemAgentPoolName'))]", "count": "[parameters('systemAgentPoolAgentCount')]", "vmSize": "[parameters('systemAgentPoolVmSize')]", "vnetSubnetID": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('systemAgentPoolSubnetName'))]", "podSubnetID": "[if(equals(parameters('networkPluginMode'), 'overlay'), null(), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('podSubnetName')))]", "maxPods": "[parameters('systemAgentPoolMaxPods')]", 
"osDiskSizeGB": "[parameters('systemAgentPoolOsDiskSizeGB')]", "osDiskType": "[parameters('systemAgentPoolOsDiskType')]", "osSKU": "[parameters('systemAgentPoolOsSKU')]", "osType": "[parameters('systemAgentPoolOsType')]", "maxCount": "[parameters('systemAgentPoolMaxCount')]", "minCount": "[parameters('systemAgentPoolMinCount')]", "scaleDownMode": "[parameters('systemAgentPoolScaleDownMode')]", "scaleSetPriority": "[parameters('systemAgentPoolScaleSetPriority')]", "scaleSetEvictionPolicy": "[if(equals(parameters('systemAgentPoolScaleSetEvictionPolicy'), 'Spot'), parameters('systemAgentPoolScaleSetEvictionPolicy'), null())]", "spotMaxPrice": "[if(equals(parameters('systemAgentPoolScaleSetEvictionPolicy'), 'Spot'), parameters('systemAgentPoolSpotMaxPrice'), null())]", "enableAutoScaling": "[parameters('systemAgentPoolEnableAutoScaling')]", "mode": "System", "type": "[parameters('systemAgentPoolType')]", "availabilityZones": "[parameters('systemAgentPoolAvailabilityZones')]", "nodeLabels": "[parameters('systemAgentPoolNodeLabels')]", "nodeTaints": "[parameters('systemAgentPoolNodeTaints')]", "kubeletDiskType": "[parameters('systemAgentPoolKubeletDiskType')]" }, { "name": "[toLower(parameters('userAgentPoolName'))]", "count": "[parameters('userAgentPoolAgentCount')]", "vmSize": "[parameters('userAgentPoolVmSize')]", "vnetSubnetID": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('userAgentPoolSubnetName'))]", "podSubnetID": "[if(equals(parameters('networkPluginMode'), 'overlay'), null(), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('podSubnetName')))]", "maxPods": "[parameters('userAgentPoolMaxPods')]", "osDiskSizeGB": "[parameters('userAgentPoolOsDiskSizeGB')]", "osDiskType": "[parameters('userAgentPoolOsDiskType')]", "osSKU": "[parameters('userAgentPoolOsSKU')]", "osType": "[parameters('userAgentPoolOsType')]", "maxCount": 
"[parameters('userAgentPoolMaxCount')]", "minCount": "[parameters('userAgentPoolMinCount')]", "scaleDownMode": "[parameters('userAgentPoolScaleDownMode')]", "scaleSetPriority": "[parameters('userAgentPoolScaleSetPriority')]", "scaleSetEvictionPolicy": "[if(equals(parameters('userAgentPoolScaleSetEvictionPolicy'), 'Spot'), parameters('userAgentPoolScaleSetEvictionPolicy'), null())]", "spotMaxPrice": "[if(equals(parameters('userAgentPoolScaleSetEvictionPolicy'), 'Spot'), parameters('userAgentPoolSpotMaxPrice'), null())]", "enableAutoScaling": "[parameters('userAgentPoolEnableAutoScaling')]", "mode": "User", "type": "[parameters('userAgentPoolType')]", "availabilityZones": "[parameters('userAgentPoolAvailabilityZones')]", "nodeLabels": "[parameters('userAgentPoolNodeLabels')]", "nodeTaints": "[parameters('userAgentPoolNodeTaints')]", "kubeletDiskType": "[parameters('userAgentPoolKubeletDiskType')]" } ], "linuxProfile": { "adminUsername": "[parameters('adminUsername')]", "ssh": { "publicKeys": [ { "keyData": "[parameters('sshPublicKey')]" } ] } }, "addonProfiles": { "httpApplicationRouting": { "enabled": "[parameters('httpApplicationRoutingEnabled')]" }, "omsagent": { "enabled": true, "config": { "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]" } }, "aciConnectorLinux": { "enabled": "[parameters('aciConnectorLinuxEnabled')]" }, "azurepolicy": { "enabled": "[parameters('azurePolicyEnabled')]", "config": { "version": "v2" } }, "kubeDashboard": { "enabled": "[parameters('kubeDashboardEnabled')]" }, "azureKeyvaultSecretsProvider": { "config": { "enableSecretRotation": "false" }, "enabled": "[parameters('azureKeyvaultSecretsProviderEnabled')]" } }, "podIdentityProfile": { "enabled": "[parameters('podIdentityProfileEnabled')]" }, "oidcIssuerProfile": { "enabled": "[parameters('oidcIssuerProfileEnabled')]" }, "enableRBAC": true, "ingressProfile": { "webAppRouting": { "enabled": "[parameters('webAppRoutingEnabled')]", "dnsZoneResourceIds": [ 
"[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('publicDnsZoneResourceGroupName')), 'Microsoft.Network/dnsZones', parameters('publicDnsZoneName'))]" ] } }, "networkProfile": { "networkDataplane": "[parameters('networkDataplane')]", "networkMode": "[if(equals(parameters('networkPlugin'), 'azure'), parameters('networkMode'), '')]", "networkPlugin": "[parameters('networkPlugin')]", "networkPluginMode": "[if(equals(parameters('networkPlugin'), 'azure'), parameters('networkPluginMode'), '')]", "networkPolicy": "[parameters('networkPolicy')]", "podCidr": "[if(or(equals(parameters('networkPlugin'), 'kubenet'), equals(parameters('networkPluginMode'), 'overlay')), parameters('podCidr'), null())]", "serviceCidr": "[parameters('serviceCidr')]", "dnsServiceIP": "[parameters('dnsServiceIP')]", "outboundType": "[parameters('outboundType')]", "loadBalancerSku": "[parameters('loadBalancerSku')]", "monitoring": "[if(parameters('monitoringEnabled'), createObject('enabled', true()), null())]", "loadBalancerProfile": null, "ipFamilies": "[parameters('ipFamilies')]" }, "workloadAutoScalerProfile": { "keda": { "enabled": "[parameters('kedaEnabled')]" }, "verticalPodAutoscaler": { "enabled": "[parameters('verticalPodAutoscalerEnabled')]" } }, "aadProfile": { "clientAppID": null, "serverAppID": null, "serverAppSecret": null, "managed": "[parameters('aadProfileManaged')]", "enableAzureRBAC": "[parameters('aadProfileEnableAzureRBAC')]", "adminGroupObjectIDs": "[parameters('aadProfileAdminGroupObjectIDs')]", "tenantID": "[parameters('aadProfileTenantId')]" }, "autoUpgradeProfile": { "nodeOSUpgradeChannel": "[parameters('nodeOSUpgradeChannel')]", "upgradeChannel": "[parameters('upgradeChannel')]" }, "azureMonitorProfile": { "metrics": { "enabled": "[parameters('prometheusAndGrafanaEnabled')]", "kubeStateMetrics": { "metricAnnotationsAllowList": "[parameters('metricAnnotationsAllowList')]", "metricLabelsAllowlist": 
"[parameters('metricLabelsAllowlist')]" } } }, "autoScalerProfile": { "scan-interval": "[parameters('autoScalerProfileScanInterval')]", "scale-down-delay-after-add": "[parameters('autoScalerProfileScaleDownDelayAfterAdd')]", "scale-down-delay-after-delete": "[parameters('autoScalerProfileScaleDownDelayAfterDelete')]", "scale-down-delay-after-failure": "[parameters('autoScalerProfileScaleDownDelayAfterFailure')]", "scale-down-unneeded-time": "[parameters('autoScalerProfileScaleDownUnneededTime')]", "scale-down-unready-time": "[parameters('autoScalerProfileScaleDownUnreadyTime')]", "scale-down-utilization-threshold": "[parameters('autoScalerProfileUtilizationThreshold')]", "max-graceful-termination-sec": "[parameters('autoScalerProfileMaxGracefulTerminationSec')]", "expander": "[parameters('autoScalerProfileExpander')]" }, "apiServerAccessProfile": { "enablePrivateCluster": "[parameters('enablePrivateCluster')]", "enableVnetIntegration": "[parameters('enableVnetIntegration')]", "privateDNSZone": "[if(parameters('enablePrivateCluster'), parameters('privateDNSZone'), null())]", "enablePrivateClusterPublicFQDN": "[parameters('enablePrivateClusterPublicFQDN')]", "subnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('apiServerSubnetName'))]" }, "securityProfile": { "defender": { "logAnalyticsWorkspaceResourceId": "[parameters('workspaceId')]", "securityMonitoring": { "enabled": "[parameters('defenderSecurityMonitoringEnabled')]" } }, "imageCleaner": { "enabled": "[parameters('imageCleanerEnabled')]", "intervalHours": "[parameters('imageCleanerIntervalHours')]" }, "nodeRestriction": { "enabled": "[parameters('nodeRestrictionEnabled')]" }, "workloadIdentity": { "enabled": "[parameters('workloadIdentityEnabled')]" } }, "serviceMeshProfile": "[if(parameters('istioServiceMeshEnabled'), createObject('istio', createObject('components', createObject('ingressGateways', if(parameters('istioIngressGatewayEnabled'), 
createArray(createObject('enabled', true(), 'mode', parameters('istioIngressGatewayType'))), null()))), 'mode', 'Istio'), null())]", "storageProfile": { "blobCSIDriver": { "enabled": "[parameters('blobCSIDriverEnabled')]" }, "diskCSIDriver": { "enabled": "[parameters('diskCSIDriverEnabled')]" }, "fileCSIDriver": { "enabled": "[parameters('fileCSIDriverEnabled')]" }, "snapshotController": { "enabled": "[parameters('snapshotControllerEnabled')]" } } } }, { "condition": "[parameters('daprEnabled')]", "type": "Microsoft.KubernetesConfiguration/extensions", "apiVersion": "2022-04-02-preview", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", "name": "dapr", "properties": { "extensionType": "Microsoft.Dapr", "autoUpgradeMinorVersion": true, "releaseTrain": "Stable", "configurationSettings": { "global.ha.enabled": "[format('{0}', parameters('daprHaEnabled'))]" }, "scope": { "cluster": { "releaseNamespace": "dapr-system" } }, "configurationProtectedSettings": {} }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" ] }, { "condition": "[parameters('fluxGitOpsEnabled')]", "type": "Microsoft.KubernetesConfiguration/extensions", "apiVersion": "2022-04-02-preview", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", "name": "flux", "properties": { "extensionType": "microsoft.flux", "autoUpgradeMinorVersion": true, "releaseTrain": "Stable", "scope": { "cluster": { "releaseNamespace": "flux-system" } }, "configurationProtectedSettings": {} }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]", "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), 'Microsoft.KubernetesConfiguration/extensions', 'dapr')]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', 
parameters('name'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('logs')]", "metrics": "[variables('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" }, "fqdn": { "type": "string", "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2024-01-02-preview').fqdn]" }, "nodeResourceGroup": { "type": "string", "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2024-01-02-preview').nodeResourceGroup]" }, "azureKeyvaultSecretsProviderIdentity": { "type": "object", "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2024-01-02-preview').addonProfiles.azureKeyvaultSecretsProvider.identity]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksManageIdentity')]", "[resourceId('Microsoft.Resources/deployments', 'network')]", "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "condition": "[parameters('actionGroupEnabled')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "actionGroup", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('actionGroupName')]" }, "enabled": { "value": "[parameters('actionGroupEnabled')]" }, "groupShortName": { "value": "[parameters('actionGroupShortName')]" }, "emailAddress": { "value": "[parameters('actionGroupEmailAddress')]" }, "useCommonAlertSchema": { "value": "[parameters('actionGroupUseCommonAlertSchema')]" }, "countryCode": { "value": "[parameters('actionGroupCountryCode')]" }, "phoneNumber": { 
"value": "[parameters('actionGroupPhoneNumber')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "4617201979628324293" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of the Action Group resource." } }, "groupShortName": { "type": "string", "defaultValue": "AksAlerts", "metadata": { "description": "Specifies the short name of the action group. This will be used in SMS messages." } }, "enabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications." } }, "emailAddress": { "type": "string", "metadata": { "description": "Specifies the email address of the email receiver. If empty, no email receiver is created." } }, "useCommonAlertSchema": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the email receiver uses the common alert schema." } }, "countryCode": { "type": "string", "defaultValue": "39", "metadata": { "description": "Specifies the country code of the SMS receiver. An SMS receiver is created only when both countryCode and phoneNumber are non-empty." } }, "phoneNumber": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the phone number of the SMS receiver. If empty, no SMS receiver is created." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags."
} } }, "resources": [ { "type": "Microsoft.Insights/actionGroups", "apiVersion": "2023-01-01", "name": "[parameters('name')]", "location": "Global", "tags": "[parameters('tags')]", "properties": { "groupShortName": "[parameters('groupShortName')]", "enabled": "[parameters('enabled')]", "emailReceivers": "[if(not(empty(parameters('emailAddress'))), createArray(createObject('name', 'EmailAndTextMessageOthers_-EmailAction-', 'emailAddress', parameters('emailAddress'), 'useCommonAlertSchema', parameters('useCommonAlertSchema'))), createArray())]", "smsReceivers": "[if(and(not(empty(parameters('countryCode'))), not(empty(parameters('phoneNumber')))), createArray(createObject('name', 'EmailAndTextMessageOthers_-SMSAction-', 'countryCode', parameters('countryCode'), 'phoneNumber', parameters('phoneNumber'))), createArray())]", "armRoleReceivers": [ { "name": "EmailOwner", "roleId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "useCommonAlertSchema": false } ] } } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.Insights/actionGroups', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } } }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "managedPrometheus", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('prometheusName')]" }, "publicNetworkAccess": { "value": "[parameters('prometheusPublicNetworkAccess')]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" }, "clusterName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.name.value]" }, "actionGroupId": "[if(parameters('actionGroupEnabled'), createObject('value', reference(resourceId('Microsoft.Resources/deployments', 'actionGroup'), '2022-09-01').outputs.id.value), createObject('value', ''))]" }, "template": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "15050851764041061007" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Monitor managed service for Prometheus resource." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location of the Azure Monitor managed service for Prometheus resource." } }, "clusterName": { "type": "string", "metadata": { "description": "Specifies the name of the AKS cluster." } }, "publicNetworkAccess": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether public network access is allowed on the data collection endpoint that ingests Prometheus metrics for the Azure Monitor managed service for Prometheus resource (applied as the endpoint's networkAcls.publicNetworkAccess). Defaults to Enabled; set to Disabled to block ingestion over the public endpoint." } }, "actionGroupId": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the resource id of the Action Group that the Prometheus alert rules notify. Note that the alert rules in this template pass this value through unconditionally, so an empty value is sent as an empty actionGroupId rather than omitting the action; confirm the deployment accepts this before disabling the action group." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags for the Azure Monitor managed service for Prometheus resource."
} } }, "variables": { "nodeRecordingRuleGroupPrefix": "NodeRecordingRulesRuleGroup-", "nodeRecordingRuleGroupName": "[format('{0}{1}', variables('nodeRecordingRuleGroupPrefix'), parameters('clusterName'))]", "nodeRecordingRuleGroupDescription": "Node Recording Rules RuleGroup", "kubernetesRecordingRuleGrouPrefix": "KubernetesRecordingRulesRuleGroup-", "kubernetesRecordingRuleGroupName": "[format('{0}{1}', variables('kubernetesRecordingRuleGrouPrefix'), parameters('clusterName'))]", "kubernetesRecordingRuleGroupDescription": "Kubernetes Recording Rules RuleGroup", "nodeRecordingRuleGroupWin": "NodeRecordingRulesRuleGroup-Win-", "nodeAndKubernetesRecordingRuleGroupWin": "NodeAndKubernetesRecordingRulesRuleGroup-Win-", "nodeRecordingRuleGroupNameWinName": "[format('{0}{1}', variables('nodeRecordingRuleGroupWin'), parameters('clusterName'))]", "nodeAndKubernetesRecordingRuleGroupWinName": "[format('{0}{1}', variables('nodeAndKubernetesRecordingRuleGroupWin'), parameters('clusterName'))]", "RecordingRuleGroupDescriptionWin": "Recording Rules RuleGroup for Win", "version": " - 0.1" }, "resources": [ { "type": "Microsoft.Monitor/accounts", "apiVersion": "2023-04-03", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Insights/dataCollectionEndpoints", "apiVersion": "2022-06-01", "name": "[format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName'))]", "location": "[parameters('location')]", "kind": "Linux", "tags": "[parameters('tags')]", "properties": { "networkAcls": { "publicNetworkAccess": "[parameters('publicNetworkAccess')]" } } }, { "type": "Microsoft.Insights/dataCollectionRules", "apiVersion": "2022-06-01", "name": "[format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', 
format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName')))]", "dataSources": { "prometheusForwarder": [ { "name": "PrometheusDataSource", "streams": [ "Microsoft-PrometheusMetrics" ], "labelIncludeFilter": {} } ] }, "destinations": { "monitoringAccounts": [ { "accountResourceId": "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]", "name": "MonitoringAccount1" } ] }, "dataFlows": [ { "streams": [ "Microsoft-PrometheusMetrics" ], "destinations": [ "MonitoringAccount1" ] } ] }, "dependsOn": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]", "[resourceId('Microsoft.Insights/dataCollectionEndpoints', format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName')))]" ] }, { "type": "Microsoft.Insights/dataCollectionRuleAssociations", "apiVersion": "2022-06-01", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", "name": "[format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName'))]", "properties": { "dataCollectionRuleId": "[resourceId('Microsoft.Insights/dataCollectionRules', format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName')))]", "description": "Association of data collection rule. Deleting this association will break the data collection for this AKS Cluster." 
}, "dependsOn": [ "[resourceId('Microsoft.Insights/dataCollectionRules', format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName')))]" ] }, { "type": "Microsoft.AlertsManagement/prometheusRuleGroups", "apiVersion": "2023-03-01", "name": "[variables('nodeRecordingRuleGroupName')]", "location": "[parameters('location')]", "properties": { "description": "[format('{0}{1}', variables('nodeRecordingRuleGroupDescription'), variables('version'))]", "scopes": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ], "enabled": true, "clusterName": "[parameters('clusterName')]", "interval": "PT1M", "rules": [ { "record": "instance:node_num_cpu:sum", "expression": "count without (cpu, mode) ( node_cpu_seconds_total{job=\"node\",mode=\"idle\"})" }, { "record": "instance:node_cpu_utilisation:rate5m", "expression": "1 - avg without (cpu) ( sum without (mode) (rate(node_cpu_seconds_total{job=\"node\", mode=~\"idle|iowait|steal\"}[5m])))" }, { "record": "instance:node_load1_per_cpu:ratio", "expression": "( node_load1{job=\"node\"}/ instance:node_num_cpu:sum{job=\"node\"})" }, { "record": "instance:node_memory_utilisation:ratio", "expression": "1 - ( ( node_memory_MemAvailable_bytes{job=\"node\"} or ( node_memory_Buffers_bytes{job=\"node\"} + node_memory_Cached_bytes{job=\"node\"} + node_memory_MemFree_bytes{job=\"node\"} + node_memory_Slab_bytes{job=\"node\"} ) )/ node_memory_MemTotal_bytes{job=\"node\"})" }, { "record": "instance:node_vmstat_pgmajfault:rate5m", "expression": "rate(node_vmstat_pgmajfault{job=\"node\"}[5m])" }, { "record": "instance_device:node_disk_io_time_seconds:rate5m", "expression": "rate(node_disk_io_time_seconds_total{job=\"node\", device!=\"\"}[5m])" }, { "record": "instance_device:node_disk_io_time_weighted_seconds:rate5m", "expression": "rate(node_disk_io_time_weighted_seconds_total{job=\"node\", device!=\"\"}[5m])" }, { "record": "instance:node_network_receive_bytes_excluding_lo:rate5m", "expression": "sum without (device) ( 
rate(node_network_receive_bytes_total{job=\"node\", device!=\"lo\"}[5m]))" }, { "record": "instance:node_network_transmit_bytes_excluding_lo:rate5m", "expression": "sum without (device) ( rate(node_network_transmit_bytes_total{job=\"node\", device!=\"lo\"}[5m]))" }, { "record": "instance:node_network_receive_drop_excluding_lo:rate5m", "expression": "sum without (device) ( rate(node_network_receive_drop_total{job=\"node\", device!=\"lo\"}[5m]))" }, { "record": "instance:node_network_transmit_drop_excluding_lo:rate5m", "expression": "sum without (device) ( rate(node_network_transmit_drop_total{job=\"node\", device!=\"lo\"}[5m]))" } ] }, "dependsOn": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ] }, { "type": "Microsoft.AlertsManagement/prometheusRuleGroups", "apiVersion": "2023-03-01", "name": "[variables('kubernetesRecordingRuleGroupName')]", "location": "[parameters('location')]", "properties": { "description": "[format('{0}{1}', variables('kubernetesRecordingRuleGroupDescription'), variables('version'))]", "scopes": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ], "enabled": true, "clusterName": "[parameters('clusterName')]", "interval": "PT1M", "rules": [ { "record": "node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate", "expression": "sum by (cluster, namespace, pod, container) ( irate(container_cpu_usage_seconds_total{job=\"cadvisor\", image!=\"\"}[5m])) * on (cluster, namespace, pod) group_left(node) topk by (cluster, namespace, pod) ( 1, max by(cluster, namespace, pod, node) (kube_pod_info{node!=\"\"}))" }, { "record": "node_namespace_pod_container:container_memory_working_set_bytes", "expression": "container_memory_working_set_bytes{job=\"cadvisor\", image!=\"\"}* on (namespace, pod) group_left(node) topk by(namespace, pod) (1, max by(namespace, pod, node) (kube_pod_info{node!=\"\"}))" }, { "record": "node_namespace_pod_container:container_memory_rss", "expression": 
"container_memory_rss{job=\"cadvisor\", image!=\"\"}* on (namespace, pod) group_left(node) topk by(namespace, pod) (1, max by(namespace, pod, node) (kube_pod_info{node!=\"\"}))" }, { "record": "node_namespace_pod_container:container_memory_cache", "expression": "container_memory_cache{job=\"cadvisor\", image!=\"\"}* on (namespace, pod) group_left(node) topk by(namespace, pod) (1, max by(namespace, pod, node) (kube_pod_info{node!=\"\"}))" }, { "record": "node_namespace_pod_container:container_memory_swap", "expression": "container_memory_swap{job=\"cadvisor\", image!=\"\"}* on (namespace, pod) group_left(node) topk by(namespace, pod) (1, max by(namespace, pod, node) (kube_pod_info{node!=\"\"}))" }, { "record": "cluster:namespace:pod_memory:active:kube_pod_container_resource_requests", "expression": "kube_pod_container_resource_requests{resource=\"memory\",job=\"kube-state-metrics\"} * on (namespace, pod, cluster)group_left() max by (namespace, pod, cluster) ( (kube_pod_status_phase{phase=~\"Pending|Running\"} == 1))" }, { "record": "namespace_memory:kube_pod_container_resource_requests:sum", "expression": "sum by (namespace, cluster) ( sum by (namespace, pod, cluster) ( max by (namespace, pod, container, cluster) ( kube_pod_container_resource_requests{resource=\"memory\",job=\"kube-state-metrics\"} ) * on(namespace, pod, cluster) group_left() max by (namespace, pod, cluster) ( kube_pod_status_phase{phase=~\"Pending|Running\"} == 1 ) ))" }, { "record": "cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests", "expression": "kube_pod_container_resource_requests{resource=\"cpu\",job=\"kube-state-metrics\"} * on (namespace, pod, cluster)group_left() max by (namespace, pod, cluster) ( (kube_pod_status_phase{phase=~\"Pending|Running\"} == 1))" }, { "record": "namespace_cpu:kube_pod_container_resource_requests:sum", "expression": "sum by (namespace, cluster) ( sum by (namespace, pod, cluster) ( max by (namespace, pod, container, cluster) ( 
kube_pod_container_resource_requests{resource=\"cpu\",job=\"kube-state-metrics\"} ) * on(namespace, pod, cluster) group_left() max by (namespace, pod, cluster) ( kube_pod_status_phase{phase=~\"Pending|Running\"} == 1 ) ))" }, { "record": "cluster:namespace:pod_memory:active:kube_pod_container_resource_limits", "expression": "kube_pod_container_resource_limits{resource=\"memory\",job=\"kube-state-metrics\"} * on (namespace, pod, cluster)group_left() max by (namespace, pod, cluster) ( (kube_pod_status_phase{phase=~\"Pending|Running\"} == 1))" }, { "record": "namespace_memory:kube_pod_container_resource_limits:sum", "expression": "sum by (namespace, cluster) ( sum by (namespace, pod, cluster) ( max by (namespace, pod, container, cluster) ( kube_pod_container_resource_limits{resource=\"memory\",job=\"kube-state-metrics\"} ) * on(namespace, pod, cluster) group_left() max by (namespace, pod, cluster) ( kube_pod_status_phase{phase=~\"Pending|Running\"} == 1 ) ))" }, { "record": "cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits", "expression": "kube_pod_container_resource_limits{resource=\"cpu\",job=\"kube-state-metrics\"} * on (namespace, pod, cluster)group_left() max by (namespace, pod, cluster) ( (kube_pod_status_phase{phase=~\"Pending|Running\"} == 1) )" }, { "record": "namespace_cpu:kube_pod_container_resource_limits:sum", "expression": "sum by (namespace, cluster) ( sum by (namespace, pod, cluster) ( max by (namespace, pod, container, cluster) ( kube_pod_container_resource_limits{resource=\"cpu\",job=\"kube-state-metrics\"} ) * on(namespace, pod, cluster) group_left() max by (namespace, pod, cluster) ( kube_pod_status_phase{phase=~\"Pending|Running\"} == 1 ) ))" }, { "record": "namespace_workload_pod:kube_pod_owner:relabel", "expression": "max by (cluster, namespace, workload, pod) ( label_replace( label_replace( kube_pod_owner{job=\"kube-state-metrics\", owner_kind=\"ReplicaSet\"}, \"replicaset\", \"$1\", \"owner_name\", \"(.*)\" ) * 
on(replicaset, namespace) group_left(owner_name) topk by(replicaset, namespace) ( 1, max by (replicaset, namespace, owner_name) ( kube_replicaset_owner{job=\"kube-state-metrics\"} ) ), \"workload\", \"$1\", \"owner_name\", \"(.*)\" ))", "labels": { "workload_type": "deployment" } }, { "record": "namespace_workload_pod:kube_pod_owner:relabel", "expression": "max by (cluster, namespace, workload, pod) ( label_replace( kube_pod_owner{job=\"kube-state-metrics\", owner_kind=\"DaemonSet\"}, \"workload\", \"$1\", \"owner_name\", \"(.*)\" ))", "labels": { "workload_type": "daemonset" } }, { "record": "namespace_workload_pod:kube_pod_owner:relabel", "expression": "max by (cluster, namespace, workload, pod) ( label_replace( kube_pod_owner{job=\"kube-state-metrics\", owner_kind=\"StatefulSet\"}, \"workload\", \"$1\", \"owner_name\", \"(.*)\" ))", "labels": { "workload_type": "statefulset" } }, { "record": "namespace_workload_pod:kube_pod_owner:relabel", "expression": "max by (cluster, namespace, workload, pod) ( label_replace( kube_pod_owner{job=\"kube-state-metrics\", owner_kind=\"Job\"}, \"workload\", \"$1\", \"owner_name\", \"(.*)\" ))", "labels": { "workload_type": "job" } }, { "record": ":node_memory_MemAvailable_bytes:sum", "expression": "sum( node_memory_MemAvailable_bytes{job=\"node\"} or ( node_memory_Buffers_bytes{job=\"node\"} + node_memory_Cached_bytes{job=\"node\"} + node_memory_MemFree_bytes{job=\"node\"} + node_memory_Slab_bytes{job=\"node\"} )) by (cluster)" }, { "record": "cluster:node_cpu:ratio_rate5m", "expression": "sum(rate(node_cpu_seconds_total{job=\"node\",mode!=\"idle\",mode!=\"iowait\",mode!=\"steal\"}[5m])) by (cluster) /count(sum(node_cpu_seconds_total{job=\"node\"}) by (cluster, instance, cpu)) by (cluster)" } ] }, "dependsOn": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ] }, { "type": "Microsoft.AlertsManagement/prometheusRuleGroups", "apiVersion": "2023-03-01", "name": "[variables('nodeRecordingRuleGroupNameWinName')]", 
"location": "[parameters('location')]", "properties": { "description": "[format('{0}{1}', variables('RecordingRuleGroupDescriptionWin'), variables('version'))]", "scopes": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ], "enabled": true, "clusterName": "[parameters('clusterName')]", "interval": "PT1M", "rules": [ { "record": "node:windows_node:sum", "expression": "count (windows_system_system_up_time{job=\"windows-exporter\"})" }, { "record": "node:windows_node_num_cpu:sum", "expression": "count by (instance) (sum by (instance, core) (windows_cpu_time_total{job=\"windows-exporter\"}))" }, { "record": ":windows_node_cpu_utilisation:avg5m", "expression": "1 - avg(rate(windows_cpu_time_total{job=\"windows-exporter\",mode=\"idle\"}[5m]))" }, { "record": "node:windows_node_cpu_utilisation:avg5m", "expression": "1 - avg by (instance) (rate(windows_cpu_time_total{job=\"windows-exporter\",mode=\"idle\"}[5m]))" }, { "record": ":windows_node_memory_utilisation:", "expression": "1 -sum(windows_memory_available_bytes{job=\"windows-exporter\"})/sum(windows_os_visible_memory_bytes{job=\"windows-exporter\"})" }, { "record": ":windows_node_memory_MemFreeCached_bytes:sum", "expression": "sum(windows_memory_available_bytes{job=\"windows-exporter\"} + windows_memory_cache_bytes{job=\"windows-exporter\"})" }, { "record": "node:windows_node_memory_totalCached_bytes:sum", "expression": "(windows_memory_cache_bytes{job=\"windows-exporter\"} + windows_memory_modified_page_list_bytes{job=\"windows-exporter\"} + windows_memory_standby_cache_core_bytes{job=\"windows-exporter\"} + windows_memory_standby_cache_normal_priority_bytes{job=\"windows-exporter\"} + windows_memory_standby_cache_reserve_bytes{job=\"windows-exporter\"})" }, { "record": ":windows_node_memory_MemTotal_bytes:sum", "expression": "sum(windows_os_visible_memory_bytes{job=\"windows-exporter\"})" }, { "record": "node:windows_node_memory_bytes_available:sum", "expression": "sum by (instance) 
((windows_memory_available_bytes{job=\"windows-exporter\"}))" }, { "record": "node:windows_node_memory_bytes_total:sum", "expression": "sum by (instance) (windows_os_visible_memory_bytes{job=\"windows-exporter\"})" }, { "record": "node:windows_node_memory_utilisation:ratio", "expression": "(node:windows_node_memory_bytes_total:sum - node:windows_node_memory_bytes_available:sum) / scalar(sum(node:windows_node_memory_bytes_total:sum))" }, { "record": "node:windows_node_memory_utilisation:", "expression": "1 - (node:windows_node_memory_bytes_available:sum / node:windows_node_memory_bytes_total:sum)" }, { "record": "node:windows_node_memory_swap_io_pages:irate", "expression": "irate(windows_memory_swap_page_operations_total{job=\"windows-exporter\"}[5m])" }, { "record": ":windows_node_disk_utilisation:avg_irate", "expression": "avg(irate(windows_logical_disk_read_seconds_total{job=\"windows-exporter\"}[5m]) + irate(windows_logical_disk_write_seconds_total{job=\"windows-exporter\"}[5m]))" }, { "record": "node:windows_node_disk_utilisation:avg_irate", "expression": "avg by (instance) ((irate(windows_logical_disk_read_seconds_total{job=\"windows-exporter\"}[5m]) + irate(windows_logical_disk_write_seconds_total{job=\"windows-exporter\"}[5m])))" } ] }, "dependsOn": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ] }, { "type": "Microsoft.AlertsManagement/prometheusRuleGroups", "apiVersion": "2023-03-01", "name": "[variables('nodeAndKubernetesRecordingRuleGroupWinName')]", "location": "[parameters('location')]", "properties": { "description": "[format('{0}{1}', variables('RecordingRuleGroupDescriptionWin'), variables('version'))]", "scopes": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ], "enabled": true, "clusterName": "[parameters('clusterName')]", "interval": "PT1M", "rules": [ { "record": "node:windows_node_filesystem_usage:", "expression": "max by (instance,volume)((windows_logical_disk_size_bytes{job=\"windows-exporter\"} - 
windows_logical_disk_free_bytes{job=\"windows-exporter\"}) / windows_logical_disk_size_bytes{job=\"windows-exporter\"})" }, { "record": "node:windows_node_filesystem_avail:", "expression": "max by (instance, volume) (windows_logical_disk_free_bytes{job=\"windows-exporter\"} / windows_logical_disk_size_bytes{job=\"windows-exporter\"})" }, { "record": ":windows_node_net_utilisation:sum_irate", "expression": "sum(irate(windows_net_bytes_total{job=\"windows-exporter\"}[5m]))" }, { "record": "node:windows_node_net_utilisation:sum_irate", "expression": "sum by (instance) ((irate(windows_net_bytes_total{job=\"windows-exporter\"}[5m])))" }, { "record": ":windows_node_net_saturation:sum_irate", "expression": "sum(irate(windows_net_packets_received_discarded_total{job=\"windows-exporter\"}[5m])) + sum(irate(windows_net_packets_outbound_discarded_total{job=\"windows-exporter\"}[5m]))" }, { "record": "node:windows_node_net_saturation:sum_irate", "expression": "sum by (instance) ((irate(windows_net_packets_received_discarded_total{job=\"windows-exporter\"}[5m]) + irate(windows_net_packets_outbound_discarded_total{job=\"windows-exporter\"}[5m])))" }, { "record": "windows_pod_container_available", "expression": "windows_container_available{job=\"windows-exporter\", container_id != \"\"} * on(container_id) group_left(container, pod, namespace) max(kube_pod_container_info{job=\"kube-state-metrics\", container_id != \"\"}) by(container, container_id, pod, namespace)" }, { "record": "windows_container_total_runtime", "expression": "windows_container_cpu_usage_seconds_total{job=\"windows-exporter\", container_id != \"\"} * on(container_id) group_left(container, pod, namespace) max(kube_pod_container_info{job=\"kube-state-metrics\", container_id != \"\"}) by(container, container_id, pod, namespace)" }, { "record": "windows_container_memory_usage", "expression": "windows_container_memory_usage_commit_bytes{job=\"windows-exporter\", container_id != \"\"} * on(container_id) 
group_left(container, pod, namespace) max(kube_pod_container_info{job=\"kube-state-metrics\", container_id != \"\"}) by(container, container_id, pod, namespace)" }, { "record": "windows_container_private_working_set_usage", "expression": "windows_container_memory_usage_private_working_set_bytes{job=\"windows-exporter\", container_id != \"\"} * on(container_id) group_left(container, pod, namespace) max(kube_pod_container_info{job=\"kube-state-metrics\", container_id != \"\"}) by(container, container_id, pod, namespace)" }, { "record": "windows_container_network_received_bytes_total", "expression": "windows_container_network_receive_bytes_total{job=\"windows-exporter\", container_id != \"\"} * on(container_id) group_left(container, pod, namespace) max(kube_pod_container_info{job=\"kube-state-metrics\", container_id != \"\"}) by(container, container_id, pod, namespace)" }, { "record": "windows_container_network_transmitted_bytes_total", "expression": "windows_container_network_transmit_bytes_total{job=\"windows-exporter\", container_id != \"\"} * on(container_id) group_left(container, pod, namespace) max(kube_pod_container_info{job=\"kube-state-metrics\", container_id != \"\"}) by(container, container_id, pod, namespace)" }, { "record": "kube_pod_windows_container_resource_memory_request", "expression": "max by (namespace, pod, container) (kube_pod_container_resource_requests{resource=\"memory\",job=\"kube-state-metrics\"}) * on(container,pod,namespace) (windows_pod_container_available)" }, { "record": "kube_pod_windows_container_resource_memory_limit", "expression": "kube_pod_container_resource_limits{resource=\"memory\",job=\"kube-state-metrics\"} * on(container,pod,namespace) (windows_pod_container_available)" }, { "record": "kube_pod_windows_container_resource_cpu_cores_request", "expression": "max by (namespace, pod, container) ( kube_pod_container_resource_requests{resource=\"cpu\",job=\"kube-state-metrics\"}) * on(container,pod,namespace) 
(windows_pod_container_available)" }, { "record": "kube_pod_windows_container_resource_cpu_cores_limit", "expression": "kube_pod_container_resource_limits{resource=\"cpu\",job=\"kube-state-metrics\"} * on(container,pod,namespace) (windows_pod_container_available)" }, { "record": "namespace_pod_container:windows_container_cpu_usage_seconds_total:sum_rate", "expression": "sum by (namespace, pod, container) (rate(windows_container_total_runtime{}[5m]))" } ] }, "dependsOn": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ] }, { "type": "Microsoft.AlertsManagement/prometheusRuleGroups", "apiVersion": "2021-07-22-preview", "name": "[format('CommunityCIAlerts-{0}', parameters('clusterName'))]", "location": "[parameters('location')]", "properties": { "description": "Kubernetes Alert RuleGroup-communityCIAlerts - 0.1", "scopes": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ], "clusterName": "[parameters('clusterName')]", "enabled": true, "interval": "PT1M", "rules": [ { "alert": "KubePodCrashLooping", "expression": "max_over_time(kube_pod_container_status_waiting_reason{reason=\"CrashLoopBackOff\", job=\"kube-state-metrics\"}[5m]) >= 1", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubePodNotReady", "expression": "sum by (namespace, pod, cluster) ( max by(namespace, pod, cluster) ( kube_pod_status_phase{job=\"kube-state-metrics\", phase=~\"Pending|Unknown\"} ) * on(namespace, pod, cluster) group_left(owner_kind) topk by(namespace, pod, cluster) ( 1, max by(namespace, pod, owner_kind, cluster) (kube_pod_owner{owner_kind!=\"Job\"}) )) > 0", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": 
"[parameters('actionGroupId')]" } ] }, { "alert": "KubeDeploymentReplicasMismatch", "expression": "( kube_deployment_spec_replicas{job=\"kube-state-metrics\"} > kube_deployment_status_replicas_available{job=\"kube-state-metrics\"}) and ( changes(kube_deployment_status_replicas_updated{job=\"kube-state-metrics\"}[10m]) == 0)", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeStatefulSetReplicasMismatch", "expression": "( kube_statefulset_status_replicas_ready{job=\"kube-state-metrics\"} != kube_statefulset_status_replicas{job=\"kube-state-metrics\"}) and ( changes(kube_statefulset_status_replicas_updated{job=\"kube-state-metrics\"}[10m]) == 0)", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeJobNotCompleted", "expression": "time() - max by(namespace, job_name, cluster) (kube_job_status_start_time{job=\"kube-state-metrics\"} and kube_job_status_active{job=\"kube-state-metrics\"} > 0) > 43200", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeJobFailed", "expression": "kube_job_failed{job=\"kube-state-metrics\"} > 0", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeHpaReplicasMismatch", "expression": "(kube_horizontalpodautoscaler_status_desired_replicas{job=\"kube-state-metrics\"} 
!=kube_horizontalpodautoscaler_status_current_replicas{job=\"kube-state-metrics\"}) and(kube_horizontalpodautoscaler_status_current_replicas{job=\"kube-state-metrics\"} >kube_horizontalpodautoscaler_spec_min_replicas{job=\"kube-state-metrics\"}) and(kube_horizontalpodautoscaler_status_current_replicas{job=\"kube-state-metrics\"} 1.5", "for": "PT5M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeMemoryQuotaOvercommit", "expression": "sum(min without(resource) (kube_resourcequota{job=\"kube-state-metrics\", type=\"hard\", resource=~\"(memory|requests.memory)\"})) /sum(kube_node_status_allocatable{resource=\"memory\", job=\"kube-state-metrics\"}) > 1.5", "for": "PT5M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeQuotaAlmostFull", "expression": "kube_resourcequota{job=\"kube-state-metrics\", type=\"used\"} / ignoring(instance, job, type)(kube_resourcequota{job=\"kube-state-metrics\", type=\"hard\"} > 0) > 0.9 < 1", "for": "PT15M", "labels": { "severity": "info" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeVersionMismatch", "expression": "count by (cluster) (count by (git_version, cluster) (label_replace(kubernetes_build_info{job!~\"kube-dns|coredns\"},\"git_version\",\"$1\",\"git_version\",\"(v[0-9]*.[0-9]*).*\"))) > 1", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { 
"alert": "KubeNodeNotReady", "expression": "kube_node_status_condition{job=\"kube-state-metrics\",condition=\"Ready\",status=\"true\"} == 0", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeNodeUnreachable", "expression": "(kube_node_spec_taint{job=\"kube-state-metrics\",key=\"node.kubernetes.io/unreachable\",effect=\"NoSchedule\"} unless ignoring(key,value) kube_node_spec_taint{job=\"kube-state-metrics\",key=~\"ToBeDeletedByClusterAutoscaler|cloud.google.com/impending-node-termination|aws-node-termination-handler/spot-itn\"}) == 1", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeletTooManyPods", "expression": "count by(cluster, node) ( (kube_pod_status_phase{job=\"kube-state-metrics\",phase=\"Running\"} == 1) * on(instance,pod,namespace,cluster) group_left(node) topk by(instance,pod,namespace,cluster) (1, kube_pod_info{job=\"kube-state-metrics\"}))/max by(cluster, node) ( kube_node_status_capacity{job=\"kube-state-metrics\",resource=\"pods\"} != 1) > 0.95", "for": "PT15M", "labels": { "severity": "info" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeNodeReadinessFlapping", "expression": "sum(changes(kube_node_status_condition{status=\"true\",condition=\"Ready\"}[15m])) by (cluster, node) > 2", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] } ] 
}, "dependsOn": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" }, "location": { "type": "string", "value": "[reference(resourceId('Microsoft.Monitor/accounts', parameters('name')), '2023-04-03', 'full').location]" }, "accountId": { "type": "string", "value": "[reference(resourceId('Microsoft.Monitor/accounts', parameters('name')), '2023-04-03').accountId]" }, "prometheusQueryEndpoint": { "type": "string", "value": "[reference(resourceId('Microsoft.Monitor/accounts', parameters('name')), '2023-04-03').metrics.prometheusQueryEndpoint]" }, "internalId": { "type": "string", "value": "[reference(resourceId('Microsoft.Monitor/accounts', parameters('name')), '2023-04-03').metrics.internalId]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'actionGroup')]", "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "managedGrafana", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('grafanaName')]" }, "skuName": { "value": "[parameters('grafanaSkuName')]" }, "apiKey": { "value": "[parameters('grafanaApiKey')]" }, "autoGeneratedDomainNameLabelScope": { "value": "[parameters('grafanaAutoGeneratedDomainNameLabelScope')]" }, "deterministicOutboundIP": { "value": "[parameters('grafanaDeterministicOutboundIP')]" }, "publicNetworkAccess": { "value": "[parameters('grafanaPublicNetworkAccess')]" }, "zoneRedundancy": { "value": "[parameters('grafanaZoneRedundancy')]" }, "prometheusName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'managedPrometheus'), '2022-09-01').outputs.name.value]" }, "userId": { "value": "[parameters('userId')]" }, "location": { 
"value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "1169185918037322465" } }, "parameters": { "prometheusName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Monitor managed service for Prometheus resource." } }, "name": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Managed Grafana resource." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location of the Azure Managed Grafana resource." } }, "skuName": { "type": "string", "defaultValue": "Standard", "metadata": { "description": "Specifies the sku of the Azure Managed Grafana resource." } }, "apiKey": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "Specifies the api key setting of the Azure Managed Grafana resource." } }, "autoGeneratedDomainNameLabelScope": { "type": "string", "defaultValue": "TenantReuse", "allowedValues": [ "TenantReuse" ], "metadata": { "description": "Specifies the scope for dns deterministic name hash calculation." } }, "deterministicOutboundIP": { "type": "string", "defaultValue": "Disabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "Specifies whether the Azure Managed Grafana resource uses deterministic outbound IPs." } }, "publicNetworkAccess": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "Specifies the the state for enable or disable traffic over the public interface for the the Azure Managed Grafana resource." 
} }, "zoneRedundancy": { "type": "string", "defaultValue": "Disabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "The zone redundancy setting of the Azure Managed Grafana resource." } }, "userId": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the object id of an Azure Active Directory user. In general, this the object id of the system administrator who deploys the Azure resources." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags for the Azure Monitor managed service for Prometheus resource." } } }, "resources": [ { "type": "Microsoft.Dashboard/grafana", "apiVersion": "2022-08-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "[parameters('skuName')]" }, "identity": { "type": "SystemAssigned" }, "properties": { "apiKey": "[parameters('apiKey')]", "autoGeneratedDomainNameLabelScope": "[parameters('autoGeneratedDomainNameLabelScope')]", "deterministicOutboundIP": "[parameters('deterministicOutboundIP')]", "grafanaIntegrations": { "azureMonitorWorkspaceIntegrations": [ { "azureMonitorWorkspaceResourceId": "[resourceId('Microsoft.Monitor/accounts', parameters('prometheusName'))]" } ] }, "publicNetworkAccess": "[parameters('publicNetworkAccess')]", "zoneRedundancy": "[parameters('zoneRedundancy')]" } }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.Monitor/accounts/{0}', parameters('prometheusName'))]", "name": "[guid(parameters('name'), parameters('prometheusName'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", "principalId": "[reference(resourceId('Microsoft.Dashboard/grafana', parameters('name')), '2022-08-01', 
'full').identity.principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.Dashboard/grafana', parameters('name'))]" ] }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.Monitor/accounts/{0}', parameters('prometheusName'))]", "name": "[guid(parameters('name'), parameters('prometheusName'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b0d8363b-8ddd-447d-831f-62ca05bff136'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b0d8363b-8ddd-447d-831f-62ca05bff136')]", "principalId": "[reference(resourceId('Microsoft.Dashboard/grafana', parameters('name')), '2022-08-01', 'full').identity.principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.Dashboard/grafana', parameters('name'))]" ] }, { "condition": "[not(empty(parameters('userId')))]", "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.Dashboard/grafana/{0}', parameters('name'))]", "name": "[guid(parameters('name'), parameters('userId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '22926164-76b3-42b3-bc55-97df8dab3e41'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '22926164-76b3-42b3-bc55-97df8dab3e41')]", "principalId": "[parameters('userId')]", "principalType": "User" }, "dependsOn": [ "[resourceId('Microsoft.Dashboard/grafana', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.Dashboard/grafana', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" }, "location": { "type": "string", "value": "[reference(resourceId('Microsoft.Dashboard/grafana', parameters('name')), '2022-08-01', 'full').location]" }, "principalId": { "type": "string", "value": 
"[reference(resourceId('Microsoft.Dashboard/grafana', parameters('name')), '2022-08-01', 'full').identity.principalId]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'managedPrometheus')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "modules-private-link-service", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('privateLinkServiceName')]" }, "loadBalancerName": { "value": "[variables('loadBalancerName')]" }, "loadBalancerResourceGroupName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.nodeResourceGroup.value]" }, "subnetId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network'), '2022-09-01').outputs.vmSubnetId.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "17423315259850411431" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of the private link service." } }, "location": { "type": "string", "metadata": { "description": "Specifies the location of the private link service." } }, "loadBalancerName": { "type": "string", "metadata": { "description": "Specifies the name of the load balancer." } }, "loadBalancerResourceGroupName": { "type": "string", "metadata": { "description": "Specifies the name of the resource group containing the load balancer." } }, "subnetId": { "type": "string", "metadata": { "description": "Specifies the resource Id of the subnet where the private link service will be created." 
} }, "privateIPAllocationMethod": { "type": "string", "defaultValue": "Dynamic", "allowedValues": [ "Static", "Dynamic" ], "metadata": { "description": "Specifies the private IP address allocation method. Possible values are Static or Dynamic. Default is Dynamic." } }, "privateIPAddressVersion": { "type": "string", "defaultValue": "IPv4", "allowedValues": [ "IPv4", "IPv6" ], "metadata": { "description": "Specifies the private IP address version to use. Possible values are IPv4 or IPv6. Default is IPv4." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "resources": [ { "type": "Microsoft.Network/privateLinkServices", "apiVersion": "2023-04-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "autoApproval": { "subscriptions": [ "[subscription().subscriptionId]" ] }, "visibility": { "subscriptions": [ "[subscription().subscriptionId]" ] }, "fqdns": [], "enableProxyProtocol": false, "loadBalancerFrontendIpConfigurations": [ { "id": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('loadBalancerResourceGroupName')), 'Microsoft.Network/loadBalancers', parameters('loadBalancerName')), '2023-04-01').frontendIPConfigurations[0].id]" } ], "ipConfigurations": [ { "name": "Default", "properties": { "privateIPAllocationMethod": "[parameters('privateIPAllocationMethod')]", "subnet": { "id": "[parameters('subnetId')]" }, "primary": true, "privateIPAddressVersion": "[parameters('privateIPAddressVersion')]" } } ] } } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.Network/privateLinkServices', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]", "[resourceId('Microsoft.Resources/deployments', 'deploymentScript')]", 
"[resourceId('Microsoft.Resources/deployments', 'network')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "frontDoor", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "frontDoorName": { "value": "[parameters('frontDoorName')]" }, "frontDoorSkuName": { "value": "[parameters('frontDoorSkuName')]" }, "originResponseTimeoutSeconds": { "value": "[parameters('originResponseTimeoutSeconds')]" }, "originGroupName": { "value": "[parameters('originGroupName')]" }, "originName": { "value": "[parameters('originName')]" }, "originEnabledState": { "value": "[parameters('originEnabledState')]" }, "originPath": { "value": "[parameters('originPath')]" }, "hostName": { "value": "[variables('hostName')]" }, "httpPort": { "value": "[parameters('httpPort')]" }, "httpsPort": { "value": "[parameters('httpsPort')]" }, "originHostHeader": { "value": "[variables('hostName')]" }, "priority": { "value": "[parameters('priority')]" }, "weight": { "value": "[parameters('weight')]" }, "privateLinkResourceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'modules-private-link-service'), '2022-09-01').outputs.id.value]" }, "sampleSize": { "value": "[parameters('sampleSize')]" }, "successfulSamplesRequired": { "value": "[parameters('successfulSamplesRequired')]" }, "additionalLatencyInMilliseconds": { "value": "[parameters('additionalLatencyInMilliseconds')]" }, "probePath": { "value": "[parameters('probePath')]" }, "probeRequestType": { "value": "[parameters('probeRequestType')]" }, "probeProtocol": { "value": "[parameters('probeProtocol')]" }, "probeIntervalInSeconds": { "value": "[parameters('probeIntervalInSeconds')]" }, "sessionAffinityState": { "value": "[parameters('sessionAffinityState')]" }, "autoGeneratedDomainNameLabelScope": { "value": "[parameters('autoGeneratedDomainNameLabelScope')]" }, "routeName": { "value": "[parameters('routeName')]" }, "ruleSets": { 
"value": "[parameters('ruleSets')]" }, "supportedProtocols": { "value": "[parameters('supportedProtocols')]" }, "routePatternsToMatch": { "value": "[parameters('routePatternsToMatch')]" }, "forwardingProtocol": { "value": "[parameters('forwardingProtocol')]" }, "linkToDefaultDomain": { "value": "[parameters('linkToDefaultDomain')]" }, "httpsRedirect": { "value": "[parameters('httpsRedirect')]" }, "endpointName": { "value": "[parameters('endpointName')]" }, "endpointEnabledState": { "value": "[parameters('endpointEnabledState')]" }, "wafPolicyName": { "value": "[parameters('wafPolicyName')]" }, "wafPolicyMode": { "value": "[parameters('wafPolicyMode')]" }, "wafPolicyEnabledState": { "value": "[parameters('wafPolicyEnabledState')]" }, "wafManagedRuleSets": { "value": "[parameters('wafManagedRuleSets')]" }, "wafCustomRules": { "value": "[parameters('wafCustomRules')]" }, "wafPolicyRequestBodyCheck": { "value": "[parameters('wafPolicyRequestBodyCheck')]" }, "securityPolicyName": { "value": "[parameters('securityPolicyName')]" }, "securityPolicyPatternsToMatch": { "value": "[parameters('securityPolicyPatternsToMatch')]" }, "keyVaultName": { "value": "[parameters('keyVaultName')]" }, "keyVaultCertificateName": { "value": "[parameters('keyVaultCertificateName')]" }, "customDomainName": { "value": "[variables('hostName')]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "12933615522096771912" } }, "parameters": { "frontDoorName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Front Door." 
} }, "frontDoorSkuName": { "type": "string", "defaultValue": "Premium_AzureFrontDoor", "allowedValues": [ "Standard_AzureFrontDoor", "Premium_AzureFrontDoor" ], "metadata": { "description": "The name of the SKU to use when creating the Front Door profile." } }, "originResponseTimeoutSeconds": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the send and receive timeout on forwarding request to the origin. When timeout is reached, the request fails and returns." } }, "originGroupName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Front Door Origin Group for the web application." } }, "originName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Front Door Origin for the web application." } }, "hostName": { "type": "string", "metadata": { "description": "Specifies the address of the origin. Domain names, IPv4 addresses, and IPv6 addresses are supported.This should be unique across all origins in an endpoint." } }, "httpPort": { "type": "int", "defaultValue": 80, "metadata": { "description": "Specifies the value of the HTTP port. Must be between 1 and 65535." } }, "httpsPort": { "type": "int", "defaultValue": 443, "metadata": { "description": "Specifies the value of the HTTPS port. Must be between 1 and 65535." } }, "originHostHeader": { "type": "string", "metadata": { "description": "Specifies the host header value sent to the origin with each request. If you leave this blank, the request hostname determines this value. Azure Front Door origins, such as Web Apps, Blob Storage, and Cloud Services require this host header value to match the origin hostname by default. This overrides the host header defined at Endpoint." } }, "priority": { "type": "int", "defaultValue": 1, "minValue": 1, "maxValue": 5, "metadata": { "description": "Specifies the priority of origin in given origin group for load balancing. 
Higher priorities will not be used for load balancing if any lower priority origin is healthy. Must be between 1 and 5." } }, "weight": { "type": "int", "defaultValue": 1000, "minValue": 1, "maxValue": 1000, "metadata": { "description": "Specifies the weight of the origin in a given origin group for load balancing. Must be between 1 and 1000." } }, "originEnabledState": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether the origin is enabled (Enabled or Disabled). The value is applied to the origin's enabledState property." } }, "privateLinkResourceId": { "type": "string", "metadata": { "description": "Specifies the resource id of a private link service. When empty, the origin is created without a Private Link connection." } }, "sampleSize": { "type": "int", "defaultValue": 4, "metadata": { "description": "Specifies the number of samples to consider for load balancing decisions." } }, "successfulSamplesRequired": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of samples within the sample period that must succeed." } }, "additionalLatencyInMilliseconds": { "type": "int", "defaultValue": 50, "metadata": { "description": "Specifies the additional latency in milliseconds for probes to fall into the lowest latency bucket." } }, "probePath": { "type": "string", "defaultValue": "/", "metadata": { "description": "Specifies path relative to the origin that is used to determine the health of the origin." } }, "customDomainName": { "type": "string", "metadata": { "description": "The custom domain name to associate with your Front Door endpoint." } }, "probeRequestType": { "type": "string", "defaultValue": "GET", "allowedValues": [ "GET", "HEAD", "NotSet" ], "metadata": { "description": "Specifies the health probe request type." 
} }, "probeProtocol": { "type": "string", "defaultValue": "Http", "allowedValues": [ "Http", "Https", "NotSet" ], "metadata": { "description": "Specifies the health probe protocol." } }, "probeIntervalInSeconds": { "type": "int", "defaultValue": 60, "metadata": { "description": "Specifies the number of seconds between health probes.Default is 240 seconds." } }, "sessionAffinityState": { "type": "string", "defaultValue": "Disabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether to allow session affinity on this host. Valid options are Enabled or Disabled." } }, "autoGeneratedDomainNameLabelScope": { "type": "string", "defaultValue": "TenantReuse", "allowedValues": [ "NoReuse", "ResourceGroupReuse", "SubscriptionReuse", "TenantReuse" ], "metadata": { "description": "Specifies the endpoint name reuse scope. The default value is TenantReuse." } }, "routeName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Front Door Route for the web application." } }, "originPath": { "type": "string", "defaultValue": "/", "metadata": { "description": "Specifies a directory path on the origin that Azure Front Door can use to retrieve content from, e.g. contoso.cloudapp.net/originpath." } }, "ruleSets": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the rule sets referenced by this endpoint." } }, "supportedProtocols": { "type": "array", "defaultValue": [ "Http", "Https" ], "metadata": { "description": "Specifies the list of supported protocols for this route" } }, "routePatternsToMatch": { "type": "array", "defaultValue": [ "/*" ], "metadata": { "description": "Specifies the route patterns of the rule." } }, "forwardingProtocol": { "type": "string", "defaultValue": "HttpsOnly", "allowedValues": [ "HttpOnly", "HttpsOnly", "MatchRequest" ], "metadata": { "description": "Specifies the protocol this rule will use when forwarding traffic to backends." 
} }, "linkToDefaultDomain": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether this route will be linked to the default endpoint domain." } }, "httpsRedirect": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether to automatically redirect HTTP traffic to HTTPS traffic. Note that this is a easy way to set up this rule and it will be the first rule that gets executed." } }, "endpointName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Front Door Endpoint for the web application." } }, "endpointEnabledState": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether to enable use of this rule. Permitted values are Enabled or Disabled" } }, "wafPolicyName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Front Door WAF policy." } }, "wafPolicyMode": { "type": "string", "defaultValue": "Prevention", "allowedValues": [ "Detection", "Prevention" ], "metadata": { "description": "Specifies the WAF policy is in detection mode or prevention mode." } }, "wafPolicyEnabledState": { "type": "string", "defaultValue": "Enabled", "metadata": { "description": "Specifies if the policy is in enabled or disabled state. Defaults to Enabled if not specified." } }, "wafManagedRuleSets": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the list of managed rule sets to configure on the WAF." } }, "wafCustomRules": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the list of custom rulesto configure on the WAF." 
} }, "wafPolicyRequestBodyCheck": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies if the WAF policy managed rules will inspect the request body content." } }, "securityPolicyName": { "type": "string", "metadata": { "description": "Specifies name of the security policy." } }, "securityPolicyPatternsToMatch": { "type": "array", "defaultValue": [ "/*" ], "metadata": { "description": "Specifies the list of patterns to match by the security policy." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } }, "keyVaultResourceGroupName": { "type": "string", "defaultValue": "[resourceGroup().name]", "metadata": { "description": "Specifies the name of the resource group that contains the key vault with custom domain's certificate." } }, "keyVaultName": { "type": "string", "metadata": { "description": "Specifies the name of the Key Vault that contains the custom domain certificate." } }, "keyVaultCertificateName": { "type": "string", "metadata": { "description": "Specifies the name of the Key Vault secret that contains the custom domain certificate." } }, "keyVaultCertificateVersion": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the version of the Key Vault secret that contains the custom domain certificate. Set the value to an empty string to use the latest version." 
} }, "minimumTlsVersion": { "type": "string", "defaultValue": "TLS12", "metadata": { "description": "Specifies the TLS protocol version that will be used for Https" } } }, "variables": { "copy": [ { "name": "logs", "count": "[length(variables('logCategories'))]", "input": { "category": "[variables('logCategories')[copyIndex('logs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "metrics", "count": "[length(variables('metricCategories'))]", "input": { "category": "[variables('metricCategories')[copyIndex('metrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } } ], "diagnosticSettingsName": "diagnosticSettings", "logCategories": [ "FrontDoorAccessLog", "FrontDoorHealthProbeLog", "FrontDoorWebApplicationFirewallLog" ], "metricCategories": [ "AllMetrics" ] }, "resources": [ { "type": "Microsoft.Cdn/profiles", "apiVersion": "2022-11-01-preview", "name": "[parameters('frontDoorName')]", "location": "Global", "tags": "[parameters('tags')]", "sku": { "name": "[parameters('frontDoorSkuName')]" }, "properties": { "originResponseTimeoutSeconds": "[parameters('originResponseTimeoutSeconds')]" } }, { "type": "Microsoft.Cdn/profiles/originGroups", "apiVersion": "2022-11-01-preview", "name": "[format('{0}/{1}', parameters('frontDoorName'), parameters('originGroupName'))]", "properties": { "loadBalancingSettings": { "sampleSize": "[parameters('sampleSize')]", "successfulSamplesRequired": "[parameters('successfulSamplesRequired')]", "additionalLatencyInMilliseconds": "[parameters('additionalLatencyInMilliseconds')]" }, "healthProbeSettings": { "probePath": "[parameters('probePath')]", "probeRequestType": "[parameters('probeRequestType')]", "probeProtocol": "[parameters('probeProtocol')]", "probeIntervalInSeconds": "[parameters('probeIntervalInSeconds')]" }, "sessionAffinityState": "[parameters('sessionAffinityState')]" }, "dependsOn": [ "[resourceId('Microsoft.Cdn/profiles', parameters('frontDoorName'))]" ] }, { 
"type": "Microsoft.Cdn/profiles/originGroups/origins", "apiVersion": "2022-11-01-preview", "name": "[format('{0}/{1}/{2}', parameters('frontDoorName'), parameters('originGroupName'), parameters('originName'))]", "properties": { "hostName": "[parameters('hostName')]", "httpPort": "[parameters('httpPort')]", "httpsPort": "[parameters('httpsPort')]", "originHostHeader": "[parameters('originHostHeader')]", "priority": "[parameters('priority')]", "weight": "[parameters('weight')]", "enabledState": "[parameters('originEnabledState')]", "sharedPrivateLinkResource": "[if(empty(parameters('privateLinkResourceId')), createObject(), createObject('privateLink', createObject('id', parameters('privateLinkResourceId')), 'privateLinkLocation', parameters('location'), 'status', 'Approved', 'requestMessage', 'Please approve this request to allow Front Door to access the container app'))]", "enforceCertificateNameCheck": true }, "dependsOn": [ "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('frontDoorName'), parameters('originGroupName'))]" ] }, { "type": "Microsoft.Cdn/profiles/afdEndpoints", "apiVersion": "2022-11-01-preview", "name": "[format('{0}/{1}', parameters('frontDoorName'), parameters('endpointName'))]", "location": "Global", "properties": { "autoGeneratedDomainNameLabelScope": "[toUpper(parameters('autoGeneratedDomainNameLabelScope'))]", "enabledState": "[parameters('endpointEnabledState')]" }, "dependsOn": [ "[resourceId('Microsoft.Cdn/profiles', parameters('frontDoorName'))]" ] }, { "type": "Microsoft.Cdn/profiles/afdEndpoints/routes", "apiVersion": "2022-11-01-preview", "name": "[format('{0}/{1}/{2}', parameters('frontDoorName'), parameters('endpointName'), parameters('routeName'))]", "properties": { "customDomains": [ { "id": "[resourceId('Microsoft.Cdn/profiles/customDomains', parameters('frontDoorName'), replace(parameters('customDomainName'), '.', '-'))]" } ], "originGroup": { "id": "[resourceId('Microsoft.Cdn/profiles/originGroups', 
parameters('frontDoorName'), parameters('originGroupName'))]" }, "originPath": "[parameters('originPath')]", "ruleSets": "[parameters('ruleSets')]", "supportedProtocols": "[parameters('supportedProtocols')]", "patternsToMatch": "[parameters('routePatternsToMatch')]", "forwardingProtocol": "[parameters('forwardingProtocol')]", "linkToDefaultDomain": "[parameters('linkToDefaultDomain')]", "httpsRedirect": "[parameters('httpsRedirect')]" }, "dependsOn": [ "[resourceId('Microsoft.Cdn/profiles/customDomains', parameters('frontDoorName'), replace(parameters('customDomainName'), '.', '-'))]", "[resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('frontDoorName'), parameters('endpointName'))]", "[resourceId('Microsoft.Cdn/profiles/originGroups/origins', parameters('frontDoorName'), parameters('originGroupName'), parameters('originName'))]", "[resourceId('Microsoft.Cdn/profiles/originGroups', parameters('frontDoorName'), parameters('originGroupName'))]" ] }, { "type": "Microsoft.Cdn/profiles/secrets", "apiVersion": "2023-07-01-preview", "name": "[format('{0}/{1}', parameters('frontDoorName'), toLower(format('{0}-{1}-latest', parameters('keyVaultName'), parameters('keyVaultCertificateName'))))]", "properties": { "parameters": { "type": "CustomerCertificate", "useLatestVersion": "[equals(parameters('keyVaultCertificateVersion'), '')]", "secretVersion": "[parameters('keyVaultCertificateVersion')]", "secretSource": { "id": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('keyVaultResourceGroupName')), 'Microsoft.KeyVault/vaults/secrets', parameters('keyVaultName'), parameters('keyVaultCertificateName'))]" } } }, "dependsOn": [ "[resourceId('Microsoft.Cdn/profiles', parameters('frontDoorName'))]" ] }, { "type": "Microsoft.Cdn/profiles/customDomains", "apiVersion": "2023-07-01-preview", "name": "[format('{0}/{1}', parameters('frontDoorName'), replace(parameters('customDomainName'), '.', '-'))]", "properties": 
{ "hostName": "[parameters('customDomainName')]", "tlsSettings": { "certificateType": "CustomerCertificate", "minimumTlsVersion": "[parameters('minimumTlsVersion')]", "secret": { "id": "[resourceId('Microsoft.Cdn/profiles/secrets', parameters('frontDoorName'), toLower(format('{0}-{1}-latest', parameters('keyVaultName'), parameters('keyVaultCertificateName'))))]" } } }, "dependsOn": [ "[resourceId('Microsoft.Cdn/profiles', parameters('frontDoorName'))]", "[resourceId('Microsoft.Cdn/profiles/secrets', parameters('frontDoorName'), toLower(format('{0}-{1}-latest', parameters('keyVaultName'), parameters('keyVaultCertificateName'))))]" ] }, { "type": "Microsoft.Network/FrontDoorWebApplicationFirewallPolicies", "apiVersion": "2022-05-01", "name": "[parameters('wafPolicyName')]", "location": "Global", "tags": "[parameters('tags')]", "sku": { "name": "[parameters('frontDoorSkuName')]" }, "properties": { "policySettings": { "enabledState": "[parameters('wafPolicyEnabledState')]", "mode": "[parameters('wafPolicyMode')]", "requestBodyCheck": "[parameters('wafPolicyRequestBodyCheck')]" }, "managedRules": { "managedRuleSets": "[parameters('wafManagedRuleSets')]" }, "customRules": { "rules": "[parameters('wafCustomRules')]" } } }, { "type": "Microsoft.Cdn/profiles/securityPolicies", "apiVersion": "2022-11-01-preview", "name": "[format('{0}/{1}', parameters('frontDoorName'), parameters('securityPolicyName'))]", "properties": { "parameters": { "type": "WebApplicationFirewall", "wafPolicy": { "id": "[resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('wafPolicyName'))]" }, "associations": [ { "domains": [ { "id": "[resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('frontDoorName'), parameters('endpointName'))]" }, { "id": "[resourceId('Microsoft.Cdn/profiles/customDomains', parameters('frontDoorName'), replace(parameters('customDomainName'), '.', '-'))]" } ], "patternsToMatch": "[parameters('securityPolicyPatternsToMatch')]" } ] } }, 
"dependsOn": [ "[resourceId('Microsoft.Cdn/profiles/customDomains', parameters('frontDoorName'), replace(parameters('customDomainName'), '.', '-'))]", "[resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('frontDoorName'), parameters('endpointName'))]", "[resourceId('Microsoft.Cdn/profiles', parameters('frontDoorName'))]", "[resourceId('Microsoft.Network/FrontDoorWebApplicationFirewallPolicies', parameters('wafPolicyName'))]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Cdn/profiles/{0}', parameters('frontDoorName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('logs')]", "metrics": "[variables('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Cdn/profiles', parameters('frontDoorName'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.Cdn/profiles', parameters('frontDoorName'))]" }, "name": { "type": "string", "value": "[parameters('frontDoorName')]" }, "frontDoorEndpointFqdn": { "type": "string", "value": "[reference(resourceId('Microsoft.Cdn/profiles/afdEndpoints', parameters('frontDoorName'), parameters('endpointName')), '2022-11-01-preview').hostName]" }, "customDomainValidationDnsTxtRecordValue": { "type": "string", "value": "[if(not(equals(reference(resourceId('Microsoft.Cdn/profiles/customDomains', parameters('frontDoorName'), replace(parameters('customDomainName'), '.', '-')), '2023-07-01-preview').validationProperties.validationToken, null())), reference(resourceId('Microsoft.Cdn/profiles/customDomains', parameters('frontDoorName'), replace(parameters('customDomainName'), '.', '-')), '2023-07-01-preview').validationProperties.validationToken, '')]" }, "customDomainValidationExpiry": { "type": "string", "value": "[reference(resourceId('Microsoft.Cdn/profiles/customDomains', parameters('frontDoorName'), replace(parameters('customDomainName'), '.', 
'-')), '2023-07-01-preview').validationProperties.expirationDate]" }, "customDomainDeploymentStatus": { "type": "string", "value": "[reference(resourceId('Microsoft.Cdn/profiles/customDomains', parameters('frontDoorName'), replace(parameters('customDomainName'), '.', '-')), '2023-07-01-preview').deploymentStatus]" }, "customDomainValidationState": { "type": "string", "value": "[reference(resourceId('Microsoft.Cdn/profiles/customDomains', parameters('frontDoorName'), replace(parameters('customDomainName'), '.', '-')), '2023-07-01-preview').domainValidationState]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'modules-private-link-service')]", "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "condition": "[parameters('createMetricAlerts')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "aksmetricalerts", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "aksClusterName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.name.value]" }, "metricAlertsEnabled": { "value": "[parameters('metricAlertsEnabled')]" }, "evalFrequency": { "value": "[parameters('metricAlertsEvalFrequency')]" }, "windowSize": { "value": "[parameters('metricAlertsWindowsSize')]" }, "alertSeverity": { "value": "Informational" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "17032059649794667959" } }, "parameters": { "aksClusterName": { "type": "string", "metadata": { "description": "The name of the AKS Cluster to configure the alerts on." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} }, "evalFrequency": { "type": "string", "defaultValue": "PT1M", "allowedValues": [ "PT1M", "PT15M" ], "metadata": { "description": "Specifies how often the alert rule is evaluated (ISO 8601 duration). Choosing a frequency smaller than the window size over which datapoints are grouped results in sliding-window evaluation." } }, "metricAlertsEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the metric alerts are created in an enabled or a disabled state." } }, "windowSize": { "type": "string", "defaultValue": "PT5M", "allowedValues": [ "PT5M", "PT1H" ], "metadata": { "description": "Specifies the interval (ISO 8601 duration) over which datapoints are grouped by the aggregation function before the threshold is evaluated." } }, "alertSeverity": { "type": "string", "defaultValue": "Informational", "allowedValues": [ "Critical", "Error", "Warning", "Informational", "Verbose" ] } }, "variables": { "alertServerityLookup": { "Critical": 0, "Error": 1, "Warning": 2, "Informational": 3, "Verbose": 4 }, "alertSeverityNumber": "[variables('alertServerityLookup')[parameters('alertSeverity')]]", "AksResourceId": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))]" }, "resources": [ { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Node CPU utilization high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "host", "operator": "Include", "values": [ "*" ] } ], "metricName": "cpuUsagePercentage", "metricNamespace": "Insights.Container/nodes", "name": "Metric1", "operator": "GreaterThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "Node CPU utilization across the cluster.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": 
"[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Node working set memory utilization high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "host", "operator": "Include", "values": [ "*" ] } ], "metricName": "memoryWorkingSetPercentage", "metricNamespace": "Insights.Container/nodes", "name": "Metric1", "operator": "GreaterThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "Node working set memory utilization across the cluster.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Jobs completed more than 6 hours ago', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "completedJobsCount", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", 
"skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors completed jobs (more than 6 hours ago).", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Container CPU usage high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "cpuExceededPercentage", "metricNamespace": "Insights.Container/containers", "name": "Metric1", "operator": "GreaterThan", "threshold": 90, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors container CPU utilization.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Container working set memory usage high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": 
"controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "memoryWorkingSetExceededPercentage", "metricNamespace": "Insights.Container/containers", "name": "Metric1", "operator": "GreaterThan", "threshold": 90, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors container working set memory utilization.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Pods in failed state', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "phase", "operator": "Include", "values": [ "Failed" ] } ], "metricName": "podCount", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "Pod status monitoring.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Disk usage high', 
parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "host", "operator": "Include", "values": [ "*" ] }, { "name": "device", "operator": "Include", "values": [ "*" ] } ], "metricName": "DiskUsedPercentage", "metricNamespace": "Insights.Container/nodes", "name": "Metric1", "operator": "GreaterThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors disk usage for all nodes and storage devices.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Nodes in not ready state', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "status", "operator": "Include", "values": [ "NotReady" ] } ], "metricName": "nodesCount", "metricNamespace": "Insights.Container/nodes", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "Node status monitoring.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", 
"windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Containers getting OOM killed', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] }, { "name": "controllerName", "operator": "Include", "values": [ "*" ] } ], "metricName": "oomKilledContainerCount", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors number of containers killed due to out of memory (OOM) error.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Persistent volume usage high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "podName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetesNamespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "pvUsageExceededPercentage", "metricNamespace": "Insights.Container/persistentvolumes", "name": "Metric1", "operator": "GreaterThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" 
}, "description": "This alert monitors persistent volume utilization.", "enabled": false, "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Pods not in ready state', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "PodReadyPercentage", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "LessThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors for excessive pods not in the ready state.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Restarting container count', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] }, { "name": "controllerName", "operator": "Include", "values": [ "*" ] } ], "metricName": 
"restartingContainerCount", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors number of containers restarting across the cluster.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('AksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "Microsoft.ContainerService/managedClusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Container CPU usage violates the configured threshold', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "description": "This alert monitors container CPU usage. It uses the threshold defined in the config map.", "severity": "[variables('alertSeverityNumber')]", "enabled": true, "scopes": [ "[variables('AksResourceId')]" ], "evaluationFrequency": "[parameters('evalFrequency')]", "windowSize": "[parameters('windowSize')]", "criteria": { "allOf": [ { "threshold": 0, "name": "Metric1", "metricNamespace": "Insights.Container/containers", "metricName": "cpuThresholdViolated", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "operator": "GreaterThan", "timeAggregation": "Average", "skipMetricValidation": true, "criterionType": "StaticThresholdCriterion" } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" } } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Container working set memory usage violates the configured threshold', 
parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "description": "This alert monitors container working set memory usage. It uses the threshold defined in the config map.", "severity": "[variables('alertSeverityNumber')]", "enabled": "[parameters('metricAlertsEnabled')]", "scopes": [ "[variables('AksResourceId')]" ], "evaluationFrequency": "[parameters('evalFrequency')]", "windowSize": "[parameters('windowSize')]", "criteria": { "allOf": [ { "threshold": 0, "name": "Metric1", "metricNamespace": "Insights.Container/containers", "metricName": "memoryWorkingSetThresholdViolated", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "operator": "GreaterThan", "timeAggregation": "Average", "skipMetricValidation": true, "criterionType": "StaticThresholdCriterion" } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" } } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Persistent Volume usage violates the configured threshold', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "description": "This alert monitors Persistent Volume usage. 
It uses the threshold defined in the config map.", "severity": "[variables('alertSeverityNumber')]", "enabled": "[parameters('metricAlertsEnabled')]", "scopes": [ "[variables('AksResourceId')]" ], "evaluationFrequency": "[parameters('evalFrequency')]", "windowSize": "[parameters('windowSize')]", "criteria": { "allOf": [ { "threshold": 0, "name": "Metric1", "metricNamespace": "Insights.Container/persistentvolumes", "metricName": "pvUsageThresholdViolated", "dimensions": [ { "name": "podName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetesNamespace", "operator": "Include", "values": [ "*" ] } ], "operator": "GreaterThan", "timeAggregation": "Average", "skipMetricValidation": true, "criterionType": "StaticThresholdCriterion" } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" } } } ] } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "deploymentScript", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('deploymentScripName')]" }, "clusterName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.name.value]" }, "hostName": { "value": "[variables('hostName')]" }, "secretProviderClassName": { "value": "[parameters('secretProviderClassName')]" }, "secretName": { "value": "[parameters('secretName')]" }, "namespace": { "value": "[parameters('namespace')]" }, "keyVaultCertificateName": { "value": "[parameters('keyVaultCertificateName')]" }, "keyVaultName": { "value": "[parameters('keyVaultName')]" }, "clientId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.azureKeyvaultSecretsProviderIdentity.value.clientId]" }, "tenantId": { "value": "[parameters('tenantId')]" }, "email": { "value": "[parameters('email')]" 
}, "primaryScriptUri": { "value": "[parameters('deploymentScriptUri')]" }, "resourceGroupName": { "value": "[resourceGroup().name]" }, "subscriptionId": { "value": "[subscription().subscriptionId]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "15095836146349999255" } }, "parameters": { "name": { "type": "string", "defaultValue": "BashScript", "metadata": { "description": "Specifies the name of the deployment script resource." } }, "primaryScriptUri": { "type": "string", "metadata": { "description": "Specifies the URI of the primary script. The script is downloaded and executed at deployment time under a user-assigned managed identity that this template grants the cluster admin role on the AKS cluster, so the URI must point to a trusted, immutable (version-pinned) location and never to a mutable branch or an untrusted host." } }, "clusterName": { "type": "string", "metadata": { "description": "Specifies the name of the AKS cluster." } }, "resourceGroupName": { "type": "string", "defaultValue": "[resourceGroup().name]", "metadata": { "description": "Specifies the resource group name." } }, "subscriptionId": { "type": "string", "defaultValue": "[subscription().subscriptionId]", "metadata": { "description": "Specifies the subscription id." } }, "hostName": { "type": "string", "metadata": { "description": "Specifies the hostname of the application." } }, "secretProviderClassName": { "type": "string", "metadata": { "description": "Specifies the secret provider class name that reads the certificate from key vault and creates a TLS secret in the Kubernetes cluster." } }, "secretName": { "type": "string", "metadata": { "description": "Specifies the secret name containing the TLS certificate." } }, "namespace": { "type": "string", "metadata": { "description": "Specifies the namespace of the application." } }, "keyVaultName": { "type": "string", "metadata": { "description": "Specifies the name of the existing Key Vault resource holding the TLS certificate." 
} }, "keyVaultCertificateName": { "type": "string", "metadata": { "description": "Specifies the name of the existing TLS certificate." } }, "clientId": { "type": "string", "metadata": { "description": "Specifies the client id of the Key Vault CSI Driver user-assigned managed identity." } }, "tenantId": { "type": "string", "metadata": { "description": "Specifies the Azure AD tenant id." } }, "email": { "type": "string", "defaultValue": "admin@contoso.com", "metadata": { "description": "Specifies the email address for the cert-manager cluster issuer. The default value is a placeholder and must be replaced with a monitored mailbox before deployment." } }, "utcValue": { "type": "string", "defaultValue": "[utcNow()]", "metadata": { "description": "Specifies the current UTC datetime. It is used as the deployment script's forceUpdateTag, so the script is re-run on every deployment." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "variables": { "clusterAdminRoleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]" }, "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2021-09-30-preview", "name": "scriptManagedIdentity", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2020-10-01-preview", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptManagedIdentity'), resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), variables('clusterAdminRoleDefinitionId'))]", "properties": { "roleDefinitionId": "[variables('clusterAdminRoleDefinitionId')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptManagedIdentity'), '2021-09-30-preview').principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ 
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptManagedIdentity')]" ] }, { "type": "Microsoft.Resources/deploymentScripts", "apiVersion": "2020-10-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "kind": "AzureCLI", "identity": { "type": "UserAssigned", "userAssignedIdentities": { "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptManagedIdentity'))]": {} } }, "properties": { "forceUpdateTag": "[parameters('utcValue')]", "azCliVersion": "2.42.0", "timeout": "PT30M", "environmentVariables": [ { "name": "clusterName", "value": "[parameters('clusterName')]" }, { "name": "resourceGroupName", "value": "[parameters('resourceGroupName')]" }, { "name": "subscriptionId", "value": "[parameters('subscriptionId')]" }, { "name": "hostname", "value": "[parameters('hostName')]" }, { "name": "secretProviderClassName", "value": "[parameters('secretProviderClassName')]" }, { "name": "secretName", "value": "[parameters('secretName')]" }, { "name": "namespace", "value": "[parameters('namespace')]" }, { "name": "keyVaultName", "value": "[parameters('keyVaultName')]" }, { "name": "keyVaultCertificateName", "value": "[parameters('keyVaultCertificateName')]" }, { "name": "clientId", "value": "[parameters('clientId')]" }, { "name": "tenantId", "value": "[parameters('tenantId')]" }, { "name": "email", "value": "[parameters('email')]" } ], "primaryScriptUri": "[parameters('primaryScriptUri')]", "cleanupPreference": "OnSuccess", "retentionInterval": "P1D" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'scriptManagedIdentity')]" ] } ], "outputs": { "result": { "type": "object", "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', parameters('name')), '2020-10-01').outputs]" }, "certManager": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', parameters('name')), '2020-10-01').outputs.certManager]" }, 
"nginxIngressController": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', parameters('name')), '2020-10-01').outputs.nginxIngressController]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]", "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('keyVaultResourceGroupName')), 'Microsoft.Resources/deployments', 'keyVault')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "dnsZone", "resourceGroup": "[parameters('dnsZoneResourceGroupName')]", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('dnsZoneName')]" }, "cnameRecordName": { "value": "[parameters('subdomain')]" }, "ttl": { "value": "[parameters('cnameRecordTtl')]" }, "hostName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'frontDoor'), '2022-09-01').outputs.frontDoorEndpointFqdn.value]" }, "validationToken": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'frontDoor'), '2022-09-01').outputs.customDomainValidationDnsTxtRecordValue.value]" }, "domainValidationState": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'frontDoor'), '2022-09-01').outputs.customDomainValidationState.value]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.25.53.49325", "templateHash": "5652873898514230827" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of an existing public DNS zone." } }, "cnameRecordName": { "type": "string", "metadata": { "description": "Specifies the name of the CNAME record to create within the DNS zone. The record will be an alias to your Front Door endpoint." 
} }, "ttl": { "type": "int", "defaultValue": 3600, "metadata": { "description": "Specifies the time-to-live (TTL) value for the CNAME record." } }, "hostName": { "type": "string", "metadata": { "description": "Specifies the Front Door endpoint to which the CNAME record will point." } }, "domainValidationState": { "type": "string", "metadata": { "description": "Specifies the validation state of the custom domain." } }, "validationToken": { "type": "string", "metadata": { "description": "Specifies the validation token of the custom domain." } } }, "resources": [ { "type": "Microsoft.Network/dnsZones/CNAME", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('name'), parameters('cnameRecordName'))]", "properties": { "TTL": "[parameters('ttl')]", "CNAMERecord": { "cname": "[parameters('hostName')]" } } }, { "condition": "[not(equals(parameters('domainValidationState'), 'Approved'))]", "type": "Microsoft.Network/dnsZones/TXT", "apiVersion": "2018-05-01", "name": "[format('{0}/{1}', parameters('name'), format('_dnsauth.{0}', parameters('cnameRecordName')))]", "properties": { "TTL": "[parameters('ttl')]", "TXTRecords": [ { "value": [ "[parameters('validationToken')]" ] } ] } } ], "outputs": { "dnsZoneId": { "type": "string", "value": "[resourceId('Microsoft.Network/dnsZones', parameters('name'))]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'frontDoor')]" ] } ], "outputs": { "aksClusterName": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.name.value]" }, "aksClusterFqdn": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.fqdn.value]" }, "acrName": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deployments', 'containerRegistry'), '2022-09-01').outputs.name.value]" }, "keyVaultName": { "type": "string", "value": 
"[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, parameters('keyVaultResourceGroupName')), 'Microsoft.Resources/deployments', 'keyVault'), '2022-09-01').outputs.name.value]" }, "logAnalyticsWorkspaceName": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.name.value]" }, "frontDoorName": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deployments', 'frontDoor'), '2022-09-01').outputs.name.value]" }, "frontDoorEndpointFqdn": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deployments', 'frontDoor'), '2022-09-01').outputs.frontDoorEndpointFqdn.value]" }, "privateLinkServiceName": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deployments', 'modules-private-link-service'), '2022-09-01').outputs.name.value]" }, "customDomainValidationDnsTxtRecordValue": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deployments', 'frontDoor'), '2022-09-01').outputs.customDomainValidationDnsTxtRecordValue.value]" }, "customDomainValidationExpiry": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deployments', 'frontDoor'), '2022-09-01').outputs.customDomainValidationExpiry.value]" } } }