{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "8991687477124331026" } }, "parameters": { "prefix": { "type": "string", "defaultValue": "$uniqueString(resourceGroup().id)", "metadata": { "description": "Specifies the name prefix." } }, "userId": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the object id of an Azure Active Directory user. In general, this is the object id of the system administrator who deploys the Azure resources." } }, "letterCaseType": { "type": "string", "defaultValue": "UpperCamelCase", "allowedValues": [ "CamelCase", "UpperCamelCase", "KebabCase" ], "metadata": { "description": "Specifies whether resource names are in CamelCase, UpperCamelCase, or KebabCase." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location of the AKS cluster." } }, "aksClusterName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Aks', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Aks', toLower(parameters('prefix'))), format('{0}-aks', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the AKS cluster." } }, "createMetricAlerts": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create metric alerts or not." } }, "metricAlertsEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether metric alerts are either enabled or disabled." } }, "metricAlertsEvalFrequency": { "type": "string", "defaultValue": "PT1M", "metadata": { "description": "Specifies metric alerts eval frequency." 
} }, "metricAlertsWindowsSize": { "type": "string", "defaultValue": "PT1H", "metadata": { "description": "Specifies metric alerts window size." } }, "aksClusterDnsPrefix": { "type": "string", "defaultValue": "[parameters('aksClusterName')]", "metadata": { "description": "Specifies the DNS prefix specified when creating the managed cluster." } }, "aksClusterNetworkPlugin": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "kubenet" ], "metadata": { "description": "Specifies the network plugin used for building Kubernetes network. - azure or kubenet." } }, "aksClusterNetworkPluginMode": { "type": "string", "defaultValue": "", "allowedValues": [ "", "Overlay" ], "metadata": { "description": "Specifies the Network plugin mode used for building the Kubernetes network." } }, "aksClusterNetworkPolicy": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "calico" ], "metadata": { "description": "Specifies the network policy used for building Kubernetes network. - calico or azure" } }, "aksClusterPodCidr": { "type": "string", "defaultValue": "192.168.0.0/16", "metadata": { "description": "Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used." } }, "aksClusterServiceCidr": { "type": "string", "defaultValue": "172.16.0.0/16", "metadata": { "description": "A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges." } }, "aksClusterDnsServiceIP": { "type": "string", "defaultValue": "172.16.0.10", "metadata": { "description": "Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr." } }, "aksClusterLoadBalancerSku": { "type": "string", "defaultValue": "standard", "allowedValues": [ "basic", "standard" ], "metadata": { "description": "Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools." 
} }, "aksClusterMonitoringEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether Network Observability is enabled or not. When enabled, network monitoring generates metrics in Prometheus format." } }, "aksClusterIpFamilies": { "type": "array", "defaultValue": [ "IPv4" ], "metadata": { "description": "Specifies the IP families used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6." } }, "aksClusterOutboundType": { "type": "string", "defaultValue": "loadBalancer", "allowedValues": [ "loadBalancer", "managedNATGateway", "userAssignedNATGateway", "userDefinedRouting" ], "metadata": { "description": "Specifies the outbound (egress) routing method. - loadBalancer or userDefinedRouting." } }, "aksClusterSkuTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Free" ], "metadata": { "description": "Specifies the tier of a managed cluster SKU: Paid or Free" } }, "aksClusterKubernetesVersion": { "type": "string", "defaultValue": "1.18.8", "metadata": { "description": "Specifies the version of Kubernetes specified when creating the managed cluster." } }, "aksClusterAdminUsername": { "type": "string", "defaultValue": "azureuser", "metadata": { "description": "Specifies the administrator username of Linux virtual machines." } }, "aksClusterSshPublicKey": { "type": "string", "metadata": { "description": "Specifies the SSH RSA public key string for the Linux nodes." } }, "aadProfileTenantId": { "type": "string", "defaultValue": "[subscription().tenantId]", "metadata": { "description": "Specifies the tenant id of the Azure Active Directory used by the AKS cluster for authentication." } }, "aadProfileAdminGroupObjectIDs": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the AAD group object IDs that will have the admin role of the cluster." 
} }, "aksClusterNodeOSUpgradeChannel": { "type": "string", "defaultValue": "Unmanaged", "allowedValues": [ "NodeImage", "None", "SecurityPatch", "Unmanaged" ], "metadata": { "description": "Specifies the node OS upgrade channel. The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA." } }, "aksClusterUpgradeChannel": { "type": "string", "defaultValue": "stable", "allowedValues": [ "rapid", "stable", "patch", "node-image", "none" ], "metadata": { "description": "Specifies the upgrade channel for auto upgrade. Allowed values include rapid, stable, patch, node-image, none." } }, "aksClusterEnablePrivateCluster": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create the cluster as a private cluster or not." } }, "aksPrivateDNSZone": { "type": "string", "defaultValue": "none", "metadata": { "description": "Specifies the Private DNS Zone mode for a private cluster. When the value is equal to None, a Public DNS Zone is used in place of a Private DNS Zone." } }, "aksEnablePrivateClusterPublicFQDN": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create an additional public FQDN for the private cluster or not." } }, "aadProfileManaged": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable managed AAD integration." } }, "aadProfileEnableAzureRBAC": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable Azure RBAC for Kubernetes authorization." } }, "systemAgentPoolName": { "type": "string", "defaultValue": "nodepool1", "metadata": { "description": "Specifies the unique name of the system node pool profile in the context of the subscription and resource group." } }, "systemAgentPoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the vm size of nodes in the system node pool." 
} }, "systemAgentPoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the OS Disk Size in GB to be used to specify the disk size for every machine in the system agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." } }, "systemAgentPoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "allowedValues": [ "Ephemeral", "Managed" ], "metadata": { "description": "Specifies the OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. - Managed or Ephemeral" } }, "systemAgentPoolAgentCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of agents (VMs) to host docker containers in the system node pool. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1." } }, "systemAgentPoolOsType": { "type": "string", "defaultValue": "Linux", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS type for the vms in the system node pool. Choose from Linux and Windows. Default to Linux." } }, "systemAgentPoolOsSKU": { "type": "string", "defaultValue": "Ubuntu", "allowedValues": [ "Ubuntu", "Windows2019", "Windows2022", "AzureLinux" ], "metadata": { "description": "Specifies the OS SKU used by the system agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated." } }, "systemAgentPoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods that can run on a node in the system node pool. 
The maximum number of pods per node in an AKS cluster is 250. The default maximum number of pods per node varies between kubenet and Azure CNI networking, and the method of cluster deployment." } }, "systemAgentPoolMaxCount": { "type": "int", "defaultValue": 5, "metadata": { "description": "Specifies the maximum number of nodes for auto-scaling for the system node pool." } }, "systemAgentPoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for auto-scaling for the system node pool." } }, "systemAgentPoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the system node pool." } }, "systemAgentPoolScaleSetPriority": { "type": "string", "defaultValue": "Regular", "allowedValues": [ "Spot", "Regular" ], "metadata": { "description": "Specifies the virtual machine scale set priority in the system node pool: Spot or Regular." } }, "systemAgentPoolScaleSetEvictionPolicy": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the ScaleSetEvictionPolicy to be used to specify eviction policy for spot virtual machine scale set. Default to Delete. Allowed values are Delete or Deallocate." } }, "systemAgentPoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the Agent pool node labels to be persisted across all nodes in the system node pool." } }, "systemAgentPoolNodeTaints": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." } }, "systemAgentPoolKubeletDiskType": { "type": "string", "defaultValue": "OS", "allowedValues": [ "OS", "Temporary" ], "metadata": { "description": "Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." 
} }, "systemAgentPoolType": { "type": "string", "defaultValue": "VirtualMachineScaleSets", "allowedValues": [ "VirtualMachineScaleSets", "AvailabilitySet" ], "metadata": { "description": "Specifies the type for the system node pool: VirtualMachineScaleSets or AvailabilitySet" } }, "systemAgentPoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent nodes in the system node pool. Requires the use of VirtualMachineScaleSets as node pool type." } }, "userAgentPoolName": { "type": "string", "defaultValue": "nodepool1", "metadata": { "description": "Specifies the unique name of the user node pool profile in the context of the subscription and resource group." } }, "userAgentPoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the vm size of nodes in the user node pool." } }, "userAgentPoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the OS Disk Size in GB to be used to specify the disk size for every machine in the system agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." } }, "userAgentPoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "allowedValues": [ "Ephemeral", "Managed" ], "metadata": { "description": "Specifies the OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. - Managed or Ephemeral" } }, "userAgentPoolAgentCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of agents (VMs) to host docker containers in the user node pool. Allowed values must be in the range of 1 to 100 (inclusive). 
The default value is 1." } }, "userAgentPoolOsType": { "type": "string", "defaultValue": "Linux", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS type for the vms in the user node pool. Choose from Linux and Windows. Default to Linux." } }, "userAgentPoolOsSKU": { "type": "string", "defaultValue": "Ubuntu", "allowedValues": [ "Ubuntu", "Windows2019", "Windows2022", "AzureLinux" ], "metadata": { "description": "Specifies the OS SKU used by the user agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated." } }, "userAgentPoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods that can run on a node in the user node pool. The maximum number of pods per node in an AKS cluster is 250. The default maximum number of pods per node varies between kubenet and Azure CNI networking, and the method of cluster deployment." } }, "userAgentPoolMaxCount": { "type": "int", "defaultValue": 5, "metadata": { "description": "Specifies the maximum number of nodes for auto-scaling for the user node pool." } }, "userAgentPoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for auto-scaling for the user node pool." } }, "userAgentPoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the user node pool." } }, "userAgentPoolScaleSetPriority": { "type": "string", "defaultValue": "Regular", "allowedValues": [ "Spot", "Regular" ], "metadata": { "description": "Specifies the virtual machine scale set priority in the user node pool: Spot or Regular." 
} }, "userAgentPoolScaleSetEvictionPolicy": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the ScaleSetEvictionPolicy to be used to specify eviction policy for spot virtual machine scale set. Default to Delete. Allowed values are Delete or Deallocate." } }, "userAgentPoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the Agent pool node labels to be persisted across all nodes in the user node pool." } }, "userAgentPoolNodeTaints": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." } }, "userAgentPoolKubeletDiskType": { "type": "string", "defaultValue": "OS", "allowedValues": [ "OS", "Temporary" ], "metadata": { "description": "Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." } }, "userAgentPoolType": { "type": "string", "defaultValue": "VirtualMachineScaleSets", "allowedValues": [ "VirtualMachineScaleSets", "AvailabilitySet" ], "metadata": { "description": "Specifies the type for the user node pool: VirtualMachineScaleSets or AvailabilitySet" } }, "userAgentPoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent nodes in the user node pool. Requires the use of VirtualMachineScaleSets as node pool type." } }, "windowsAgentPoolEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to create a Windows agent pool." } }, "windowsAgentPoolName": { "type": "string", "defaultValue": "win", "metadata": { "description": "Specifies the name of the agent pool." 
} }, "windowsAgentPoolMode": { "type": "string", "defaultValue": "User", "allowedValues": [ "System", "User" ], "metadata": { "description": "Specifies the mode of the agent pool." } }, "windowsAgentPoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent pool." } }, "windowsAgentPoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "metadata": { "description": "Specifies the OS disk type of the agent pool." } }, "windowsAgentPoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the VM sku of the agent nodes." } }, "windowsAgentPoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the disk size in GB of the agent nodes." } }, "windowsAgentPoolCount": { "type": "int", "defaultValue": 1, "metadata": { "description": "Specifies the number of agents for the user agent pool." } }, "windowsAgentPoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for the user agent pool." } }, "windowsAgentPoolMaxCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the maximum number of nodes for the user agent pool." } }, "windowsAgentPoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods per node." } }, "windowsAgentPoolNodeTaints": { "type": "array", "defaultValue": [ "os=windows:NoSchedule" ], "metadata": { "description": "Specifies the taints that should be applied to the agent pool." } }, "windowsAgentPoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the labels that should be applied to the agent pool." 
} }, "windowsAgentPoolOsType": { "type": "string", "defaultValue": "Windows", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS Type for the agent pool." } }, "windowsAgentPoolOsSKU": { "type": "string", "defaultValue": "Windows2022", "allowedValues": [ "Ubuntu", "Windows2019", "Windows2022", "AzureLinux" ] }, "windowsAgentPoolEnableNodePublicIP": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to assign a public IP per agent node." } }, "windowsAgentPoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the agent pool." } }, "httpApplicationRoutingEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the httpApplicationRouting add-on is enabled or not." } }, "openServiceMeshEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Open Service Mesh add-on is enabled or not." } }, "istioServiceMeshEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Istio Service Mesh add-on is enabled or not." } }, "istioIngressGatewayEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Istio Ingress Gateway is enabled or not." } }, "istioIngressGatewayType": { "type": "string", "defaultValue": "External", "allowedValues": [ "Internal", "External" ], "metadata": { "description": "Specifies the type of the Istio Ingress Gateway." } }, "kedaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Kubernetes Event-Driven Autoscaler (KEDA) add-on is enabled or not." } }, "daprEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Dapr extension is enabled or not." 
} }, "daprHaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable high availability (HA) mode for the Dapr control plane." } }, "fluxGitOpsEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Flux V2 extension is enabled or not." } }, "verticalPodAutoscalerEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Vertical Pod Autoscaler is enabled or not." } }, "aciConnectorLinuxEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the aciConnectorLinux add-on is enabled or not." } }, "azurePolicyEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the azurepolicy add-on is enabled or not." } }, "azureKeyvaultSecretsProviderEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault Provider for Secrets Store CSI Driver addon is enabled or not." } }, "kubeDashboardEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the kubeDashboard add-on is enabled or not." } }, "podIdentityProfileEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the pod identity addon is enabled." } }, "autoScalerProfileScanInterval": { "type": "string", "defaultValue": "10s", "metadata": { "description": "Specifies the scan interval of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterAdd": { "type": "string", "defaultValue": "10m", "metadata": { "description": "Specifies the scale down delay after add of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterDelete": { "type": "string", "defaultValue": "20s", "metadata": { "description": "Specifies the scale down delay after delete of the auto-scaler of the AKS cluster." 
} }, "autoScalerProfileScaleDownDelayAfterFailure": { "type": "string", "defaultValue": "3m", "metadata": { "description": "Specifies scale down delay after failure of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownUnneededTime": { "type": "string", "defaultValue": "10m", "metadata": { "description": "Specifies the scale down unneeded time of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownUnreadyTime": { "type": "string", "defaultValue": "20m", "metadata": { "description": "Specifies the scale down unready time of the auto-scaler of the AKS cluster." } }, "autoScalerProfileUtilizationThreshold": { "type": "string", "defaultValue": "0.5", "metadata": { "description": "Specifies the utilization threshold of the auto-scaler of the AKS cluster." } }, "autoScalerProfileMaxGracefulTerminationSec": { "type": "string", "defaultValue": "600", "metadata": { "description": "Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster." } }, "enableVnetIntegration": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable API server VNET integration for the cluster or not." } }, "virtualNetworkName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Vnet', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Vnet', toLower(parameters('prefix'))), format('{0}-vnet', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the virtual network." } }, "virtualNetworkAddressPrefixes": { "type": "string", "defaultValue": "10.0.0.0/8", "metadata": { "description": "Specifies the address prefixes of the virtual network." 
} }, "systemAgentPoolSubnetName": { "type": "string", "defaultValue": "SystemSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the default system agent pool of the AKS cluster." } }, "systemAgentPoolSubnetAddressPrefix": { "type": "string", "defaultValue": "10.0.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the worker nodes of the default system agent pool of the AKS cluster." } }, "userAgentPoolSubnetName": { "type": "string", "defaultValue": "UserSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the user agent pool of the AKS cluster." } }, "userAgentPoolSubnetAddressPrefix": { "type": "string", "defaultValue": "10.1.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the worker nodes of the user agent pool of the AKS cluster." } }, "windowsAgentPoolSubnetName": { "type": "string", "defaultValue": "WindowsSubnet", "metadata": { "description": "Specifies the address prefix of the subnet hosting the pods running in the AKS cluster." } }, "windowsAgentPoolSubnetAddressPrefix": { "type": "string", "defaultValue": "10.4.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the pods running in the AKS cluster." } }, "blobCSIDriverEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable the Azure Blob CSI Driver. The default value is false." } }, "diskCSIDriverEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable the Azure Disk CSI Driver. The default value is true." } }, "fileCSIDriverEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable the Azure File CSI Driver. The default value is true." 
} }, "snapshotControllerEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable the Snapshot Controller. The default value is true." } }, "defenderSecurityMonitoringEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable Defender threat detection. The default value is false." } }, "imageCleanerEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable ImageCleaner on the AKS cluster. The default value is false." } }, "imageCleanerIntervalHours": { "type": "int", "defaultValue": 24, "metadata": { "description": "Specifies the ImageCleaner scanning interval in hours." } }, "nodeRestrictionEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable Node Restriction. The default value is false." } }, "workloadIdentityEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable Workload Identity. The default value is false." } }, "oidcIssuerProfileEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the OIDC issuer is enabled." } }, "podSubnetName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'PodSubnet', if(equals(parameters('letterCaseType'), 'CamelCase'), 'podSubnet', 'pod-subnet'))]", "metadata": { "description": "Specifies the name of the subnet hosting the pods running in the AKS cluster." } }, "podSubnetAddressPrefix": { "type": "string", "defaultValue": "10.2.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the pods running in the AKS cluster." 
} }, "apiServerSubnetName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'ApiServerSubnet', if(equals(parameters('letterCaseType'), 'CamelCase'), 'apiServerSubnet', 'api-server-subnet'))]", "metadata": { "description": "Specifies the name of the subnet delegated to the API server when configuring the AKS cluster to use API server VNET integration." } }, "apiServerSubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.0.0/28", "metadata": { "description": "Specifies the address prefix of the subnet delegated to the API server when configuring the AKS cluster to use API server VNET integration." } }, "vmSubnetName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'VmSubnet', if(equals(parameters('letterCaseType'), 'CamelCase'), 'vmSubnet', 'vm-subnet'))]", "metadata": { "description": "Specifies the name of the subnet which contains the virtual machine." } }, "vmSubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.1.0/24", "metadata": { "description": "Specifies the address prefix of the subnet which contains the virtual machine." } }, "bastionSubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.2.0/24", "metadata": { "description": "Specifies the Bastion subnet IP prefix. This prefix must be within vnet IP prefix address space." } }, "applicationGatewaySubnetName": { "type": "string", "defaultValue": "AppGatewaySubnet", "metadata": { "description": "Specifies the name of the subnet which contains the Application Gateway." } }, "applicationGatewaySubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.3.0/24", "metadata": { "description": "Specifies the address prefix of the subnet which contains the Application Gateway." 
} }, "logAnalyticsWorkspaceName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Workspace', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Workspace', toLower(parameters('prefix'))), format('{0}-workspace', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Log Analytics Workspace." } }, "logAnalyticsSku": { "type": "string", "defaultValue": "PerNode", "allowedValues": [ "Free", "Standalone", "PerNode", "PerGB2018" ], "metadata": { "description": "Specifies the service tier of the workspace: Free, Standalone, PerNode, Per-GB." } }, "vmEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create a jumpbox virtual machine in the AKS cluster virtual network." } }, "vmName": { "type": "string", "defaultValue": "TestVm", "metadata": { "description": "Specifies the name of the virtual machine." } }, "vmSize": { "type": "string", "defaultValue": "Standard_DS3_v2", "metadata": { "description": "Specifies the size of the virtual machine." } }, "imagePublisher": { "type": "string", "defaultValue": "Canonical", "metadata": { "description": "Specifies the image publisher of the disk image used to create the virtual machine." } }, "imageOffer": { "type": "string", "defaultValue": "0001-com-ubuntu-server-jammy", "metadata": { "description": "Specifies the offer of the platform image or marketplace image used to create the virtual machine." } }, "imageSku": { "type": "string", "defaultValue": "22_04-lts-gen2", "metadata": { "description": "Specifies the Ubuntu version for the VM. This will pick a fully patched image of the given Ubuntu version." 
} }, "authenticationType": { "type": "string", "defaultValue": "password", "allowedValues": [ "sshPublicKey", "password" ], "metadata": { "description": "Specifies the type of authentication when accessing the Virtual Machine. SSH key is recommended." } }, "vmAdminUsername": { "type": "string", "metadata": { "description": "Specifies the name of the administrator account of the virtual machine." } }, "vmAdminPasswordOrKey": { "type": "securestring", "metadata": { "description": "Specifies the SSH Key or password for the virtual machine. SSH key is recommended." } }, "diskStorageAccountType": { "type": "string", "defaultValue": "Premium_LRS", "allowedValues": [ "Premium_LRS", "StandardSSD_LRS", "Standard_LRS", "UltraSSD_LRS" ], "metadata": { "description": "Specifies the storage account type for OS and data disk." } }, "numDataDisks": { "type": "int", "defaultValue": 1, "minValue": 0, "maxValue": 64, "metadata": { "description": "Specifies the number of data disks of the virtual machine." } }, "osDiskSize": { "type": "int", "defaultValue": 50, "metadata": { "description": "Specifies the size in GB of the OS disk of the VM." } }, "dataDiskSize": { "type": "int", "defaultValue": 50, "metadata": { "description": "Specifies the size in GB of the OS disk of the virtual machine." } }, "dataDiskCaching": { "type": "string", "defaultValue": "ReadWrite", "metadata": { "description": "Specifies the caching requirements for the data disks." } }, "blobStorageAccountName": { "type": "string", "defaultValue": "[format('serverboot{0}', uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the globally unique name for the storage account used to store the boot diagnostics logs of the virtual machine." 
} }, "blobStorageAccountPrivateEndpointName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'BlobStorageAccountPrivateEndpoint', if(equals(parameters('letterCaseType'), 'CamelCase'), 'blobStorageAccountPrivateEndpoint', 'blob-storage-account-private-endpoint'))]", "metadata": { "description": "Specifies the name of the private endpoint to the boot diagnostics storage account." } }, "acrPrivateEndpointName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'AcrPrivateEndpoint', if(equals(parameters('letterCaseType'), 'CamelCase'), 'acrPrivateEndpoint', 'acr-private-endpoint'))]", "metadata": { "description": "Specifies the name of the private link to the Azure Container Registry." } }, "acrName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Acr', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Acr', toLower(parameters('prefix'))), format('{0}-acr', toLower(parameters('prefix')))))]", "minLength": 5, "maxLength": 50, "metadata": { "description": "Name of your Azure Container Registry" } }, "acrAdminUserEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable admin user that have push / pull permission to the registry." } }, "acrSku": { "type": "string", "defaultValue": "Premium", "allowedValues": [ "Basic", "Standard", "Premium" ], "metadata": { "description": "Tier of your Azure Container Registry." } }, "bastionHostEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether Azure Bastion should be created." 
} }, "bastionHostName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Bastion', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Bastion', toLower(parameters('prefix'))), format('{0}-bastion', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure Bastion resource." } }, "applicationGatewayEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether creating the Application Gateway and enabling the Application Gateway Ingress Controller or not." } }, "applicationGatewayName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}ApplicationGateway', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}ApplicationGateway', toLower(parameters('prefix'))), format('{0}-application-gateway', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Application Gateway." } }, "applicationGatewaySkuName": { "type": "string", "defaultValue": "WAF_v2", "metadata": { "description": "Specifies the sku of the Application Gateway." } }, "applicationGatewayFrontendIpConfigurationType": { "type": "string", "defaultValue": "Public", "allowedValues": [ "Public", "Private", "Both" ], "metadata": { "description": "Specifies the frontend IP configuration type." } }, "applicationGatewayPrivateIpAddress": { "type": "string", "metadata": { "description": "Specifies the private IP address of the Application Gateway." 
} }, "applicationGatewayPublicIpAddressName": { "type": "string", "defaultValue": "[format('{0}PublicIp', parameters('applicationGatewayName'))]", "metadata": { "description": "Specifies the name of the public IP adddress used by the Application Gateway." } }, "applicationGatewayAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones of the Application Gateway." } }, "applicationGatewayMinCapacity": { "type": "int", "defaultValue": 1, "metadata": { "description": "Specifies the lower bound on number of Application Gateway capacity." } }, "applicationGatewayMaxCapacity": { "type": "int", "defaultValue": 10, "metadata": { "description": "Specifies the upper bound on number of Application Gateway capacity." } }, "applicationGatewayPrivateLinkEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether create or not a Private Link for the Application Gateway." } }, "wafPolicyName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}WafPolicy', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}WafPolicy', toLower(parameters('prefix'))), format('{0}-waf-policy', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the WAF policy" } }, "wafPolicyMode": { "type": "string", "defaultValue": "Prevention", "allowedValues": [ "Detection", "Prevention" ], "metadata": { "description": "Specifies the mode of the WAF policy." } }, "wafPolicyState": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled " ], "metadata": { "description": "Specifies the state of the WAF policy." 
} }, "wafPolicyFileUploadLimitInMb": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the maximum file upload size in Mb for the WAF policy." } }, "wafPolicyMaxRequestBodySizeInKb": { "type": "int", "defaultValue": 128, "metadata": { "description": "Specifies the maximum request body size in Kb for the WAF policy." } }, "wafPolicyRequestBodyCheck": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies the whether to allow WAF to check request Body." } }, "wafPolicyRuleSetType": { "type": "string", "defaultValue": "OWASP", "metadata": { "description": "Specifies the rule set type." } }, "wafPolicyRuleSetVersion": { "type": "string", "defaultValue": "3.2", "metadata": { "description": "Specifies the rule set version." } }, "natGatewayName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}NatGateway', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}NatGateway', toLower(parameters('prefix'))), format('{0}-nat-gateway', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure NAT Gateway." } }, "natGatewayZones": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies a list of availability zones denoting the zone in which Nat Gateway should be deployed." } }, "natGatewayPublicIps": { "type": "int", "defaultValue": 1, "metadata": { "description": "Specifies the number of Public IPs to create for the Azure NAT Gateway." } }, "natGatewayIdleTimeoutMins": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the idle timeout in minutes for the Azure NAT Gateway." 
} }, "keyVaultPrivateEndpointName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'KeyVaultPrivateEndpoint', if(equals(parameters('letterCaseType'), 'CamelCase'), 'keyVaultPrivateEndpoint', 'key-vault-private-endpoint'))]", "metadata": { "description": "Specifies the name of the private link to the Key Vault." } }, "keyVaultName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}KeyVault', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}KeyVault', toLower(parameters('prefix'))), format('{0}-key-vault', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Key Vault resource." } }, "keyVaultNetworkAclsDefaultAction": { "type": "string", "defaultValue": "Allow", "allowedValues": [ "Allow", "Deny" ], "metadata": { "description": "The default action of allow or deny when no other rules match. Allowed values: Allow or Deny" } }, "keyVaultEnabledForDeployment": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault resource is enabled for deployments." } }, "keyVaultEnabledForDiskEncryption": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault resource is enabled for disk encryption." } }, "keyVaultEnabledForTemplateDeployment": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault resource is enabled for template deployment." } }, "keyVaultEnableSoftDelete": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the soft deelete is enabled for this Azure Key Vault resource." 
} }, "keyVaultObjectIds": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the object ID ofthe service principals to configure in Key Vault access policies." } }, "openAiEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether creating the Azure OpenAi resource or not." } }, "openAiName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}OpenAi', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}OpenAi', toLower(parameters('prefix'))), format('{0}-openai', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure OpenAI resource." } }, "openAiSku": { "type": "object", "defaultValue": { "name": "S0" }, "metadata": { "description": "Specifies the resource model definition representing SKU." } }, "openAiIdentity": { "type": "object", "defaultValue": { "type": "SystemAssigned" }, "metadata": { "description": "Specifies the identity of the OpenAI resource." } }, "openAiCustomSubDomainName": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies an optional subdomain name used for token-based authentication." } }, "openAiPublicNetworkAccess": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether or not public endpoint access is allowed for this account.." 
} }, "openAiDeployments": { "type": "array", "defaultValue": [ { "name": "text-embedding-ada-002", "version": "2", "raiPolicyName": "", "capacity": null, "scaleType": "Standard" }, { "name": "gpt-35-turbo", "version": "0301", "raiPolicyName": "", "capacity": null, "scaleType": "Standard" }, { "name": "text-davinci-003", "version": "1", "raiPolicyName": "", "capacity": null, "scaleType": "Standard" } ], "metadata": { "description": "Specifies the OpenAI deployments to create." } }, "openAiPrivateEndpointName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), 'OpenAiPrivateEndpoint', if(equals(parameters('letterCaseType'), 'CamelCase'), 'OpenAiPrivateEndpoint', 'openai-private-endpoint'))]", "metadata": { "description": "Specifies the name of the private link to the Azure OpenAI resource." } }, "tags": { "type": "object", "defaultValue": { "IaC": "Bicep" }, "metadata": { "description": "Specifies the resource tags." } }, "clusterTags": { "type": "object", "defaultValue": { "IaC": "Bicep", "ApiServerVnetIntegration": true, "PodSubnet": false, "PerAgentPoolSubnet": true, "NetworkPolicy": "Azure", "NetworkPlugin": "Azure" }, "metadata": { "description": "Specifies the resource tags." } }, "actionGroupName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}ActionGroup', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}ActionGroup', toLower(parameters('prefix'))), format('{0}-action-group', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Action Group." } }, "actionGroupShortName": { "type": "string", "defaultValue": "AksAlerts", "metadata": { "description": "Specifies the short name of the action group. This will be used in SMS messages.." 
} }, "actionGroupEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications." } }, "actionGroupEmailAddress": { "type": "string", "metadata": { "description": "Specifies the email address of the receiver." } }, "actionGroupUseCommonAlertSchema": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to use common alert schema.." } }, "actionGroupCountryCode": { "type": "string", "defaultValue": "39", "metadata": { "description": "Specifies the country code of the SMS receiver." } }, "actionGroupPhoneNumber": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the phone number of the SMS receiver." } }, "prometheusAndGrafanaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether create or not Azure Monitor managed service for Prometheus and Azure Managed Grafana resources." } }, "metricAnnotationsAllowList": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies a comma-separated list of additional Kubernetes label keys that will be used in the resource labels metric." } }, "metricLabelsAllowlist": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies a comma-separated list of Kubernetes annotations keys that will be used in the resource labels metric." 
} }, "prometheusName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Prometheus', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Prometheus', toLower(parameters('prefix'))), format('{0}-prometheus', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure Monitor managed service for Prometheus resource." } }, "prometheusPublicNetworkAccess": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether or not public endpoint access is allowed for the Azure Monitor managed service for Prometheus resource." } }, "grafanaName": { "type": "string", "defaultValue": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}Grafana', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}Grafana', toLower(parameters('prefix'))), format('{0}-grafana', toLower(parameters('prefix')))))]", "metadata": { "description": "Specifies the name of the Azure Managed Grafana resource." } }, "grafanaSkuName": { "type": "string", "defaultValue": "Standard", "metadata": { "description": "Specifies the sku of the Azure Managed Grafana resource." } }, "grafanaApiKey": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "Specifies the api key setting of the Azure Managed Grafana resource." } }, "grafanaAutoGeneratedDomainNameLabelScope": { "type": "string", "defaultValue": "TenantReuse", "allowedValues": [ "TenantReuse" ], "metadata": { "description": "Specifies the scope for dns deterministic name hash calculation." 
} }, "grafanaDeterministicOutboundIP": { "type": "string", "defaultValue": "Disabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "Specifies whether the Azure Managed Grafana resource uses deterministic outbound IPs." } }, "grafanaPublicNetworkAccess": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "Specifies the the state for enable or disable traffic over the public interface for the the Azure Managed Grafana resource." } }, "grafanaZoneRedundancy": { "type": "string", "defaultValue": "Disabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "The zone redundancy setting of the Azure Managed Grafana resource." } }, "subdomain": { "type": "string", "defaultValue": "magic8ball", "metadata": { "description": "Specifies the subdomain of the Kubernetes ingress object." } }, "domain": { "type": "string", "defaultValue": "contoso.internal", "metadata": { "description": "Specifies the domain of the Kubernetes ingress object." } }, "namespace": { "type": "string", "defaultValue": "magic8ball", "metadata": { "description": "Specifies the namespace of the application." } }, "serviceAccountName": { "type": "string", "defaultValue": "magic8ball-sa", "metadata": { "description": "Specifies the service account of the application." } }, "email": { "type": "string", "defaultValue": "admin@contoso.com", "metadata": { "description": "Specifies the email address for the cert-manager cluster issuer." } }, "deploymentScripName": { "type": "string", "defaultValue": "BashScript", "metadata": { "description": "Specifies the name of the deployment script uri." } }, "deploymentScriptUri": { "type": "string", "metadata": { "description": "Specifies the deployment script uri." 
} } }, "variables": { "hostName": "[format('{0}.{1}', parameters('subdomain'), parameters('domain'))]" }, "resources": [ { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "keyVault", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('keyVaultName')]" }, "networkAclsDefaultAction": { "value": "[parameters('keyVaultNetworkAclsDefaultAction')]" }, "enabledForDeployment": { "value": "[parameters('keyVaultEnabledForDeployment')]" }, "enabledForDiskEncryption": { "value": "[parameters('keyVaultEnabledForDiskEncryption')]" }, "enabledForTemplateDeployment": { "value": "[parameters('keyVaultEnabledForTemplateDeployment')]" }, "enableSoftDelete": { "value": "[parameters('keyVaultEnableSoftDelete')]" }, "objectIds": { "value": "[parameters('keyVaultObjectIds')]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "2255992187056873905" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of the Key Vault resource." } }, "skuName": { "type": "string", "defaultValue": "standard", "allowedValues": [ "premium", "standard" ], "metadata": { "description": "Specifies the sku name of the Key Vault resource." } }, "tenantId": { "type": "string", "defaultValue": "[subscription().tenantId]", "metadata": { "description": "Specifies the Azure Active Directory tenant ID that should be used for authenticating requests to the key vault." 
} }, "networkAclsDefaultAction": { "type": "string", "defaultValue": "Allow", "allowedValues": [ "Allow", "Deny" ], "metadata": { "description": "The default action of allow or deny when no other rules match. Allowed values: Allow or Deny" } }, "enabledForDeployment": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault resource is enabled for deployments." } }, "enabledForDiskEncryption": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault resource is enabled for disk encryption." } }, "enabledForTemplateDeployment": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault resource is enabled for template deployment." } }, "enableSoftDelete": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the soft deelete is enabled for this Azure Key Vault resource." } }, "objectIds": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the object ID ofthe service principals to configure in Key Vault access policies." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} } }, "variables": { "copy": [ { "name": "logs", "count": "[length(variables('logCategories'))]", "input": { "category": "[variables('logCategories')[copyIndex('logs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "metrics", "count": "[length(variables('metricCategories'))]", "input": { "category": "[variables('metricCategories')[copyIndex('metrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } } ], "diagnosticSettingsName": "diagnosticSettings", "logCategories": [ "AuditEvent", "AzurePolicyEvaluationDetails" ], "metricCategories": [ "AllMetrics" ] }, "resources": [ { "type": "Microsoft.KeyVault/vaults", "apiVersion": "2021-10-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "copy": [ { "name": "accessPolicies", "count": "[length(parameters('objectIds'))]", "input": { "tenantId": "[subscription().tenantId]", "objectId": "[parameters('objectIds')[copyIndex('accessPolicies')]]", "permissions": { "keys": [ "get", "list" ], "secrets": [ "get", "list" ], "certificates": [ "get", "list" ] } } } ], "sku": { "family": "A", "name": "[parameters('skuName')]" }, "tenantId": "[parameters('tenantId')]", "networkAcls": { "bypass": "AzureServices", "defaultAction": "[parameters('networkAclsDefaultAction')]" }, "enabledForDeployment": "[parameters('enabledForDeployment')]", "enabledForDiskEncryption": "[parameters('enabledForDiskEncryption')]", "enabledForTemplateDeployment": "[parameters('enabledForTemplateDeployment')]", "enableSoftDelete": "[parameters('enableSoftDelete')]" } }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('logs')]", "metrics": "[variables('metrics')]" }, "dependsOn": [ 
"[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "workspace", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('logAnalyticsWorkspaceName')]" }, "location": { "value": "[parameters('location')]" }, "sku": { "value": "[parameters('logAnalyticsSku')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "16766729232445168572" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of the Log Analytics workspace." } }, "sku": { "type": "string", "defaultValue": "PerNode", "allowedValues": [ "Free", "Standalone", "PerNode", "PerGB2018" ], "metadata": { "description": "Specifies the service tier of the workspace: Free, Standalone, PerNode, Per-GB." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} } }, "resources": [ { "type": "Microsoft.OperationalInsights/workspaces", "apiVersion": "2021-12-01-preview", "name": "[parameters('name')]", "tags": "[parameters('tags')]", "location": "[parameters('location')]", "properties": { "sku": { "name": "[parameters('sku')]" } } } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" }, "customerId": { "type": "string", "value": "[reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('name')), '2021-12-01-preview').customerId]" } } } } }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "containerRegistry", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('acrName')]" }, "sku": { "value": "[parameters('acrSku')]" }, "adminUserEnabled": { "value": "[parameters('acrAdminUserEnabled')]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "5807716787087477945" } }, "parameters": { "name": { "type": "string", "defaultValue": "[format('acr{0}', uniqueString(resourceGroup().id))]", "minLength": 5, "maxLength": 50, "metadata": { "description": "Name of your Azure Container Registry" } }, "adminUserEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable admin user that have push / pull permission to the registry." 
} }, "sku": { "type": "string", "defaultValue": "Premium", "allowedValues": [ "Basic", "Standard", "Premium" ], "metadata": { "description": "Tier of your Azure Container Registry." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "variables": { "copy": [ { "name": "logs", "count": "[length(variables('logCategories'))]", "input": { "category": "[variables('logCategories')[copyIndex('logs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "metrics", "count": "[length(variables('metricCategories'))]", "input": { "category": "[variables('metricCategories')[copyIndex('metrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } } ], "diagnosticSettingsName": "diagnosticSettings", "logCategories": [ "ContainerRegistryRepositoryEvents", "ContainerRegistryLoginEvents" ], "metricCategories": [ "AllMetrics" ] }, "resources": [ { "type": "Microsoft.ContainerRegistry/registries", "apiVersion": "2021-12-01-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "[parameters('sku')]" }, "properties": { "adminUserEnabled": "[parameters('adminUserEnabled')]" } }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('name'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('logs')]", "metrics": "[variables('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" ] } ], "outputs": { "id": { "type": 
"string", "value": "[resourceId('Microsoft.ContainerRegistry/registries', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "condition": "[parameters('vmEnabled')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "storageAccount", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('blobStorageAccountName')]" }, "createContainers": { "value": true }, "containerNames": { "value": [ "todoapi", "todoweb" ] }, "keyVaultName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault'), '2022-09-01').outputs.name.value]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "13249535459009766675" } }, "parameters": { "name": { "type": "string", "defaultValue": "[format('boot{0}', uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the globally unique name for the storage account used to store the boot diagnostics logs of the virtual machine." } }, "createContainers": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create containers." } }, "containerNames": { "type": "array", "metadata": { "description": "Specifies an array of containers to create." } }, "keyVaultName": { "type": "string", "metadata": { "description": "Specifies the name of a Key Vault where to store secrets." 
} }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "variables": { "copy": [ { "name": "logs", "count": "[length(variables('logCategories'))]", "input": { "category": "[variables('logCategories')[copyIndex('logs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "metrics", "count": "[length(variables('metricCategories'))]", "input": { "category": "[variables('metricCategories')[copyIndex('metrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } } ], "diagnosticSettingsName": "diagnosticSettings", "logCategories": [ "StorageRead", "StorageWrite", "StorageDelete" ], "metricCategories": [ "Transaction" ] }, "resources": [ { "copy": { "name": "containers", "count": "[length(parameters('containerNames'))]" }, "condition": "[parameters('createContainers')]", "type": "Microsoft.Storage/storageAccounts/blobServices/containers", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}/{2}', parameters('name'), 'default', parameters('containerNames')[copyIndex()])]", "properties": { "publicAccess": "None" }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]" ] }, { "type": "Microsoft.Storage/storageAccounts/blobServices", "apiVersion": "2021-09-01", "name": "[format('{0}/{1}', parameters('name'), 'default')]", "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" ] }, { "type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-09-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "Standard_LRS" }, "kind": "StorageV2" }, { "type": 
"Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Storage/storageAccounts/{0}/blobServices/{1}', parameters('name'), 'default')]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('logs')]", "metrics": "[variables('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('name'), 'default')]" ] }, { "type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2021-11-01-preview", "name": "[format('{0}/{1}', parameters('keyVaultName'), 'DataProtection--BlobStorage--AccountName')]", "properties": { "value": "[parameters('name')]" }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" ] }, { "type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2021-11-01-preview", "name": "[format('{0}/{1}', parameters('keyVaultName'), 'DataProtection--BlobStorage--ConnectionString')]", "properties": { "value": "[format('DefaultEndpointsProtocol=https;AccountName={0};AccountKey={1}', parameters('name'), listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('name')), '2021-09-01').keys[0].value)]" }, "dependsOn": [ "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" ] }, { "type": "Microsoft.KeyVault/vaults/secrets", "apiVersion": "2021-11-01-preview", "name": "[format('{0}/{1}', parameters('keyVaultName'), 'DataProtection--BlobStorage--UseAzureCredential')]", "properties": { "value": "true" } } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.Storage/storageAccounts', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'keyVault')]", "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "network", 
"properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "podSubnetEnabled": { "value": "[and(and(not(equals(parameters('aksClusterNetworkPluginMode'), 'Overlay')), not(equals(parameters('podSubnetName'), ''))), not(equals(parameters('podSubnetAddressPrefix'), '')))]" }, "enableVnetIntegration": { "value": "[parameters('enableVnetIntegration')]" }, "bastionHostEnabled": { "value": "[parameters('bastionHostEnabled')]" }, "virtualNetworkName": { "value": "[parameters('virtualNetworkName')]" }, "virtualNetworkAddressPrefixes": { "value": "[parameters('virtualNetworkAddressPrefixes')]" }, "systemAgentPoolSubnetName": { "value": "[parameters('systemAgentPoolSubnetName')]" }, "systemAgentPoolSubnetAddressPrefix": { "value": "[parameters('systemAgentPoolSubnetAddressPrefix')]" }, "userAgentPoolSubnetName": { "value": "[parameters('userAgentPoolSubnetName')]" }, "userAgentPoolSubnetAddressPrefix": { "value": "[parameters('userAgentPoolSubnetAddressPrefix')]" }, "windowsAgentPoolSubnetName": { "value": "[parameters('windowsAgentPoolSubnetName')]" }, "windowsAgentPoolSubnetAddressPrefix": { "value": "[parameters('windowsAgentPoolSubnetAddressPrefix')]" }, "windowsAgentPoolEnabled": { "value": "[parameters('windowsAgentPoolEnabled')]" }, "podSubnetName": { "value": "[parameters('podSubnetName')]" }, "podSubnetAddressPrefix": { "value": "[parameters('podSubnetAddressPrefix')]" }, "apiServerSubnetName": { "value": "[parameters('apiServerSubnetName')]" }, "apiServerSubnetAddressPrefix": { "value": "[parameters('apiServerSubnetAddressPrefix')]" }, "vmEnabled": { "value": "[parameters('vmEnabled')]" }, "vmSubnetName": { "value": "[parameters('vmSubnetName')]" }, "vmSubnetAddressPrefix": { "value": "[parameters('vmSubnetAddressPrefix')]" }, "vmSubnetNsgName": { "value": "[format('{0}Nsg', parameters('vmSubnetName'))]" }, "bastionSubnetAddressPrefix": { "value": "[parameters('bastionSubnetAddressPrefix')]" }, "bastionSubnetNsgName": 
{ "value": "AzureBastionSubnetNsg" }, "applicationGatewayEnabled": { "value": "[parameters('applicationGatewayEnabled')]" }, "applicationGatewaySubnetName": { "value": "[parameters('applicationGatewaySubnetName')]" }, "applicationGatewaySubnetAddressPrefix": { "value": "[parameters('applicationGatewaySubnetAddressPrefix')]" }, "bastionHostName": { "value": "[parameters('bastionHostName')]" }, "natGatewayName": { "value": "[parameters('natGatewayName')]" }, "natGatewayEnabled": { "value": "[equals(parameters('aksClusterOutboundType'), 'userAssignedNATGateway')]" }, "natGatewayZones": { "value": "[parameters('natGatewayZones')]" }, "natGatewayPublicIps": { "value": "[parameters('natGatewayPublicIps')]" }, "natGatewayIdleTimeoutMins": { "value": "[parameters('natGatewayIdleTimeoutMins')]" }, "createAcrPrivateEndpoint": { "value": "[equals(parameters('acrSku'), 'Premium')]" }, "storageAccountPrivateEndpointName": { "value": "[parameters('blobStorageAccountPrivateEndpointName')]" }, "storageAccountId": "[if(parameters('vmEnabled'), createObject('value', reference(resourceId('Microsoft.Resources/deployments', 'storageAccount'), '2022-09-01').outputs.id.value), createObject('value', ''))]", "keyVaultPrivateEndpointName": { "value": "[parameters('keyVaultPrivateEndpointName')]" }, "keyVaultId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault'), '2022-09-01').outputs.id.value]" }, "acrPrivateEndpointName": { "value": "[parameters('acrPrivateEndpointName')]" }, "acrId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'containerRegistry'), '2022-09-01').outputs.id.value]" }, "openAiEnabled": { "value": "[parameters('openAiEnabled')]" }, "openAiPrivateEndpointName": { "value": "[parameters('openAiPrivateEndpointName')]" }, "openAiId": "[if(parameters('openAiEnabled'), createObject('value', reference(resourceId('Microsoft.Resources/deployments', 'openAi'), '2022-09-01').outputs.id.value), createObject('value', ''))]", 
"workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "5509046460350427542" } }, "parameters": { "podSubnetEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the podSubnet is enabled." } }, "enableVnetIntegration": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable API server VNET integration for the cluster or not." } }, "virtualNetworkName": { "type": "string", "metadata": { "description": "Specifies the name of the virtual network." } }, "virtualNetworkAddressPrefixes": { "type": "string", "defaultValue": "10.0.0.0/8", "metadata": { "description": "Specifies the address prefixes of the virtual network." } }, "systemAgentPoolSubnetName": { "type": "string", "defaultValue": "SystemSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the default system agent pool of the AKS cluster." } }, "systemAgentPoolSubnetAddressPrefix": { "type": "string", "defaultValue": "10.0.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the worker nodes of the default system agent pool of the AKS cluster." } }, "userAgentPoolSubnetName": { "type": "string", "defaultValue": "UserSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the user agent pool of the AKS cluster." 
} }, "userAgentPoolSubnetAddressPrefix": { "type": "string", "defaultValue": "10.1.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the worker nodes of the user agent pool of the AKS cluster." } }, "podSubnetName": { "type": "string", "defaultValue": "PodSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the pods running in the AKS cluster." } }, "podSubnetAddressPrefix": { "type": "string", "defaultValue": "10.2.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the pods running in the AKS cluster." } }, "windowsAgentPoolEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to create a Windows agent pool." } }, "windowsAgentPoolSubnetName": { "type": "string", "defaultValue": "WindowsSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the Windows agent pool of the AKS cluster." } }, "windowsAgentPoolSubnetAddressPrefix": { "type": "string", "defaultValue": "10.4.0.0/16", "metadata": { "description": "Specifies the address prefix of the subnet hosting the worker nodes of the Windows agent pool of the AKS cluster." } }, "apiServerSubnetName": { "type": "string", "defaultValue": "ApiServerSubnet", "metadata": { "description": "Specifies the name of the subnet delegated to the API server when configuring the AKS cluster to use API server VNET integration." } }, "apiServerSubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.0.0/28", "metadata": { "description": "Specifies the address prefix of the subnet delegated to the API server when configuring the AKS cluster to use API server VNET integration." } }, "vmEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create a jumpbox virtual machine in the AKS cluster virtual network." 
} }, "vmSubnetName": { "type": "string", "defaultValue": "VmSubnet", "metadata": { "description": "Specifies the name of the subnet which contains the virtual machine." } }, "vmSubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.1.0/24", "metadata": { "description": "Specifies the address prefix of the subnet which contains the virtual machine." } }, "vmSubnetNsgName": { "type": "string", "defaultValue": "VmSubnetNsg", "metadata": { "description": "Specifies the name of the network security group associated with the subnet hosting the virtual machine." } }, "bastionSubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.2.0/24", "metadata": { "description": "Specifies the Bastion subnet IP prefix. This prefix must be within the virtual network address space." } }, "applicationGatewayEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to create the Application Gateway and enable the Application Gateway Ingress Controller." } }, "applicationGatewaySubnetName": { "type": "string", "defaultValue": "AppGatewaySubnet", "metadata": { "description": "Specifies the name of the subnet which contains the Application Gateway." } }, "applicationGatewaySubnetAddressPrefix": { "type": "string", "defaultValue": "10.3.3.0/24", "metadata": { "description": "Specifies the address prefix of the subnet which contains the Application Gateway." } }, "bastionSubnetNsgName": { "type": "string", "defaultValue": "AzureBastionNsg", "metadata": { "description": "Specifies the name of the network security group associated with the subnet hosting Azure Bastion." } }, "bastionHostEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether Azure Bastion should be created." } }, "bastionHostName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Bastion resource." 
} }, "bastionHostDisableCopyPaste": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable Copy/Paste feature of the Bastion Host resource." } }, "bastionHostEnableFileCopy": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable File Copy feature of the Bastion Host resource." } }, "bastionHostEnableIpConnect": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable IP Connect feature of the Bastion Host resource." } }, "bastionHostEnableShareableLink": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable Shareable Link of the Bastion Host resource." } }, "bastionHostEnableTunneling": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable/Disable Tunneling feature of the Bastion Host resource." } }, "natGatewayName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure NAT Gateway." } }, "natGatewayEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to create an Azure NAT Gateway for outbound connections." } }, "natGatewayZones": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies a list of availability zones denoting the zone in which the NAT Gateway should be deployed." } }, "natGatewayPublicIps": { "type": "int", "defaultValue": 1, "metadata": { "description": "Specifies the number of Public IPs to create for the Azure NAT Gateway." } }, "natGatewayIdleTimeoutMins": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the idle timeout in minutes for the Azure NAT Gateway." } }, "storageAccountPrivateEndpointName": { "type": "string", "defaultValue": "BlobStorageAccountPrivateEndpoint", "metadata": { "description": "Specifies the name of the private link to the boot diagnostics storage account." 
} }, "storageAccountId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Azure Storage Account." } }, "keyVaultPrivateEndpointName": { "type": "string", "defaultValue": "KeyVaultPrivateEndpoint", "metadata": { "description": "Specifies the name of the private link to the Key Vault." } }, "keyVaultId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Azure Key Vault." } }, "createAcrPrivateEndpoint": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to create a private endpoint for the Azure Container Registry." } }, "acrPrivateEndpointName": { "type": "string", "defaultValue": "AcrPrivateEndpoint", "metadata": { "description": "Specifies the name of the private link to the Azure Container Registry." } }, "acrId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Azure Container Registry." } }, "openAiEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to create the Azure OpenAI resource." } }, "openAiPrivateEndpointName": { "type": "string", "defaultValue": "OpenAiPrivateEndpoint", "metadata": { "description": "Specifies the name of the private link to the Azure OpenAI resource." } }, "openAiId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Azure OpenAI resource." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} } }, "variables": { "copy": [ { "name": "nsgLogs", "count": "[length(variables('nsgLogCategories'))]", "input": { "category": "[variables('nsgLogCategories')[copyIndex('nsgLogs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "vnetLogs", "count": "[length(variables('vnetLogCategories'))]", "input": { "category": "[variables('vnetLogCategories')[copyIndex('vnetLogs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "vnetMetrics", "count": "[length(variables('vnetMetricCategories'))]", "input": { "category": "[variables('vnetMetricCategories')[copyIndex('vnetMetrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "bastionLogs", "count": "[length(variables('bastionLogCategories'))]", "input": { "category": "[variables('bastionLogCategories')[copyIndex('bastionLogs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "bastionMetrics", "count": "[length(variables('bastionMetricCategories'))]", "input": { "category": "[variables('bastionMetricCategories')[copyIndex('bastionMetrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } } ], "diagnosticSettingsName": "diagnosticSettings", "nsgLogCategories": [ "NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter" ], "vnetLogCategories": [ "VMProtectionAlerts" ], "vnetMetricCategories": [ "AllMetrics" ], "bastionLogCategories": [ "BastionAuditLogs" ], "bastionMetricCategories": [ "AllMetrics" ], "bastionSubnetName": "AzureBastionSubnet", "bastionPublicIpAddressName": "[format('{0}PublicIp', parameters('bastionHostName'))]", "systemAgentPoolSubnet": { "name": "[parameters('systemAgentPoolSubnetName')]", "properties": { "addressPrefix": "[parameters('systemAgentPoolSubnetAddressPrefix')]", "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled", "natGateway": "[if(parameters('natGatewayEnabled'), 
createObject('id', resourceId('Microsoft.Network/natGateways', parameters('natGatewayName'))), null())]" } }, "userAgentPoolSubnet": { "name": "[parameters('userAgentPoolSubnetName')]", "properties": { "addressPrefix": "[parameters('userAgentPoolSubnetAddressPrefix')]", "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled", "natGateway": "[if(parameters('natGatewayEnabled'), createObject('id', resourceId('Microsoft.Network/natGateways', parameters('natGatewayName'))), null())]" } }, "windowsAgentPoolSubnet": { "name": "[parameters('windowsAgentPoolSubnetName')]", "properties": { "addressPrefix": "[parameters('windowsAgentPoolSubnetAddressPrefix')]", "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled", "natGateway": "[if(parameters('natGatewayEnabled'), createObject('id', resourceId('Microsoft.Network/natGateways', parameters('natGatewayName'))), null())]" } }, "podSubnet": { "name": "[parameters('podSubnetName')]", "properties": { "addressPrefix": "[parameters('podSubnetAddressPrefix')]", "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled", "natGateway": "[if(parameters('natGatewayEnabled'), createObject('id', resourceId('Microsoft.Network/natGateways', parameters('natGatewayName'))), null())]", "delegations": [ { "name": "aks-delegation", "properties": { "serviceName": "Microsoft.ContainerService/managedClusters" } } ] } }, "apiServerSubnet": { "name": "[parameters('apiServerSubnetName')]", "properties": { "addressPrefix": "[parameters('apiServerSubnetAddressPrefix')]", "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled", "delegations": [ { "name": "aks-delegation", "properties": { "serviceName": "Microsoft.ContainerService/managedClusters" } } ] } }, "vmSubnet": { "name": "[parameters('vmSubnetName')]", "properties": { "addressPrefix": "[parameters('vmSubnetAddressPrefix')]", "networkSecurityGroup": { 
"id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('vmSubnetNsgName'))]" }, "privateEndpointNetworkPolicies": "Enabled", "privateLinkServiceNetworkPolicies": "Disabled", "natGateway": "[if(parameters('natGatewayEnabled'), createObject('id', resourceId('Microsoft.Network/natGateways', parameters('natGatewayName'))), null())]" } }, "bastionSubnet": { "name": "[variables('bastionSubnetName')]", "properties": { "addressPrefix": "[parameters('bastionSubnetAddressPrefix')]", "networkSecurityGroup": { "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionSubnetNsgName'))]" } } }, "applicationGatewaySubnet": { "name": "[parameters('applicationGatewaySubnetName')]", "properties": { "addressPrefix": "[parameters('applicationGatewaySubnetAddressPrefix')]", "privateEndpointNetworkPolicies": "Enabled", "privateLinkServiceNetworkPolicies": "Disabled" } }, "subnets": "[union(array(variables('systemAgentPoolSubnet')), array(variables('userAgentPoolSubnet')), if(parameters('podSubnetEnabled'), array(variables('podSubnet')), createArray()), if(parameters('windowsAgentPoolEnabled'), array(variables('windowsAgentPoolSubnet')), createArray()), if(parameters('enableVnetIntegration'), array(variables('apiServerSubnet')), createArray()), array(variables('vmSubnet')), if(parameters('bastionHostEnabled'), array(variables('bastionSubnet')), createArray()), if(parameters('applicationGatewayEnabled'), array(variables('applicationGatewaySubnet')), createArray()))]" }, "resources": [ { "condition": "[parameters('bastionHostEnabled')]", "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2021-08-01", "name": "[parameters('bastionSubnetNsgName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "securityRules": [ { "name": "AllowHttpsInBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "443", "destinationAddressPrefix": 
"*", "access": "Allow", "priority": 100, "direction": "Inbound" } }, { "name": "AllowGatewayManagerInBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "GatewayManager", "destinationPortRange": "443", "destinationAddressPrefix": "*", "access": "Allow", "priority": 110, "direction": "Inbound" } }, { "name": "AllowLoadBalancerInBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "443", "destinationAddressPrefix": "*", "access": "Allow", "priority": 120, "direction": "Inbound" } }, { "name": "AllowBastionHostCommunicationInBound", "properties": { "protocol": "*", "sourcePortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRanges": [ "8080", "5701" ], "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 130, "direction": "Inbound" } }, { "name": "DenyAllInBound", "properties": { "protocol": "*", "sourcePortRange": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*", "destinationAddressPrefix": "*", "access": "Deny", "priority": 1000, "direction": "Inbound" } }, { "name": "AllowSshRdpOutBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "*", "destinationPortRanges": [ "22", "3389" ], "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 100, "direction": "Outbound" } }, { "name": "AllowAzureCloudCommunicationOutBound", "properties": { "protocol": "Tcp", "sourcePortRange": "*", "sourceAddressPrefix": "*", "destinationPortRange": "443", "destinationAddressPrefix": "AzureCloud", "access": "Allow", "priority": 110, "direction": "Outbound" } }, { "name": "AllowBastionHostCommunicationOutBound", "properties": { "protocol": "*", "sourcePortRange": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRanges": [ "8080", "5701" ], "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 120, "direction": "Outbound" } 
}, { "name": "AllowGetSessionInformationOutBound", "properties": { "protocol": "*", "sourcePortRange": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "Internet", "destinationPortRanges": [ "80", "443" ], "access": "Allow", "priority": 130, "direction": "Outbound" } }, { "name": "DenyAllOutBound", "properties": { "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Deny", "priority": 1000, "direction": "Outbound" } } ] } }, { "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2021-08-01", "name": "[parameters('vmSubnetNsgName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "securityRules": [ { "name": "AllowSshInbound", "properties": { "priority": 100, "access": "Allow", "direction": "Inbound", "destinationPortRange": "22", "protocol": "Tcp", "sourceAddressPrefix": "*", "sourcePortRange": "*", "destinationAddressPrefix": "*" } } ] } }, { "type": "Microsoft.Network/virtualNetworks", "apiVersion": "2021-08-01", "name": "[parameters('virtualNetworkName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "addressSpace": { "addressPrefixes": [ "[parameters('virtualNetworkAddressPrefixes')]" ] }, "subnets": "[variables('subnets')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionSubnetNsgName'))]", "[resourceId('Microsoft.Network/natGateways', parameters('natGatewayName'))]", "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('vmSubnetNsgName'))]" ] }, { "copy": { "name": "natGatewayPublicIp", "count": "[length(range(0, parameters('natGatewayPublicIps')))]" }, "condition": "[parameters('natGatewayEnabled')]", "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2021-08-01", "name": "[if(equals(parameters('natGatewayPublicIps'), 1), format('{0}PublicIp', parameters('natGatewayName')), 
format('{0}PublicIp{1}', parameters('natGatewayName'), add(range(0, parameters('natGatewayPublicIps'))[copyIndex()], 1)))]", "location": "[parameters('location')]", "sku": { "name": "Standard" }, "zones": "[if(not(empty(parameters('natGatewayZones'))), parameters('natGatewayZones'), createArray())]", "properties": { "publicIPAllocationMethod": "Static" } }, { "condition": "[parameters('natGatewayEnabled')]", "type": "Microsoft.Network/natGateways", "apiVersion": "2021-08-01", "name": "[parameters('natGatewayName')]", "location": "[parameters('location')]", "sku": { "name": "Standard" }, "zones": "[if(not(empty(parameters('natGatewayZones'))), parameters('natGatewayZones'), createArray())]", "properties": { "copy": [ { "name": "publicIpAddresses", "count": "[length(range(0, parameters('natGatewayPublicIps')))]", "input": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', if(equals(parameters('natGatewayPublicIps'), 1), format('{0}PublicIp', parameters('natGatewayName')), format('{0}PublicIp{1}', parameters('natGatewayName'), add(range(0, parameters('natGatewayPublicIps'))[range(0, parameters('natGatewayPublicIps'))[copyIndex('publicIpAddresses')]], 1))))]" } } ], "idleTimeoutInMinutes": "[parameters('natGatewayIdleTimeoutMins')]" }, "dependsOn": [ "natGatewayPublicIp" ] }, { "condition": "[parameters('bastionHostEnabled')]", "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2021-08-01", "name": "[variables('bastionPublicIpAddressName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "Standard" }, "properties": { "publicIPAllocationMethod": "Static" } }, { "condition": "[parameters('bastionHostEnabled')]", "type": "Microsoft.Network/bastionHosts", "apiVersion": "2021-08-01", "name": "[parameters('bastionHostName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "disableCopyPaste": "[parameters('bastionHostDisableCopyPaste')]", "enableFileCopy": 
"[parameters('bastionHostEnableFileCopy')]", "enableIpConnect": "[parameters('bastionHostEnableIpConnect')]", "enableShareableLink": "[parameters('bastionHostEnableShareableLink')]", "enableTunneling": "[parameters('bastionHostEnableTunneling')]", "ipConfigurations": [ { "name": "IpConf", "properties": { "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), variables('bastionSubnetName'))]" }, "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('bastionPublicIpAddressName'))]" } } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/publicIPAddresses', variables('bastionPublicIpAddressName'))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateDnsZones", "apiVersion": "2020-06-01", "name": "[format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io'))]", "location": "global", "tags": "[parameters('tags')]" }, { "condition": "[parameters('vmEnabled')]", "type": "Microsoft.Network/privateDnsZones", "apiVersion": "2020-06-01", "name": "[format('privatelink.blob.{0}', environment().suffixes.storage)]", "location": "global", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Network/privateDnsZones", "apiVersion": "2020-06-01", "name": "[format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net'))]", "location": "global", "tags": "[parameters('tags')]" }, { "condition": "[parameters('openAiEnabled')]", "type": "Microsoft.Network/privateDnsZones", "apiVersion": "2020-06-01", "name": "[format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'openai.usgovcloudapi.net', 'openai.azure.com'))]", "location": "global", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", 
"apiVersion": "2020-06-01", "name": "[format('{0}/{1}', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io')), format('link_to_{0}', toLower(parameters('virtualNetworkName'))))]", "location": "global", "properties": { "registrationEnabled": false, "virtualNetwork": { "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io')))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "condition": "[parameters('vmEnabled')]", "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', format('privatelink.blob.{0}', environment().suffixes.storage), format('link_to_{0}', toLower(parameters('virtualNetworkName'))))]", "location": "global", "properties": { "registrationEnabled": false, "virtualNetwork": { "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.blob.{0}', environment().suffixes.storage))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net')), format('link_to_{0}', toLower(parameters('virtualNetworkName'))))]", "location": "global", "properties": { "registrationEnabled": false, "virtualNetwork": { "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', 
format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net')))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "condition": "[parameters('openAiEnabled')]", "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", "apiVersion": "2020-06-01", "name": "[format('{0}/{1}', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'openai.usgovcloudapi.net', 'openai.azure.com')), format('link_to_{0}', toLower(parameters('virtualNetworkName'))))]", "location": "global", "properties": { "registrationEnabled": false, "virtualNetwork": { "id": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'openai.usgovcloudapi.net', 'openai.azure.com')))]", "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "condition": "[parameters('createAcrPrivateEndpoint')]", "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2022-09-01", "name": "[parameters('acrPrivateEndpointName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "privateLinkServiceConnections": [ { "name": "[parameters('acrPrivateEndpointName')]", "properties": { "privateLinkServiceId": "[parameters('acrId')]", "groupIds": [ "registry" ] } } ], "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), parameters('vmSubnetName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "condition": "[parameters('createAcrPrivateEndpoint')]", "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2022-09-01", "name": 
"[format('{0}/{1}', parameters('acrPrivateEndpointName'), 'acrPrivateDnsZoneGroup')]", "properties": { "privateDnsZoneConfigs": [ { "name": "dnsConfig", "properties": { "privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io')))]" } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'azurecr.us', 'azurecr.io')))]", "[resourceId('Microsoft.Network/privateEndpoints', parameters('acrPrivateEndpointName'))]" ] }, { "condition": "[parameters('vmEnabled')]", "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2022-09-01", "name": "[parameters('storageAccountPrivateEndpointName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "privateLinkServiceConnections": [ { "name": "[parameters('storageAccountPrivateEndpointName')]", "properties": { "privateLinkServiceId": "[parameters('storageAccountId')]", "groupIds": [ "blob" ] } } ], "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), parameters('vmSubnetName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "condition": "[parameters('vmEnabled')]", "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2022-09-01", "name": "[format('{0}/{1}', parameters('storageAccountPrivateEndpointName'), 'PrivateDnsZoneGroupName')]", "properties": { "privateDnsZoneConfigs": [ { "name": "dnsConfig", "properties": { "privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.blob.{0}', environment().suffixes.storage))]" } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.blob.{0}', environment().suffixes.storage))]", 
"[resourceId('Microsoft.Network/privateEndpoints', parameters('storageAccountPrivateEndpointName'))]" ] }, { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2022-09-01", "name": "[parameters('keyVaultPrivateEndpointName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "privateLinkServiceConnections": [ { "name": "[parameters('keyVaultPrivateEndpointName')]", "properties": { "privateLinkServiceId": "[parameters('keyVaultId')]", "groupIds": [ "vault" ] } } ], "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), parameters('vmSubnetName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2022-09-01", "name": "[format('{0}/{1}', parameters('keyVaultPrivateEndpointName'), 'PrivateDnsZoneGroupName')]", "properties": { "privateDnsZoneConfigs": [ { "name": "dnsConfig", "properties": { "privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net')))]" } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'vaultcore.usgovcloudapi.net', 'vaultcore.azure.net')))]", "[resourceId('Microsoft.Network/privateEndpoints', parameters('keyVaultPrivateEndpointName'))]" ] }, { "condition": "[parameters('openAiEnabled')]", "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2022-09-01", "name": "[parameters('openAiPrivateEndpointName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "privateLinkServiceConnections": [ { "name": "[parameters('openAiPrivateEndpointName')]", "properties": { "privateLinkServiceId": 
"[parameters('openAiId')]", "groupIds": [ "account" ] } } ], "subnet": { "id": "[format('{0}/subnets/{1}', resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), parameters('vmSubnetName'))]" } }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "condition": "[parameters('openAiEnabled')]", "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2022-09-01", "name": "[format('{0}/{1}', parameters('openAiPrivateEndpointName'), 'PrivateDnsZoneGroupName')]", "properties": { "privateDnsZoneConfigs": [ { "name": "dnsConfig", "properties": { "privateDnsZoneId": "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'openai.usgovcloudapi.net', 'openai.azure.com')))]" } } ] }, "dependsOn": [ "[resourceId('Microsoft.Network/privateDnsZones', format('privatelink.{0}', if(equals(toLower(environment().name), 'azureusgovernment'), 'openai.usgovcloudapi.net', 'openai.azure.com')))]", "[resourceId('Microsoft.Network/privateEndpoints', parameters('openAiPrivateEndpointName'))]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('vmSubnetNsgName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('nsgLogs')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('vmSubnetNsgName'))]" ] }, { "condition": "[parameters('bastionHostEnabled')]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('bastionSubnetNsgName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": 
"[variables('nsgLogs')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('bastionSubnetNsgName'))]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/virtualNetworks/{0}', parameters('virtualNetworkName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('vnetLogs')]", "metrics": "[variables('vnetMetrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" ] }, { "condition": "[parameters('bastionHostEnabled')]", "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('bastionHostName'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('bastionLogs')]", "metrics": "[variables('bastionMetrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/bastionHosts', parameters('bastionHostName'))]" ] } ], "outputs": { "virtualNetworkId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]" }, "virtualNetworkName": { "type": "string", "value": "[parameters('virtualNetworkName')]" }, "systemAgentPoolSubnetId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('systemAgentPoolSubnetName'))]" }, "userAgentPoolSubnetId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('userAgentPoolSubnetName'))]" }, "windowsAgentPoolSubnetId": { "type": "string", "value": "[if(parameters('windowsAgentPoolEnabled'), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), 
parameters('windowsAgentPoolSubnetName')), '')]" }, "podSubnetId": { "type": "string", "value": "[if(parameters('podSubnetEnabled'), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('podSubnetName')), '')]" }, "vmSubnetId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('vmSubnetName'))]" }, "bastionSubnetId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), variables('bastionSubnetName'))]" }, "applicationGatewaySubnetId": { "type": "string", "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('applicationGatewaySubnetName'))]" }, "systemAgentPoolSubnetName": { "type": "string", "value": "[parameters('systemAgentPoolSubnetName')]" }, "userAgentPoolSubnetName": { "type": "string", "value": "[parameters('systemAgentPoolSubnetName')]" }, "windowsAgentPoolSubnetName": { "type": "string", "value": "[parameters('windowsAgentPoolSubnetName')]" }, "podSubnetName": { "type": "string", "value": "[parameters('podSubnetName')]" }, "vmSubnetName": { "type": "string", "value": "[parameters('vmSubnetName')]" }, "bastionSubnetName": { "type": "string", "value": "[variables('bastionSubnetName')]" }, "applicationGatewaySubnetName": { "type": "string", "value": "[parameters('applicationGatewaySubnetName')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'containerRegistry')]", "[resourceId('Microsoft.Resources/deployments', 'keyVault')]", "[resourceId('Microsoft.Resources/deployments', 'openAi')]", "[resourceId('Microsoft.Resources/deployments', 'storageAccount')]", "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "condition": "[parameters('vmEnabled')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "jumpboxVirtualMachine", "properties": { 
"expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "vmName": { "value": "[parameters('vmName')]" }, "vmSize": { "value": "[parameters('vmSize')]" }, "vmSubnetId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network'), '2022-09-01').outputs.vmSubnetId.value]" }, "storageAccountName": "[if(parameters('vmEnabled'), createObject('value', reference(resourceId('Microsoft.Resources/deployments', 'storageAccount'), '2022-09-01').outputs.name.value), createObject('value', ''))]", "imagePublisher": { "value": "[parameters('imagePublisher')]" }, "imageOffer": { "value": "[parameters('imageOffer')]" }, "imageSku": { "value": "[parameters('imageSku')]" }, "authenticationType": { "value": "[parameters('authenticationType')]" }, "vmAdminUsername": { "value": "[parameters('vmAdminUsername')]" }, "vmAdminPasswordOrKey": { "value": "[parameters('vmAdminPasswordOrKey')]" }, "diskStorageAccountType": { "value": "[parameters('diskStorageAccountType')]" }, "numDataDisks": { "value": "[parameters('numDataDisks')]" }, "osDiskSize": { "value": "[parameters('osDiskSize')]" }, "dataDiskSize": { "value": "[parameters('dataDiskSize')]" }, "dataDiskCaching": { "value": "[parameters('dataDiskCaching')]" }, "managedIdentityName": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), createObject('value', format('{0}{1}AzureMonitorAgentManagedIdentity', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1))))), if(equals(parameters('letterCaseType'), 'CamelCase'), createObject('value', format('{0}AzureMonitorAgentManagedIdentity', toLower(parameters('prefix')))), createObject('value', format('{0}-azure-monitor-agent-managed-identity', toLower(parameters('prefix'))))))]", "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "15541984622859495884" } }, "parameters": { "vmName": { "type": "string", "defaultValue": "TestVm", "metadata": { "description": "Specifies the name of the virtual machine." } }, "vmSize": { "type": "string", "defaultValue": "Standard_DS3_v2", "metadata": { "description": "Specifies the size of the virtual machine." } }, "vmSubnetId": { "type": "string", "metadata": { "description": "Specifies the resource id of the subnet hosting the virtual machine." } }, "storageAccountName": { "type": "string", "metadata": { "description": "Specifies the name of the storage account where the bootstrap diagnostic logs of the virtual machine are stored." } }, "imagePublisher": { "type": "string", "defaultValue": "Canonical", "metadata": { "description": "Specifies the image publisher of the disk image used to create the virtual machine." } }, "imageOffer": { "type": "string", "defaultValue": "0001-com-ubuntu-server-jammy", "metadata": { "description": "Specifies the offer of the platform image or marketplace image used to create the virtual machine." } }, "imageSku": { "type": "string", "defaultValue": "22_04-lts-gen2", "metadata": { "description": "Specifies the Ubuntu version for the VM. This will pick a fully patched image of this given Ubuntu version." } }, "authenticationType": { "type": "string", "defaultValue": "password", "allowedValues": [ "sshPublicKey", "password" ], "metadata": { "description": "Specifies the type of authentication when accessing the Virtual Machine. SSH key is recommended." } }, "vmAdminUsername": { "type": "string", "metadata": { "description": "Specifies the name of the administrator account of the virtual machine." 
} }, "vmAdminPasswordOrKey": { "type": "securestring", "metadata": { "description": "Specifies the SSH Key or password for the virtual machine. SSH key is recommended." } }, "diskStorageAccountType": { "type": "string", "defaultValue": "Premium_LRS", "allowedValues": [ "Premium_LRS", "StandardSSD_LRS", "Standard_LRS", "UltraSSD_LRS" ], "metadata": { "description": "Specifies the storage account type for the OS and data disks." } }, "numDataDisks": { "type": "int", "defaultValue": 1, "minValue": 0, "maxValue": 64, "metadata": { "description": "Specifies the number of data disks of the virtual machine." } }, "osDiskSize": { "type": "int", "defaultValue": 50, "metadata": { "description": "Specifies the size in GB of the OS disk of the VM." } }, "dataDiskSize": { "type": "int", "defaultValue": 50, "metadata": { "description": "Specifies the size in GB of each data disk of the virtual machine." } }, "dataDiskCaching": { "type": "string", "defaultValue": "ReadWrite", "metadata": { "description": "Specifies the caching requirements for the data disks." } }, "managedIdentityName": { "type": "string", "metadata": { "description": "Specifies the name of the user-defined managed identity used by the Azure Monitor Agent." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} } }, "variables": { "vmNicName": "[format('{0}Nic', parameters('vmName'))]", "linuxConfiguration": { "disablePasswordAuthentication": true, "ssh": { "publicKeys": [ { "path": "[format('/home/{0}/.ssh/authorized_keys', parameters('vmAdminUsername'))]", "keyData": "[parameters('vmAdminPasswordOrKey')]" } ] }, "provisionVMAgent": true } }, "resources": [ { "type": "Microsoft.Network/networkInterfaces", "apiVersion": "2021-08-01", "name": "[variables('vmNicName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "ipConfigurations": [ { "name": "ipconfig1", "properties": { "privateIPAllocationMethod": "Dynamic", "subnet": { "id": "[parameters('vmSubnetId')]" } } } ] } }, { "type": "Microsoft.Compute/virtualMachines", "apiVersion": "2021-11-01", "name": "[parameters('vmName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "hardwareProfile": { "vmSize": "[parameters('vmSize')]" }, "osProfile": { "computerName": "[parameters('vmName')]", "adminUsername": "[parameters('vmAdminUsername')]", "adminPassword": "[parameters('vmAdminPasswordOrKey')]", "linuxConfiguration": "[if(equals(parameters('authenticationType'), 'password'), null(), variables('linuxConfiguration'))]" }, "storageProfile": { "copy": [ { "name": "dataDisks", "count": "[length(range(0, parameters('numDataDisks')))]", "input": { "caching": "[parameters('dataDiskCaching')]", "diskSizeGB": "[parameters('dataDiskSize')]", "lun": "[range(0, parameters('numDataDisks'))[copyIndex('dataDisks')]]", "name": "[format('{0}-DataDisk{1}', parameters('vmName'), range(0, parameters('numDataDisks'))[copyIndex('dataDisks')])]", "createOption": "Empty", "managedDisk": { "storageAccountType": "[parameters('diskStorageAccountType')]" } } } ], "imageReference": { "publisher": "[parameters('imagePublisher')]", "offer": "[parameters('imageOffer')]", "sku": "[parameters('imageSku')]", "version": "latest" }, "osDisk": { "name": "[format('{0}_OSDisk', 
parameters('vmName'))]", "caching": "ReadWrite", "createOption": "FromImage", "diskSizeGB": "[parameters('osDiskSize')]", "managedDisk": { "storageAccountType": "[parameters('diskStorageAccountType')]" } } }, "networkProfile": { "networkInterfaces": [ { "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('vmNicName'))]" } ] }, "diagnosticsProfile": { "bootDiagnostics": { "enabled": true, "storageUri": "[reference(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-09-01').primaryEndpoints.blob]" } } }, "dependsOn": [ "[resourceId('Microsoft.Network/networkInterfaces', variables('vmNicName'))]" ] }, { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2023-01-31", "name": "[parameters('managedIdentityName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Compute/virtualMachines/extensions", "apiVersion": "2021-11-01", "name": "[format('{0}/{1}', parameters('vmName'), 'AzureMonitorLinuxAgent')]", "location": "[parameters('location')]", "properties": { "publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorLinuxAgent", "typeHandlerVersion": "1.21", "autoUpgradeMinorVersion": true, "enableAutomaticUpgrade": true, "settings": { "authentication": { "managedIdentity": { "identifier-name": "mi_res_id", "identifier-value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" } } } }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]", "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]" ] } ] } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'network')]", "[resourceId('Microsoft.Resources/deployments', 'storageAccount')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "aksManageIdentity", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
}, "mode": "Incremental", "parameters": { "managedIdentityName": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), createObject('value', format('{0}{1}AksManagedIdentity', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1))))), if(equals(parameters('letterCaseType'), 'CamelCase'), createObject('value', format('{0}AksManagedIdentity', toLower(parameters('prefix')))), createObject('value', format('{0}-aks-managed-identity', toLower(parameters('prefix'))))))]", "virtualNetworkName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network'), '2022-09-01').outputs.virtualNetworkName.value]" }, "systemAgentPoolSubnetName": { "value": "[parameters('systemAgentPoolSubnetName')]" }, "userAgentPoolSubnetName": { "value": "[parameters('userAgentPoolSubnetName')]" }, "podSubnetName": { "value": "[parameters('podSubnetName')]" }, "apiServerSubnetName": { "value": "[parameters('apiServerSubnetName')]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "12740139246391840321" } }, "parameters": { "managedIdentityName": { "type": "string", "metadata": { "description": "Specifies the name of the user-defined managed identity." } }, "virtualNetworkName": { "type": "string", "metadata": { "description": "Specifies the name of the existing virtual network." } }, "systemAgentPoolSubnetName": { "type": "string", "defaultValue": "SystemSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the default system agent pool of the AKS cluster." 
} }, "userAgentPoolSubnetName": { "type": "string", "defaultValue": "UserSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the user agent pool of the AKS cluster." } }, "podSubnetName": { "type": "string", "defaultValue": "PodSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the pods running in the AKS cluster." } }, "apiServerSubnetName": { "type": "string", "defaultValue": "ApiServerSubnet", "metadata": { "description": "Specifies the name of the subnet delegated to the API server when configuring the AKS cluster to use API server VNET integration." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } } }, "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2023-01-31", "name": "[parameters('managedIdentityName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('systemAgentPoolSubnetName'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('systemAgentPoolSubnetName')), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), '2023-01-31').principalId]", 
"principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" ] }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('userAgentPoolSubnetName'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('userAgentPoolSubnetName')), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), '2023-01-31').principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" ] }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('podSubnetName'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('podSubnetName')), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", "principalId": 
"[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), '2023-01-31').principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" ] }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', parameters('virtualNetworkName'), parameters('apiServerSubnetName'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('apiServerSubnetName')), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), '2023-01-31').principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" }, "name": { "type": "string", "value": "[parameters('managedIdentityName')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'network')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "kubeletManageIdentity", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "aksClusterName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), 
'2022-09-01').outputs.name.value]" }, "acrName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'containerRegistry'), '2022-09-01').outputs.name.value]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "8014882600671056193" } }, "parameters": { "aksClusterName": { "type": "string", "metadata": { "description": "Specifies the name of the existing AKS cluster." } }, "acrName": { "type": "string", "metadata": { "description": "Specifies the name of the existing container registry." } } }, "resources": [ { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('acrName'))]", "name": "[guid(parameters('aksClusterName'), resourceId('Microsoft.ContainerRegistry/registries', parameters('acrName')), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName')), '2022-03-02-preview').identityProfile.kubeletidentity.objectId]", "principalType": "ServicePrincipal" } } ] } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]", "[resourceId('Microsoft.Resources/deployments', 'containerRegistry')]" ] }, { "condition": "[parameters('applicationGatewayEnabled')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "applicationGateway", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('applicationGatewayName')]" }, "skuName": { "value": 
"[parameters('applicationGatewaySkuName')]" }, "frontendIpConfigurationType": { "value": "[parameters('applicationGatewayFrontendIpConfigurationType')]" }, "publicIpAddressName": { "value": "[parameters('applicationGatewayPublicIpAddressName')]" }, "subnetId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network'), '2022-09-01').outputs.applicationGatewaySubnetId.value]" }, "privateLinkSubnetId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network'), '2022-09-01').outputs.vmSubnetId.value]" }, "privateIpAddress": { "value": "[parameters('applicationGatewayPrivateIpAddress')]" }, "availabilityZones": { "value": "[parameters('applicationGatewayAvailabilityZones')]" }, "minCapacity": { "value": "[parameters('applicationGatewayMinCapacity')]" }, "maxCapacity": { "value": "[parameters('applicationGatewayMaxCapacity')]" }, "privateLinkEnabled": { "value": "[parameters('applicationGatewayPrivateLinkEnabled')]" }, "wafPolicyName": { "value": "[parameters('wafPolicyName')]" }, "wafPolicyMode": { "value": "[parameters('wafPolicyMode')]" }, "wafPolicyState": { "value": "[parameters('wafPolicyState')]" }, "wafPolicyFileUploadLimitInMb": { "value": "[parameters('wafPolicyFileUploadLimitInMb')]" }, "wafPolicyMaxRequestBodySizeInKb": { "value": "[parameters('wafPolicyMaxRequestBodySizeInKb')]" }, "wafPolicyRequestBodyCheck": { "value": "[parameters('wafPolicyRequestBodyCheck')]" }, "wafPolicyRuleSetType": { "value": "[parameters('wafPolicyRuleSetType')]" }, "wafPolicyRuleSetVersion": { "value": "[parameters('wafPolicyRuleSetVersion')]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.id.value]" }, "keyVaultName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault'), '2022-09-01').outputs.name.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('clusterTags')]" } }, "template": { 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "14646765728738717117" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of the Application Gateway." } }, "skuName": { "type": "string", "defaultValue": "WAF_v2", "metadata": { "description": "Specifies the sku of the Application Gateway." } }, "frontendIpConfigurationType": { "type": "string", "allowedValues": [ "Public", "Private", "Both" ], "metadata": { "description": "Specifies the frontend IP configuration type." } }, "publicIpAddressName": { "type": "string", "defaultValue": "[format('{0}PublicIp', parameters('name'))]", "metadata": { "description": "Specifies the name of the public IP address used by the Application Gateway." } }, "location": { "type": "string", "metadata": { "description": "Specifies the location of the Application Gateway." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } }, "subnetId": { "type": "string", "metadata": { "description": "Specifies the resource id of the subnet used by the Application Gateway." } }, "privateLinkSubnetId": { "type": "string", "metadata": { "description": "Specifies the resource id of the subnet used by the Application Gateway Private Link." } }, "privateIpAddress": { "type": "string", "metadata": { "description": "Specifies the private IP address of the Application Gateway." } }, "availabilityZones": { "type": "array", "metadata": { "description": "Specifies the availability zones of the Application Gateway." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the workspace id of the Log Analytics used to monitor the Application Gateway." 
} }, "minCapacity": { "type": "int", "defaultValue": 1, "metadata": { "description": "Specifies the lower bound on the Application Gateway capacity." } }, "maxCapacity": { "type": "int", "defaultValue": 10, "metadata": { "description": "Specifies the upper bound on the Application Gateway capacity." } }, "privateLinkEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether or not to create a Private Link for the Application Gateway." } }, "wafPolicyName": { "type": "string", "defaultValue": "[format('{0}WafPolicy', parameters('name'))]", "metadata": { "description": "Specifies the name of the WAF policy." } }, "wafPolicyMode": { "type": "string", "defaultValue": "Prevention", "allowedValues": [ "Detection", "Prevention" ], "metadata": { "description": "Specifies the mode of the WAF policy." } }, "wafPolicyState": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies the state of the WAF policy." } }, "wafPolicyFileUploadLimitInMb": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the maximum file upload size in Mb for the WAF policy." } }, "wafPolicyMaxRequestBodySizeInKb": { "type": "int", "defaultValue": 128, "metadata": { "description": "Specifies the maximum request body size in Kb for the WAF policy." } }, "wafPolicyRequestBodyCheck": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to allow the WAF to check the request body." } }, "wafPolicyRuleSetType": { "type": "string", "defaultValue": "OWASP", "metadata": { "description": "Specifies the rule set type." } }, "wafPolicyRuleSetVersion": { "type": "string", "defaultValue": "3.2", "metadata": { "description": "Specifies the rule set version." } }, "keyVaultName": { "type": "string", "metadata": { "description": "Specifies the name of the Key Vault resource." 
} } }, "variables": { "copy": [ { "name": "applicationGatewayLogs", "count": "[length(variables('applicationGatewayLogCategories'))]", "input": { "category": "[variables('applicationGatewayLogCategories')[copyIndex('applicationGatewayLogs')]]", "enabled": true } }, { "name": "applicationGatewayMetrics", "count": "[length(variables('applicationGatewayMetricCategories'))]", "input": { "category": "[variables('applicationGatewayMetricCategories')[copyIndex('applicationGatewayMetrics')]]", "enabled": true } } ], "diagnosticSettingsName": "diagnosticSettings", "applicationGatewayResourceId": "[resourceId('Microsoft.Network/applicationGateways', parameters('name'))]", "gatewayIPConfigurationName": "DefaultGatewayIpConfiguration", "frontendPortName": "DefaultFrontendPort", "backendAddressPoolName": "DefaultBackendPool", "backendHttpSettingsName": "DefaultBackendHttpSettings", "httpListenerName": "DefaultHttpListener", "routingRuleName": "DefaultRequestRoutingRule", "privateLinkName": "DefaultPrivateLink", "publicFrontendIPConfigurationName": "PublicFrontendIPConfiguration", "privateFrontendIPConfigurationName": "PrivateFrontendIPConfiguration", "frontendIPConfigurationName": "[if(equals(parameters('frontendIpConfigurationType'), 'Public'), variables('publicFrontendIPConfigurationName'), variables('privateFrontendIPConfigurationName'))]", "applicationGatewayZones": "[if(not(empty(parameters('availabilityZones'))), parameters('availabilityZones'), createArray())]", "publicFrontendIPConfiguration": { "name": "[variables('publicFrontendIPConfigurationName')]", "properties": { "privateIPAllocationMethod": "Dynamic", "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpAddressName'))]" }, "privateLinkConfiguration": "[if(and(parameters('privateLinkEnabled'), equals(parameters('frontendIpConfigurationType'), 'Public')), createObject('id', format('{0}/privateLinkConfigurations/{1}', variables('applicationGatewayResourceId'), 
variables('privateLinkName'))), null())]" } }, "privateFrontendIPConfiguration": { "name": "[variables('privateFrontendIPConfigurationName')]", "properties": { "privateIPAllocationMethod": "Static", "privateIPAddress": "[parameters('privateIpAddress')]", "subnet": { "id": "[parameters('subnetId')]" }, "privateLinkConfiguration": "[if(and(parameters('privateLinkEnabled'), not(equals(parameters('frontendIpConfigurationType'), 'Public'))), createObject('id', format('{0}/privateLinkConfigurations/{1}', variables('applicationGatewayResourceId'), variables('privateLinkName'))), null())]" } }, "frontendIPConfigurations": "[union(if(equals(parameters('frontendIpConfigurationType'), 'Public'), array(variables('publicFrontendIPConfiguration')), createArray()), if(equals(parameters('frontendIpConfigurationType'), 'Private'), array(variables('privateFrontendIPConfiguration')), createArray()), if(equals(parameters('frontendIpConfigurationType'), 'Both'), concat(array(variables('publicFrontendIPConfiguration')), array(variables('privateFrontendIPConfiguration'))), createArray()))]", "sku": "[union(createObject('name', parameters('skuName'), 'tier', parameters('skuName')), if(equals(parameters('maxCapacity'), 0), createObject('capacity', parameters('minCapacity')), createObject()))]", "applicationGatewayProperties": "[union(createObject('sku', variables('sku'), 'gatewayIPConfigurations', createArray(createObject('name', variables('gatewayIPConfigurationName'), 'properties', createObject('subnet', createObject('id', parameters('subnetId'))))), 'frontendIPConfigurations', variables('frontendIPConfigurations'), 'frontendPorts', createArray(createObject('name', variables('frontendPortName'), 'properties', createObject('port', 80))), 'backendAddressPools', createArray(createObject('name', variables('backendAddressPoolName'))), 'backendHttpSettingsCollection', createArray(createObject('name', variables('backendHttpSettingsName'), 'properties', createObject('port', 80, 'protocol', 
'Http', 'cookieBasedAffinity', 'Disabled', 'requestTimeout', 30, 'pickHostNameFromBackendAddress', true()))), 'httpListeners', createArray(createObject('name', variables('httpListenerName'), 'properties', createObject('frontendIPConfiguration', createObject('id', format('{0}/frontendIPConfigurations/{1}', variables('applicationGatewayResourceId'), variables('frontendIPConfigurationName'))), 'frontendPort', createObject('id', format('{0}/frontendPorts/{1}', variables('applicationGatewayResourceId'), variables('frontendPortName'))), 'protocol', 'Http'))), 'requestRoutingRules', createArray(createObject('name', variables('routingRuleName'), 'properties', createObject('ruleType', 'Basic', 'priority', 1000, 'httpListener', createObject('id', format('{0}/httpListeners/{1}', variables('applicationGatewayResourceId'), variables('httpListenerName'))), 'backendAddressPool', createObject('id', format('{0}/backendAddressPools/{1}', variables('applicationGatewayResourceId'), variables('backendAddressPoolName'))), 'backendHttpSettings', createObject('id', format('{0}/backendHttpSettingsCollection/{1}', variables('applicationGatewayResourceId'), variables('backendHttpSettingsName')))))), 'privateLinkConfigurations', if(parameters('privateLinkEnabled'), createArray(createObject('name', variables('privateLinkName'), 'properties', createObject('ipConfigurations', createArray(createObject('name', 'PrivateLinkDefaultIPConfiguration', 'properties', createObject('privateIPAllocationMethod', 'Dynamic', 'subnet', createObject('id', parameters('privateLinkSubnetId')))))))), createArray()), 'firewallPolicy', createObject('id', resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', parameters('wafPolicyName')))), if(greater(parameters('maxCapacity'), 0), createObject('autoscaleConfiguration', createObject('minCapacity', parameters('minCapacity'), 'maxCapacity', parameters('maxCapacity'))), createObject()))]", "applicationGatewayLogCategories": [ 
"ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog", "ApplicationGatewayPerformanceLog" ], "applicationGatewayMetricCategories": [ "AllMetrics" ] }, "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2018-11-30", "name": "[format('{0}Identity', parameters('name'))]", "location": "[parameters('location')]" }, { "condition": "[not(equals(parameters('frontendIpConfigurationType'), 'Private'))]", "type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2022-07-01", "name": "[parameters('publicIpAddressName')]", "location": "[parameters('location')]", "zones": "[variables('applicationGatewayZones')]", "sku": { "name": "Standard" }, "properties": { "publicIPAllocationMethod": "Static" } }, { "type": "Microsoft.Network/applicationGateways", "apiVersion": "2022-07-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "zones": "[variables('applicationGatewayZones')]", "identity": { "type": "UserAssigned", "userAssignedIdentities": { "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('{0}Identity', parameters('name'))))]": {} } }, "properties": "[variables('applicationGatewayProperties')]", "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('{0}Identity', parameters('name')))]", "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpAddressName'))]", "[resourceId('Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies', parameters('wafPolicyName'))]" ] }, { "type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies", "apiVersion": "2022-07-01", "name": "[parameters('wafPolicyName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "customRules": [ { "name": "BlockMe", "priority": 1, "ruleType": "MatchRule", "action": "Block", "matchConditions": [ { "matchVariables": [ { "variableName": "QueryString" } ], 
"operator": "Contains", "negationConditon": false, "matchValues": [ "blockme" ] } ] }, { "name": "BlockEvilBot", "priority": 2, "ruleType": "MatchRule", "action": "Block", "matchConditions": [ { "matchVariables": [ { "variableName": "RequestHeaders", "selector": "User-Agent" } ], "operator": "Contains", "negationConditon": false, "matchValues": [ "evilbot" ], "transforms": [ "Lowercase" ] } ] } ], "policySettings": { "requestBodyCheck": "[parameters('wafPolicyRequestBodyCheck')]", "maxRequestBodySizeInKb": "[parameters('wafPolicyMaxRequestBodySizeInKb')]", "fileUploadLimitInMb": "[parameters('wafPolicyFileUploadLimitInMb')]", "mode": "[parameters('wafPolicyMode')]", "state": "[parameters('wafPolicyState')]" }, "managedRules": { "managedRuleSets": [ { "ruleSetType": "[parameters('wafPolicyRuleSetType')]", "ruleSetVersion": "[parameters('wafPolicyRuleSetVersion')]" } ] } } }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('keyVaultName'))]", "name": "[guid(resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName')), format('{0}Identity', parameters('name')), 'keyVaultSecretsUser')]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", "principalType": "ServicePrincipal", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('{0}Identity', parameters('name'))), '2018-11-30').principalId]" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('{0}Identity', parameters('name')))]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.Network/applicationGateways/{0}', parameters('name'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": 
"[variables('applicationGatewayLogs')]", "metrics": "[variables('applicationGatewayMetrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/applicationGateways', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.Network/applicationGateways', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" }, "privateLinkFrontendIPConfigurationName": { "type": "string", "value": "[if(parameters('privateLinkEnabled'), variables('frontendIPConfigurationName'), '')]" }, "principalId": { "type": "string", "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', format('{0}Identity', parameters('name'))), '2018-11-30').principalId]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'keyVault')]", "[resourceId('Microsoft.Resources/deployments', 'network')]", "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "aksCluster", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('aksClusterName')]" }, "enableVnetIntegration": { "value": "[parameters('enableVnetIntegration')]" }, "virtualNetworkName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network'), '2022-09-01').outputs.virtualNetworkName.value]" }, "systemAgentPoolSubnetName": { "value": "[parameters('systemAgentPoolSubnetName')]" }, "userAgentPoolSubnetName": { "value": "[parameters('userAgentPoolSubnetName')]" }, "podSubnetName": { "value": "[parameters('podSubnetName')]" }, "apiServerSubnetName": { "value": "[parameters('apiServerSubnetName')]" }, "managedIdentityName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksManageIdentity'), '2022-09-01').outputs.name.value]" }, "dnsPrefix": { "value": "[parameters('aksClusterDnsPrefix')]" }, "networkPlugin": { "value": 
"[parameters('aksClusterNetworkPlugin')]" }, "networkPluginMode": { "value": "[parameters('aksClusterNetworkPluginMode')]" }, "networkPolicy": { "value": "[parameters('aksClusterNetworkPolicy')]" }, "podCidr": { "value": "[parameters('aksClusterPodCidr')]" }, "serviceCidr": { "value": "[parameters('aksClusterServiceCidr')]" }, "dnsServiceIP": { "value": "[parameters('aksClusterDnsServiceIP')]" }, "loadBalancerSku": { "value": "[parameters('aksClusterLoadBalancerSku')]" }, "monitoringEnabled": { "value": "[parameters('aksClusterMonitoringEnabled')]" }, "ipFamilies": { "value": "[parameters('aksClusterIpFamilies')]" }, "outboundType": { "value": "[parameters('aksClusterOutboundType')]" }, "skuTier": { "value": "[parameters('aksClusterSkuTier')]" }, "kubernetesVersion": { "value": "[parameters('aksClusterKubernetesVersion')]" }, "adminUsername": { "value": "[parameters('aksClusterAdminUsername')]" }, "sshPublicKey": { "value": "[parameters('aksClusterSshPublicKey')]" }, "aadProfileTenantId": { "value": "[parameters('aadProfileTenantId')]" }, "aadProfileAdminGroupObjectIDs": { "value": "[parameters('aadProfileAdminGroupObjectIDs')]" }, "aadProfileManaged": { "value": "[parameters('aadProfileManaged')]" }, "aadProfileEnableAzureRBAC": { "value": "[parameters('aadProfileEnableAzureRBAC')]" }, "nodeOSUpgradeChannel": { "value": "[parameters('aksClusterNodeOSUpgradeChannel')]" }, "upgradeChannel": { "value": "[parameters('aksClusterUpgradeChannel')]" }, "enablePrivateCluster": { "value": "[parameters('aksClusterEnablePrivateCluster')]" }, "privateDNSZone": { "value": "[parameters('aksPrivateDNSZone')]" }, "enablePrivateClusterPublicFQDN": { "value": "[parameters('aksEnablePrivateClusterPublicFQDN')]" }, "systemAgentPoolName": { "value": "[parameters('systemAgentPoolName')]" }, "systemAgentPoolVmSize": { "value": "[parameters('systemAgentPoolVmSize')]" }, "systemAgentPoolOsDiskSizeGB": { "value": "[parameters('systemAgentPoolOsDiskSizeGB')]" }, "systemAgentPoolOsDiskType": 
{ "value": "[parameters('systemAgentPoolOsDiskType')]" }, "systemAgentPoolAgentCount": { "value": "[parameters('systemAgentPoolAgentCount')]" }, "systemAgentPoolOsSKU": { "value": "[parameters('systemAgentPoolOsSKU')]" }, "systemAgentPoolOsType": { "value": "[parameters('systemAgentPoolOsType')]" }, "systemAgentPoolMaxPods": { "value": "[parameters('systemAgentPoolMaxPods')]" }, "systemAgentPoolMaxCount": { "value": "[parameters('systemAgentPoolMaxCount')]" }, "systemAgentPoolMinCount": { "value": "[parameters('systemAgentPoolMinCount')]" }, "systemAgentPoolEnableAutoScaling": { "value": "[parameters('systemAgentPoolEnableAutoScaling')]" }, "systemAgentPoolScaleSetPriority": { "value": "[parameters('systemAgentPoolScaleSetPriority')]" }, "systemAgentPoolScaleSetEvictionPolicy": { "value": "[parameters('systemAgentPoolScaleSetEvictionPolicy')]" }, "systemAgentPoolNodeLabels": { "value": "[parameters('systemAgentPoolNodeLabels')]" }, "systemAgentPoolNodeTaints": { "value": "[parameters('systemAgentPoolNodeTaints')]" }, "systemAgentPoolType": { "value": "[parameters('systemAgentPoolType')]" }, "systemAgentPoolAvailabilityZones": { "value": "[parameters('systemAgentPoolAvailabilityZones')]" }, "systemAgentPoolKubeletDiskType": { "value": "[parameters('systemAgentPoolKubeletDiskType')]" }, "userAgentPoolName": { "value": "[parameters('userAgentPoolName')]" }, "userAgentPoolVmSize": { "value": "[parameters('userAgentPoolVmSize')]" }, "userAgentPoolOsDiskSizeGB": { "value": "[parameters('userAgentPoolOsDiskSizeGB')]" }, "userAgentPoolOsDiskType": { "value": "[parameters('userAgentPoolOsDiskType')]" }, "userAgentPoolAgentCount": { "value": "[parameters('userAgentPoolAgentCount')]" }, "userAgentPoolOsSKU": { "value": "[parameters('userAgentPoolOsSKU')]" }, "userAgentPoolOsType": { "value": "[parameters('userAgentPoolOsType')]" }, "userAgentPoolMaxPods": { "value": "[parameters('userAgentPoolMaxPods')]" }, "userAgentPoolMaxCount": { "value": 
"[parameters('userAgentPoolMaxCount')]" }, "userAgentPoolMinCount": { "value": "[parameters('userAgentPoolMinCount')]" }, "userAgentPoolEnableAutoScaling": { "value": "[parameters('userAgentPoolEnableAutoScaling')]" }, "userAgentPoolScaleSetPriority": { "value": "[parameters('userAgentPoolScaleSetPriority')]" }, "userAgentPoolScaleSetEvictionPolicy": { "value": "[parameters('userAgentPoolScaleSetEvictionPolicy')]" }, "userAgentPoolNodeLabels": { "value": "[parameters('userAgentPoolNodeLabels')]" }, "userAgentPoolNodeTaints": { "value": "[parameters('userAgentPoolNodeTaints')]" }, "userAgentPoolType": { "value": "[parameters('userAgentPoolType')]" }, "userAgentPoolAvailabilityZones": { "value": "[parameters('userAgentPoolAvailabilityZones')]" }, "userAgentPoolKubeletDiskType": { "value": "[parameters('userAgentPoolKubeletDiskType')]" }, "httpApplicationRoutingEnabled": { "value": "[parameters('httpApplicationRoutingEnabled')]" }, "openServiceMeshEnabled": { "value": "[parameters('openServiceMeshEnabled')]" }, "istioServiceMeshEnabled": { "value": "[parameters('istioServiceMeshEnabled')]" }, "istioIngressGatewayEnabled": { "value": "[parameters('istioIngressGatewayEnabled')]" }, "istioIngressGatewayType": { "value": "[parameters('istioIngressGatewayType')]" }, "kedaEnabled": { "value": "[parameters('kedaEnabled')]" }, "daprEnabled": { "value": "[parameters('daprEnabled')]" }, "daprHaEnabled": { "value": "[parameters('daprHaEnabled')]" }, "fluxGitOpsEnabled": { "value": "[parameters('fluxGitOpsEnabled')]" }, "verticalPodAutoscalerEnabled": { "value": "[parameters('verticalPodAutoscalerEnabled')]" }, "aciConnectorLinuxEnabled": { "value": "[parameters('aciConnectorLinuxEnabled')]" }, "azurePolicyEnabled": { "value": "[parameters('azurePolicyEnabled')]" }, "azureKeyvaultSecretsProviderEnabled": { "value": "[parameters('azureKeyvaultSecretsProviderEnabled')]" }, "kubeDashboardEnabled": { "value": "[parameters('kubeDashboardEnabled')]" }, "autoScalerProfileScanInterval": 
{ "value": "[parameters('autoScalerProfileScanInterval')]" }, "autoScalerProfileScaleDownDelayAfterAdd": { "value": "[parameters('autoScalerProfileScaleDownDelayAfterAdd')]" }, "autoScalerProfileScaleDownDelayAfterDelete": { "value": "[parameters('autoScalerProfileScaleDownDelayAfterDelete')]" }, "autoScalerProfileScaleDownDelayAfterFailure": { "value": "[parameters('autoScalerProfileScaleDownDelayAfterFailure')]" }, "autoScalerProfileScaleDownUnneededTime": { "value": "[parameters('autoScalerProfileScaleDownUnneededTime')]" }, "autoScalerProfileScaleDownUnreadyTime": { "value": "[parameters('autoScalerProfileScaleDownUnreadyTime')]" }, "autoScalerProfileUtilizationThreshold": { "value": "[parameters('autoScalerProfileUtilizationThreshold')]" }, "autoScalerProfileMaxGracefulTerminationSec": { "value": "[parameters('autoScalerProfileMaxGracefulTerminationSec')]" }, "blobCSIDriverEnabled": { "value": "[parameters('blobCSIDriverEnabled')]" }, "diskCSIDriverEnabled": { "value": "[parameters('diskCSIDriverEnabled')]" }, "fileCSIDriverEnabled": { "value": "[parameters('fileCSIDriverEnabled')]" }, "snapshotControllerEnabled": { "value": "[parameters('snapshotControllerEnabled')]" }, "defenderSecurityMonitoringEnabled": { "value": "[parameters('defenderSecurityMonitoringEnabled')]" }, "imageCleanerEnabled": { "value": "[parameters('imageCleanerEnabled')]" }, "imageCleanerIntervalHours": { "value": "[parameters('imageCleanerIntervalHours')]" }, "nodeRestrictionEnabled": { "value": "[parameters('nodeRestrictionEnabled')]" }, "workloadIdentityEnabled": { "value": "[parameters('workloadIdentityEnabled')]" }, "oidcIssuerProfileEnabled": { "value": "[parameters('oidcIssuerProfileEnabled')]" }, "podIdentityProfileEnabled": { "value": "[parameters('podIdentityProfileEnabled')]" }, "applicationGatewayEnabled": { "value": "[parameters('applicationGatewayEnabled')]" }, "applicationGatewayId": "[if(parameters('applicationGatewayEnabled'), createObject('value', 
reference(resourceId('Microsoft.Resources/deployments', 'applicationGateway'), '2022-09-01').outputs.id.value), createObject('value', ''))]", "applicationGatewayManagedIdentityPrincipalId": "[if(parameters('applicationGatewayEnabled'), createObject('value', reference(resourceId('Microsoft.Resources/deployments', 'applicationGateway'), '2022-09-01').outputs.principalId.value), createObject('value', ''))]", "keyVaultName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault'), '2022-09-01').outputs.name.value]" }, "workloadManagedIdentityName": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), createObject('value', format('{0}{1}WorkloadManagedIdentity', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1))))), if(equals(parameters('letterCaseType'), 'CamelCase'), createObject('value', format('{0}WorkloadManagedIdentity', toLower(parameters('prefix')))), createObject('value', format('{0}-workload-managed-identity', toLower(parameters('prefix'))))))]", "prometheusAndGrafanaEnabled": { "value": "[parameters('prometheusAndGrafanaEnabled')]" }, "metricAnnotationsAllowList": { "value": "[parameters('metricAnnotationsAllowList')]" }, "metricLabelsAllowlist": { "value": "[parameters('metricLabelsAllowlist')]" }, "openAiEnabled": { "value": "[parameters('openAiEnabled')]" }, "letterCaseType": { "value": "[parameters('letterCaseType')]" }, "namespace": { "value": "[parameters('namespace')]" }, "serviceAccountName": { "value": "[parameters('serviceAccountName')]" }, "userId": { "value": "[parameters('userId')]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('clusterTags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": 
"1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "14700533493436445447" } }, "parameters": { "name": { "type": "string", "defaultValue": "[format('aks-{0}', uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the name of the AKS cluster." } }, "enableVnetIntegration": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable API server VNET integration for the cluster or not." } }, "virtualNetworkName": { "type": "string", "metadata": { "description": "Specifies the name of the existing virtual network." } }, "systemAgentPoolSubnetName": { "type": "string", "defaultValue": "SystemSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the default system agent pool of the AKS cluster." } }, "userAgentPoolSubnetName": { "type": "string", "defaultValue": "UserSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the worker nodes of the user agent pool of the AKS cluster." } }, "podSubnetName": { "type": "string", "defaultValue": "PodSubnet", "metadata": { "description": "Specifies the name of the subnet hosting the pods running in the AKS cluster." } }, "apiServerSubnetName": { "type": "string", "defaultValue": "ApiServerSubnet", "metadata": { "description": "Specifies the name of the subnet delegated to the API server when configuring the AKS cluster to use API server VNET integration." } }, "managedIdentityName": { "type": "string", "metadata": { "description": "Specifies the name of the AKS user-defined managed identity." } }, "workloadManagedIdentityName": { "type": "string", "metadata": { "description": "Specifies the name of the user-defined managed identity used by the application that uses Azure AD workload identity to authenticate against Azure OpenAI." 
} }, "dnsPrefix": { "type": "string", "defaultValue": "[parameters('name')]", "metadata": { "description": "Specifies the DNS prefix specified when creating the managed cluster." } }, "networkPlugin": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "kubenet" ], "metadata": { "description": "Specifies the network plugin used for building Kubernetes network. - azure or kubenet." } }, "networkPluginMode": { "type": "string", "defaultValue": "", "allowedValues": [ "", "Overlay" ], "metadata": { "description": "Specifies the Network plugin mode used for building the Kubernetes network." } }, "networkPolicy": { "type": "string", "defaultValue": "azure", "allowedValues": [ "azure", "calico" ], "metadata": { "description": "Specifies the network policy used for building Kubernetes network. - calico or azure" } }, "podCidr": { "type": "string", "defaultValue": "192.168.0.0/16", "metadata": { "description": "Specifies the CIDR notation IP range from which to assign pod IPs when kubenet is used." } }, "serviceCidr": { "type": "string", "defaultValue": "172.16.0.0/16", "metadata": { "description": "A CIDR notation IP range from which to assign service cluster IPs. It must not overlap with any Subnet IP ranges." } }, "dnsServiceIP": { "type": "string", "defaultValue": "172.16.0.10", "metadata": { "description": "Specifies the IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr." } }, "loadBalancerSku": { "type": "string", "defaultValue": "standard", "allowedValues": [ "basic", "standard" ], "metadata": { "description": "Specifies the sku of the load balancer used by the virtual machine scale sets used by nodepools." } }, "monitoringEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether Network Observability is enabled or not. When enabled, network monitoring generates metrics in Prometheus format." 
} }, "ipFamilies": { "type": "array", "defaultValue": [ "IPv4" ], "metadata": { "description": "Specifies the IP families used to determine single-stack or dual-stack clusters. For single-stack, the expected value is IPv4. For dual-stack, the expected values are IPv4 and IPv6." } }, "outboundType": { "type": "string", "defaultValue": "loadBalancer", "allowedValues": [ "loadBalancer", "managedNATGateway", "userAssignedNATGateway", "userDefinedRouting" ], "metadata": { "description": "Specifies the outbound (egress) routing method. - loadBalancer or userDefinedRouting." } }, "skuTier": { "type": "string", "defaultValue": "Standard", "allowedValues": [ "Standard", "Free" ], "metadata": { "description": "Specifies the tier of a managed cluster SKU: Paid or Free" } }, "kubernetesVersion": { "type": "string", "defaultValue": "1.18.8", "metadata": { "description": "Specifies the version of Kubernetes specified when creating the managed cluster." } }, "adminUsername": { "type": "string", "defaultValue": "azureuser", "metadata": { "description": "Specifies the administrator username of Linux virtual machines." } }, "sshPublicKey": { "type": "string", "metadata": { "description": "Specifies the SSH RSA public key string for the Linux nodes." } }, "aadProfileTenantId": { "type": "string", "defaultValue": "[subscription().tenantId]", "metadata": { "description": "Specifies the tenant id of the Azure Active Directory used by the AKS cluster for authentication." } }, "aadProfileAdminGroupObjectIDs": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the AAD group object IDs that will have the admin role on the cluster." } }, "nodeOSUpgradeChannel": { "type": "string", "defaultValue": "Unmanaged", "allowedValues": [ "NodeImage", "None", "SecurityPatch", "Unmanaged" ], "metadata": { "description": "Specifies the node OS upgrade channel. The default is Unmanaged, but may change to either NodeImage or SecurityPatch at GA." 
} }, "upgradeChannel": { "type": "string", "defaultValue": "stable", "allowedValues": [ "rapid", "stable", "patch", "node-image", "none" ], "metadata": { "description": "Specifies the upgrade channel for auto upgrade. Allowed values include rapid, stable, patch, node-image, none." } }, "enablePrivateCluster": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create the cluster as a private cluster or not." } }, "privateDNSZone": { "type": "string", "defaultValue": "none", "metadata": { "description": "Specifies the Private DNS Zone mode for a private cluster. When the value is equal to None, a Public DNS Zone is used in place of a Private DNS Zone." } }, "enablePrivateClusterPublicFQDN": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to create an additional public FQDN for the private cluster or not." } }, "aadProfileManaged": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable managed AAD integration." } }, "aadProfileEnableAzureRBAC": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable Azure RBAC for Kubernetes authorization." } }, "systemAgentPoolName": { "type": "string", "defaultValue": "nodepool1", "metadata": { "description": "Specifies the unique name of the system node pool profile in the context of the subscription and resource group." } }, "systemAgentPoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the vm size of nodes in the system node pool." } }, "systemAgentPoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the OS Disk Size in GB to be used to specify the disk size for every machine in the system agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." 
} }, "systemAgentPoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "allowedValues": [ "Ephemeral", "Managed" ], "metadata": { "description": "Specifies the OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. - Managed or Ephemeral" } }, "systemAgentPoolAgentCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of agents (VMs) to host docker containers in the system node pool. Allowed values must be in the range of 1 to 100 (inclusive). The default value is 1." } }, "systemAgentPoolOsType": { "type": "string", "defaultValue": "Linux", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS type for the vms in the system node pool. Choose from Linux and Windows. Default to Linux." } }, "systemAgentPoolOsSKU": { "type": "string", "defaultValue": "Ubuntu", "allowedValues": [ "Ubuntu", "Windows2019", "Windows2022", "AzureLinux" ], "metadata": { "description": "Specifies the OS SKU used by the system agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated." } }, "systemAgentPoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods that can run on a node in the system node pool. The maximum number of pods per node in an AKS cluster is 250. The default maximum number of pods per node varies between kubenet and Azure CNI networking, and the method of cluster deployment." 
} }, "systemAgentPoolMaxCount": { "type": "int", "defaultValue": 5, "metadata": { "description": "Specifies the maximum number of nodes for auto-scaling for the system node pool." } }, "systemAgentPoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for auto-scaling for the system node pool." } }, "systemAgentPoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the system node pool." } }, "systemAgentPoolScaleSetPriority": { "type": "string", "defaultValue": "Regular", "allowedValues": [ "Spot", "Regular" ], "metadata": { "description": "Specifies the virtual machine scale set priority in the system node pool: Spot or Regular." } }, "systemAgentPoolScaleSetEvictionPolicy": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the ScaleSetEvictionPolicy to be used to specify eviction policy for spot virtual machine scale set. Default to Delete. Allowed values are Delete or Deallocate." } }, "systemAgentPoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the Agent pool node labels to be persisted across all nodes in the system node pool." } }, "systemAgentPoolNodeTaints": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." } }, "systemAgentPoolKubeletDiskType": { "type": "string", "defaultValue": "OS", "allowedValues": [ "OS", "Temporary" ], "metadata": { "description": "Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." 
} }, "systemAgentPoolType": { "type": "string", "defaultValue": "VirtualMachineScaleSets", "allowedValues": [ "VirtualMachineScaleSets", "AvailabilitySet" ], "metadata": { "description": "Specifies the type for the system node pool: VirtualMachineScaleSets or AvailabilitySet" } }, "systemAgentPoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent nodes in the system node pool. Requires VirtualMachineScaleSets as the node pool type." } }, "userAgentPoolName": { "type": "string", "defaultValue": "nodepool1", "metadata": { "description": "Specifies the unique name of the user node pool profile in the context of the subscription and resource group." } }, "userAgentPoolVmSize": { "type": "string", "defaultValue": "Standard_DS5_v2", "metadata": { "description": "Specifies the vm size of nodes in the user node pool." } }, "userAgentPoolOsDiskSizeGB": { "type": "int", "defaultValue": 100, "metadata": { "description": "Specifies the OS Disk Size in GB to be used to specify the disk size for every machine in the user agent pool. If you specify 0, it will apply the default osDisk size according to the vmSize specified." } }, "userAgentPoolOsDiskType": { "type": "string", "defaultValue": "Ephemeral", "allowedValues": [ "Ephemeral", "Managed" ], "metadata": { "description": "Specifies the OS disk type to be used for machines in a given agent pool. Allowed values are 'Ephemeral' and 'Managed'. If unspecified, defaults to 'Ephemeral' when the VM supports ephemeral OS and has a cache disk larger than the requested OSDiskSizeGB. Otherwise, defaults to 'Managed'. May not be changed after creation. - Managed or Ephemeral" } }, "userAgentPoolAgentCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the number of agents (VMs) to host docker containers in the user node pool. Allowed values must be in the range of 1 to 100 (inclusive). 
The default value is 1." } }, "userAgentPoolOsType": { "type": "string", "defaultValue": "Linux", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS type for the vms in the user node pool. Choose from Linux and Windows. Default to Linux." } }, "userAgentPoolOsSKU": { "type": "string", "defaultValue": "Ubuntu", "allowedValues": [ "Ubuntu", "Windows2019", "Windows2022", "AzureLinux" ], "metadata": { "description": "Specifies the OS SKU used by the user agent pool. If not specified, the default is Ubuntu if OSType=Linux or Windows2019 if OSType=Windows. And the default Windows OSSKU will be changed to Windows2022 after Windows2019 is deprecated." } }, "userAgentPoolMaxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods that can run on a node in the user node pool. The maximum number of pods per node in an AKS cluster is 250. The default maximum number of pods per node varies between kubenet and Azure CNI networking, and the method of cluster deployment." } }, "userAgentPoolMaxCount": { "type": "int", "defaultValue": 5, "metadata": { "description": "Specifies the maximum number of nodes for auto-scaling for the user node pool." } }, "userAgentPoolMinCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for auto-scaling for the user node pool." } }, "userAgentPoolEnableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the user node pool." } }, "userAgentPoolScaleSetPriority": { "type": "string", "defaultValue": "Regular", "allowedValues": [ "Spot", "Regular" ], "metadata": { "description": "Specifies the virtual machine scale set priority in the user node pool: Spot or Regular." 
} }, "userAgentPoolScaleSetEvictionPolicy": { "type": "string", "defaultValue": "Delete", "allowedValues": [ "Delete", "Deallocate" ], "metadata": { "description": "Specifies the ScaleSetEvictionPolicy to be used to specify the eviction policy for a spot virtual machine scale set. Defaults to Delete. Allowed values are Delete or Deallocate." } }, "userAgentPoolNodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the Agent pool node labels to be persisted across all nodes in the user node pool." } }, "userAgentPoolNodeTaints": { "type": "array", "defaultValue": [], "allowedValues": [ "OS", "Temporary" ], "metadata": { "description": "Specifies the taints added to new nodes during node pool create and scale. For example, key=value:NoSchedule." } }, "userAgentPoolKubeletDiskType": { "type": "string", "defaultValue": "OS", "metadata": { "description": "Determines the placement of emptyDir volumes, container runtime data root, and Kubelet ephemeral storage." } }, "userAgentPoolType": { "type": "string", "defaultValue": "VirtualMachineScaleSets", "allowedValues": [ "VirtualMachineScaleSets", "AvailabilitySet" ], "metadata": { "description": "Specifies the type for the user node pool: VirtualMachineScaleSets or AvailabilitySet" } }, "userAgentPoolAvailabilityZones": { "type": "array", "defaultValue": [ "1", "2", "3" ], "metadata": { "description": "Specifies the availability zones for the agent nodes in the user node pool. Requires VirtualMachineScaleSets as the node pool type." } }, "httpApplicationRoutingEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the httpApplicationRouting add-on is enabled or not." } }, "openServiceMeshEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Open Service Mesh add-on is enabled or not."
} }, "istioServiceMeshEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Istio Service Mesh add-on is enabled or not." } }, "istioIngressGatewayEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Istio Ingress Gateway is enabled or not." } }, "istioIngressGatewayType": { "type": "string", "defaultValue": "External", "allowedValues": [ "Internal", "External" ], "metadata": { "description": "Specifies the type of the Istio Ingress Gateway." } }, "kedaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Kubernetes Event-Driven Autoscaler (KEDA) add-on is enabled or not." } }, "daprEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Dapr extension is enabled or not." } }, "daprHaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Enable high availability (HA) mode for the Dapr control plane" } }, "fluxGitOpsEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Flux V2 extension is enabled or not." } }, "verticalPodAutoscalerEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the Vertical Pod Autoscaler is enabled or not." } }, "aciConnectorLinuxEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the aciConnectorLinux add-on is enabled or not." } }, "azurePolicyEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the azurepolicy add-on is enabled or not." } }, "azureKeyvaultSecretsProviderEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the Azure Key Vault Provider for Secrets Store CSI Driver addon is enabled or not." 
} }, "kubeDashboardEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the kubeDashboard add-on is enabled or not." } }, "podIdentityProfileEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether the pod identity addon is enabled.." } }, "oidcIssuerProfileEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether the OIDC issuer is enabled." } }, "autoScalerProfileScanInterval": { "type": "string", "defaultValue": "10s", "metadata": { "description": "Specifies the scan interval of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterAdd": { "type": "string", "defaultValue": "10m", "metadata": { "description": "Specifies the scale down delay after add of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterDelete": { "type": "string", "defaultValue": "20s", "metadata": { "description": "Specifies the scale down delay after delete of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownDelayAfterFailure": { "type": "string", "defaultValue": "3m", "metadata": { "description": "Specifies scale down delay after failure of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownUnneededTime": { "type": "string", "defaultValue": "10m", "metadata": { "description": "Specifies the scale down unneeded time of the auto-scaler of the AKS cluster." } }, "autoScalerProfileScaleDownUnreadyTime": { "type": "string", "defaultValue": "20m", "metadata": { "description": "Specifies the scale down unready time of the auto-scaler of the AKS cluster." } }, "autoScalerProfileUtilizationThreshold": { "type": "string", "defaultValue": "0.5", "metadata": { "description": "Specifies the utilization threshold of the auto-scaler of the AKS cluster." 
} }, "autoScalerProfileMaxGracefulTerminationSec": { "type": "string", "defaultValue": "600", "metadata": { "description": "Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } }, "blobCSIDriverEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable the Azure Blob CSI Driver. The default value is false." } }, "diskCSIDriverEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable the Azure Disk CSI Driver. The default value is true." } }, "fileCSIDriverEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable the Azure File CSI Driver. The default value is true." } }, "snapshotControllerEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable the Snapshot Controller. The default value is true." } }, "defenderSecurityMonitoringEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable Defender threat detection. The default value is false." } }, "imageCleanerEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable ImageCleaner on the AKS cluster. The default value is false." } }, "imageCleanerIntervalHours": { "type": "int", "defaultValue": 24, "metadata": { "description": "Specifies the ImageCleaner scanning interval in hours."
} }, "nodeRestrictionEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable Node Restriction. The default value is false." } }, "workloadIdentityEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to enable Workload Identity. The default value is false." } }, "applicationGatewayEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to create the Application Gateway and enable the Application Gateway Ingress Controller or not." } }, "applicationGatewayId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Azure Application Gateway." } }, "applicationGatewayManagedIdentityPrincipalId": { "type": "string", "metadata": { "description": "Specifies the principal id of the managed identity of the Azure Application Gateway." } }, "keyVaultName": { "type": "string", "metadata": { "description": "Specifies the name of the Key Vault resource." } }, "prometheusAndGrafanaEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to create Azure Monitor managed service for Prometheus and Azure Managed Grafana resources or not." } }, "metricAnnotationsAllowList": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies a comma-separated list of additional Kubernetes label keys that will be used in the resource labels metric." } }, "metricLabelsAllowlist": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource labels metric." } }, "openAiEnabled": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to create an Azure OpenAI Service resource or not."
} }, "letterCaseType": { "type": "string", "defaultValue": "UpperCamelCase", "allowedValues": [ "CamelCase", "UpperCamelCase", "KebabCase" ], "metadata": { "description": "Specifies whether name resources are in CamelCase, UpperCamelCase, or KebabCase." } }, "namespace": { "type": "string", "defaultValue": "magic8ball", "metadata": { "description": "Specifies the namespace of the application." } }, "serviceAccountName": { "type": "string", "defaultValue": "magic8ball-sa", "metadata": { "description": "Specifies the service account of the application." } }, "userId": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the object id of an Azure Active Directory user. In general, this the object id of the system administrator who deploys the Azure resources." } } }, "variables": { "copy": [ { "name": "logs", "count": "[length(variables('logCategories'))]", "input": { "category": "[variables('logCategories')[copyIndex('logs')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } }, { "name": "metrics", "count": "[length(variables('metricCategories'))]", "input": { "category": "[variables('metricCategories')[copyIndex('metrics')]]", "enabled": true, "retentionPolicy": { "enabled": true, "days": 0 } } } ], "diagnosticSettingsName": "diagnosticSettings", "logCategories": [ "kube-apiserver", "kube-audit", "kube-audit-admin", "kube-controller-manager", "kube-scheduler", "cluster-autoscaler", "cloud-controller-manager", "guard", "csi-azuredisk-controller", "csi-azurefile-controller", "csi-snapshot-controller" ], "metricCategories": [ "AllMetrics" ] }, "resources": [ { "type": "Microsoft.ContainerService/managedClusters", "apiVersion": "2023-06-02-preview", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "Base", "tier": "[parameters('skuTier')]" }, "identity": { "type": "UserAssigned", "userAssignedIdentities": { "[format('{0}', 
resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')))]": {} } }, "properties": { "kubernetesVersion": "[parameters('kubernetesVersion')]", "dnsPrefix": "[parameters('dnsPrefix')]", "agentPoolProfiles": [ { "name": "[toLower(parameters('systemAgentPoolName'))]", "count": "[parameters('systemAgentPoolAgentCount')]", "vmSize": "[parameters('systemAgentPoolVmSize')]", "vnetSubnetID": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('systemAgentPoolSubnetName'))]", "podSubnetID": "[if(equals(parameters('networkPluginMode'), 'Overlay'), null(), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('podSubnetName')))]", "maxPods": "[parameters('systemAgentPoolMaxPods')]", "osDiskSizeGB": "[parameters('systemAgentPoolOsDiskSizeGB')]", "osDiskType": "[parameters('systemAgentPoolOsDiskType')]", "osSKU": "[parameters('systemAgentPoolOsSKU')]", "osType": "[parameters('systemAgentPoolOsType')]", "maxCount": "[parameters('systemAgentPoolMaxCount')]", "minCount": "[parameters('systemAgentPoolMinCount')]", "scaleSetPriority": "[parameters('systemAgentPoolScaleSetPriority')]", "scaleSetEvictionPolicy": "[parameters('systemAgentPoolScaleSetEvictionPolicy')]", "enableAutoScaling": "[parameters('systemAgentPoolEnableAutoScaling')]", "mode": "System", "type": "[parameters('systemAgentPoolType')]", "availabilityZones": "[parameters('systemAgentPoolAvailabilityZones')]", "nodeLabels": "[parameters('systemAgentPoolNodeLabels')]", "nodeTaints": "[parameters('systemAgentPoolNodeTaints')]", "kubeletDiskType": "[parameters('systemAgentPoolKubeletDiskType')]" }, { "name": "[toLower(parameters('userAgentPoolName'))]", "count": "[parameters('userAgentPoolAgentCount')]", "vmSize": "[parameters('userAgentPoolVmSize')]", "vnetSubnetID": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), 
parameters('userAgentPoolSubnetName'))]", "podSubnetID": "[if(equals(parameters('networkPluginMode'), 'Overlay'), null(), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('podSubnetName')))]", "maxPods": "[parameters('userAgentPoolMaxPods')]", "osDiskSizeGB": "[parameters('userAgentPoolOsDiskSizeGB')]", "osDiskType": "[parameters('userAgentPoolOsDiskType')]", "osSKU": "[parameters('userAgentPoolOsSKU')]", "osType": "[parameters('userAgentPoolOsType')]", "maxCount": "[parameters('userAgentPoolMaxCount')]", "minCount": "[parameters('userAgentPoolMinCount')]", "scaleSetPriority": "[parameters('userAgentPoolScaleSetPriority')]", "scaleSetEvictionPolicy": "[parameters('userAgentPoolScaleSetEvictionPolicy')]", "enableAutoScaling": "[parameters('userAgentPoolEnableAutoScaling')]", "mode": "User", "type": "[parameters('userAgentPoolType')]", "availabilityZones": "[parameters('userAgentPoolAvailabilityZones')]", "nodeLabels": "[parameters('userAgentPoolNodeLabels')]", "nodeTaints": "[parameters('userAgentPoolNodeTaints')]", "kubeletDiskType": "[parameters('userAgentPoolKubeletDiskType')]" } ], "linuxProfile": { "adminUsername": "[parameters('adminUsername')]", "ssh": { "publicKeys": [ { "keyData": "[parameters('sshPublicKey')]" } ] } }, "addonProfiles": { "ingressApplicationGateway": "[if(parameters('applicationGatewayEnabled'), createObject('config', createObject('applicationGatewayId', if(parameters('applicationGatewayEnabled'), parameters('applicationGatewayId'), null())), 'enabled', true()), createObject('enabled', false()))]", "httpApplicationRouting": { "enabled": "[parameters('httpApplicationRoutingEnabled')]" }, "openServiceMesh": { "enabled": "[parameters('openServiceMeshEnabled')]", "config": {} }, "omsagent": { "enabled": true, "config": { "logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]" } }, "aciConnectorLinux": { "enabled": "[parameters('aciConnectorLinuxEnabled')]" }, "azurepolicy": { 
"enabled": "[parameters('azurePolicyEnabled')]", "config": { "version": "v2" } }, "kubeDashboard": { "enabled": "[parameters('kubeDashboardEnabled')]" }, "azureKeyvaultSecretsProvider": { "config": { "enableSecretRotation": "false" }, "enabled": "[parameters('azureKeyvaultSecretsProviderEnabled')]" } }, "podIdentityProfile": { "enabled": "[parameters('podIdentityProfileEnabled')]" }, "oidcIssuerProfile": { "enabled": "[parameters('oidcIssuerProfileEnabled')]" }, "enableRBAC": true, "networkProfile": { "networkPlugin": "[parameters('networkPlugin')]", "networkPluginMode": "[if(equals(parameters('networkPlugin'), 'azure'), parameters('networkPluginMode'), '')]", "networkPolicy": "[parameters('networkPolicy')]", "podCidr": "[if(or(equals(parameters('networkPlugin'), 'kubenet'), equals(parameters('networkPluginMode'), 'Overlay')), parameters('podCidr'), null())]", "serviceCidr": "[parameters('serviceCidr')]", "dnsServiceIP": "[parameters('dnsServiceIP')]", "outboundType": "[parameters('outboundType')]", "loadBalancerSku": "[parameters('loadBalancerSku')]", "monitoring": "[if(parameters('monitoringEnabled'), createObject('enabled', true()), null())]", "loadBalancerProfile": null, "ipFamilies": "[parameters('ipFamilies')]" }, "workloadAutoScalerProfile": { "keda": { "enabled": "[parameters('kedaEnabled')]" }, "verticalPodAutoscaler": { "controlledValues": "RequestsAndLimits", "enabled": "[parameters('verticalPodAutoscalerEnabled')]", "updateMode": "Off" } }, "aadProfile": { "clientAppID": null, "serverAppID": null, "serverAppSecret": null, "managed": "[parameters('aadProfileManaged')]", "enableAzureRBAC": "[parameters('aadProfileEnableAzureRBAC')]", "adminGroupObjectIDs": "[parameters('aadProfileAdminGroupObjectIDs')]", "tenantID": "[parameters('aadProfileTenantId')]" }, "autoUpgradeProfile": { "nodeOSUpgradeChannel": "[parameters('nodeOSUpgradeChannel')]", "upgradeChannel": "[parameters('upgradeChannel')]" }, "azureMonitorProfile": { "metrics": { "enabled": 
"[parameters('prometheusAndGrafanaEnabled')]", "kubeStateMetrics": { "metricAnnotationsAllowList": "[parameters('metricAnnotationsAllowList')]", "metricLabelsAllowlist": "[parameters('metricLabelsAllowlist')]" } } }, "autoScalerProfile": { "scan-interval": "[parameters('autoScalerProfileScanInterval')]", "scale-down-delay-after-add": "[parameters('autoScalerProfileScaleDownDelayAfterAdd')]", "scale-down-delay-after-delete": "[parameters('autoScalerProfileScaleDownDelayAfterDelete')]", "scale-down-delay-after-failure": "[parameters('autoScalerProfileScaleDownDelayAfterFailure')]", "scale-down-unneeded-time": "[parameters('autoScalerProfileScaleDownUnneededTime')]", "scale-down-unready-time": "[parameters('autoScalerProfileScaleDownUnreadyTime')]", "scale-down-utilization-threshold": "[parameters('autoScalerProfileUtilizationThreshold')]", "max-graceful-termination-sec": "[parameters('autoScalerProfileMaxGracefulTerminationSec')]" }, "apiServerAccessProfile": { "enablePrivateCluster": "[parameters('enablePrivateCluster')]", "enableVnetIntegration": "[parameters('enableVnetIntegration')]", "privateDNSZone": "[if(parameters('enablePrivateCluster'), parameters('privateDNSZone'), null())]", "enablePrivateClusterPublicFQDN": "[parameters('enablePrivateClusterPublicFQDN')]", "subnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('apiServerSubnetName'))]" }, "securityProfile": { "defender": { "logAnalyticsWorkspaceResourceId": "[parameters('workspaceId')]", "securityMonitoring": { "enabled": "[parameters('defenderSecurityMonitoringEnabled')]" } }, "imageCleaner": { "enabled": "[parameters('imageCleanerEnabled')]", "intervalHours": "[parameters('imageCleanerIntervalHours')]" }, "nodeRestriction": { "enabled": "[parameters('nodeRestrictionEnabled')]" }, "workloadIdentity": { "enabled": "[parameters('workloadIdentityEnabled')]" } }, "serviceMeshProfile": "[if(parameters('istioServiceMeshEnabled'), 
createObject('istio', createObject('components', createObject('ingressGateways', if(parameters('istioIngressGatewayEnabled'), createArray(createObject('enabled', true(), 'mode', parameters('istioIngressGatewayType'))), null()))), 'mode', 'Istio'), null())]", "storageProfile": { "blobCSIDriver": { "enabled": "[parameters('blobCSIDriverEnabled')]" }, "diskCSIDriver": { "enabled": "[parameters('diskCSIDriverEnabled')]" }, "fileCSIDriver": { "enabled": "[parameters('fileCSIDriverEnabled')]" }, "snapshotController": { "enabled": "[parameters('snapshotControllerEnabled')]" } } } }, { "condition": "[not(empty(parameters('userId')))]", "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), parameters('userId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b')]", "principalType": "User", "principalId": "[parameters('userId')]" }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" ] }, { "condition": "[not(empty(parameters('userId')))]", "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), parameters('userId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", "principalType": "User", "principalId": "[parameters('userId')]" }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" ] }, { "condition": "[parameters('applicationGatewayEnabled')]", "type": 
"Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), parameters('applicationGatewayManagedIdentityPrincipalId'), 'managedIdentityOperator')]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", "principalType": "ServicePrincipal", "principalId": "[if(parameters('applicationGatewayEnabled'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles.ingressApplicationGateway.identity.objectId, '')]" }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" ] }, { "condition": "[parameters('applicationGatewayEnabled')]", "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "name": "[guid(resourceGroup().id, 'ApplicationGateway', 'contributor')]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "principalType": "ServicePrincipal", "principalId": "[if(parameters('applicationGatewayEnabled'), reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles.ingressApplicationGateway.identity.objectId, '')]" }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" ] }, { "condition": "[parameters('applicationGatewayEnabled')]", "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "name": "[guid(resourceGroup().id, 'ApplicationGateway', 'reader')]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", "principalType": "ServicePrincipal", "principalId": "[if(parameters('applicationGatewayEnabled'), 
reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles.ingressApplicationGateway.identity.objectId, '')]" }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" ] }, { "condition": "[parameters('applicationGatewayEnabled')]", "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('keyVaultName'))]", "name": "[guid(resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName')), 'ApplicationGateway', 'keyVaultSecretsUser')]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", "principalType": "ServicePrincipal", "principalId": "[parameters('applicationGatewayManagedIdentityPrincipalId')]" } }, { "condition": "[parameters('azureKeyvaultSecretsProviderEnabled')]", "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('keyVaultName'))]", "name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), 'CSIDriver', subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]", "principalType": "ServicePrincipal", "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles.azureKeyvaultSecretsProvider.identity.objectId]" }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" ] }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", 
"name": "[guid(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), 'omsagent', subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", "principalId": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').addonProfiles.omsagent.identity.objectId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" ] }, { "condition": "[parameters('openAiEnabled')]", "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2023-01-31", "name": "[parameters('workloadManagedIdentityName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, { "condition": "[parameters('openAiEnabled')]", "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('workloadManagedIdentityName')), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('workloadManagedIdentityName')), '2023-01-31').principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('workloadManagedIdentityName'))]" ] }, { "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials", "apiVersion": "2023-01-31", "name": "[format('{0}/{1}', parameters('workloadManagedIdentityName'), 
if(equals(parameters('letterCaseType'), 'UpperCamelCase'), format('{0}{1}FederatedIdentity', toUpper(first(parameters('namespace'))), toLower(substring(parameters('namespace'), 1, sub(length(parameters('namespace')), 1)))), if(equals(parameters('letterCaseType'), 'CamelCase'), format('{0}FederatedIdentity', toLower(parameters('namespace'))), format('{0}-federated-identity', toLower(parameters('namespace'))))))]", "properties": { "issuer": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').oidcIssuerProfile.issuerURL]", "subject": "[format('system:serviceaccount:{0}:{1}', parameters('namespace'), parameters('serviceAccountName'))]", "audiences": [ "api://AzureADTokenExchange" ] }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]", "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('workloadManagedIdentityName'))]" ] }, { "condition": "[parameters('daprEnabled')]", "type": "Microsoft.KubernetesConfiguration/extensions", "apiVersion": "2022-04-02-preview", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", "name": "dapr", "properties": { "extensionType": "Microsoft.Dapr", "autoUpgradeMinorVersion": true, "releaseTrain": "Stable", "configurationSettings": { "global.ha.enabled": "[format('{0}', parameters('daprHaEnabled'))]" }, "scope": { "cluster": { "releaseNamespace": "dapr-system" } }, "configurationProtectedSettings": {} }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" ] }, { "condition": "[parameters('fluxGitOpsEnabled')]", "type": "Microsoft.KubernetesConfiguration/extensions", "apiVersion": "2022-04-02-preview", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", "name": "flux", "properties": { "extensionType": "microsoft.flux", "autoUpgradeMinorVersion": true, "releaseTrain": "Stable", "scope": { 
"cluster": { "releaseNamespace": "flux-system" } }, "configurationProtectedSettings": {} }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]", "[extensionResourceId(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), 'Microsoft.KubernetesConfiguration/extensions', 'dapr')]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('name'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('logs')]", "metrics": "[variables('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" }, "issuerUrl": { "type": "string", "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('name')), '2023-06-02-preview').oidcIssuerProfile.issuerURL]" }, "workloadManagedIdentityClientId": { "type": "string", "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('workloadManagedIdentityName')), '2023-01-31').clientId]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksManageIdentity')]", "[resourceId('Microsoft.Resources/deployments', 'applicationGateway')]", "[resourceId('Microsoft.Resources/deployments', 'keyVault')]", "[resourceId('Microsoft.Resources/deployments', 'network')]", "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] }, { "condition": "[parameters('windowsAgentPoolEnabled')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "windowsNodePool", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": 
"Incremental", "parameters": { "name": { "value": "[parameters('windowsAgentPoolName')]" }, "mode": { "value": "[parameters('windowsAgentPoolMode')]" }, "aksClusterName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.name.value]" }, "count": { "value": "[parameters('windowsAgentPoolCount')]" }, "minCount": { "value": "[parameters('windowsAgentPoolMinCount')]" }, "maxCount": { "value": "[parameters('windowsAgentPoolMaxCount')]" }, "enableAutoScaling": { "value": "[parameters('windowsAgentPoolEnableAutoScaling')]" }, "maxPods": { "value": "[parameters('windowsAgentPoolMaxPods')]" }, "osDiskSizeGB": { "value": "[parameters('windowsAgentPoolOsDiskSizeGB')]" }, "osDiskType": { "value": "[parameters('windowsAgentPoolOsDiskType')]" }, "osSKU": { "value": "[parameters('windowsAgentPoolOsSKU')]" }, "osType": { "value": "[parameters('windowsAgentPoolOsType')]" }, "nodeTaints": { "value": "[parameters('windowsAgentPoolNodeTaints')]" }, "nodeLabels": { "value": "[parameters('windowsAgentPoolNodeLabels')]" }, "availabilityZones": { "value": "[parameters('windowsAgentPoolAvailabilityZones')]" }, "vmSize": { "value": "[parameters('windowsAgentPoolVmSize')]" }, "virtualNetworkName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network'), '2022-09-01').outputs.virtualNetworkName.value]" }, "vnetSubnetName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network'), '2022-09-01').outputs.windowsAgentPoolSubnetName.value]" }, "podSubnetName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'network'), '2022-09-01').outputs.podSubnetName.value]" }, "enableNodePublicIP": { "value": "[parameters('windowsAgentPoolEnableNodePublicIP')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", 
"templateHash": "2589032127414940734" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of the agent pool." } }, "mode": { "type": "string", "defaultValue": "User", "allowedValues": [ "System", "User" ], "metadata": { "description": "Specifies the mode of the agent pool." } }, "aksClusterName": { "type": "string", "defaultValue": "[format('aks-{0}', uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the name of the AKS cluster." } }, "availabilityZones": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the availability zones for the agent pool." } }, "osDiskType": { "type": "string", "metadata": { "description": "Specifies the OS disk type of the agent pool." } }, "vmSize": { "type": "string", "metadata": { "description": "Specifies the VM sku of the agent nodes." } }, "osDiskSizeGB": { "type": "int", "defaultValue": 0, "metadata": { "description": "Specifies the disk size in GB of the agent nodes." } }, "enableAutoScaling": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether to enable auto-scaling for the agent pool." } }, "count": { "type": "int", "defaultValue": 1, "metadata": { "description": "Specifies the number of agents for the user agent pool." } }, "minCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the minimum number of nodes for the user agent pool." } }, "maxCount": { "type": "int", "defaultValue": 3, "metadata": { "description": "Specifies the maximum number of nodes for the user agent pool." } }, "maxPods": { "type": "int", "defaultValue": 30, "metadata": { "description": "Specifies the maximum number of pods per node." } }, "nodeTaints": { "type": "array", "defaultValue": [], "metadata": { "description": "Specifies the taints that should be applied to the agent pool." 
} }, "nodeLabels": { "type": "object", "defaultValue": {}, "metadata": { "description": "Specifies the labels that should be applied to the agent pool." } }, "osType": { "type": "string", "allowedValues": [ "Linux", "Windows" ], "metadata": { "description": "Specifies the OS Type for the agent pool." } }, "osSKU": { "type": "string", "allowedValues": [ "Ubuntu", "Windows2019", "Windows2022", "AzureLinux" ] }, "enableNodePublicIP": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to assign a public IP per agent node." } }, "virtualNetworkName": { "type": "string", "metadata": { "description": "Specifies the name of the existing virtual network." } }, "vnetSubnetName": { "type": "string", "metadata": { "description": "Specifies the name of the subnet hosting the agent nodes of the agent pool." } }, "podSubnetName": { "type": "string", "metadata": { "description": "Specifies the name of the subnet hosting the pods running on the agent pool." } } }, "resources": [ { "type": "Microsoft.ContainerService/managedClusters/agentPools", "apiVersion": "2023-06-02-preview", "name": "[format('{0}/{1}', parameters('aksClusterName'), parameters('name'))]", "properties": { "mode": "[parameters('mode')]", "vmSize": "[parameters('vmSize')]", "count": "[parameters('count')]", "minCount": "[parameters('minCount')]", "maxCount": "[parameters('maxCount')]", "enableAutoScaling": "[parameters('enableAutoScaling')]", "availabilityZones": "[if(not(empty(parameters('availabilityZones'))), parameters('availabilityZones'), null())]", "osDiskSizeGB": "[parameters('osDiskSizeGB')]", "osDiskType": "[parameters('osDiskType')]", "osSKU": "[parameters('osSKU')]", "osType": "[parameters('osType')]", "maxPods": "[parameters('maxPods')]", "type": "VirtualMachineScaleSets", "vnetSubnetID": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('vnetSubnetName'))]", "podSubnetID": 
"[if(not(empty(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('podSubnetName')))), resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('podSubnetName')), null())]", "nodeTaints": "[parameters('nodeTaints')]", "nodeLabels": "[parameters('nodeLabels')]", "enableNodePublicIP": "[parameters('enableNodePublicIP')]" } } ], "outputs": { "name": { "type": "string", "value": "[parameters('name')]" }, "id": { "type": "string", "value": "[resourceId('Microsoft.ContainerService/managedClusters/agentPools', parameters('aksClusterName'), parameters('name'))]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]", "[resourceId('Microsoft.Resources/deployments', 'network')]" ] }, { "condition": "[parameters('actionGroupEnabled')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "actionGroup", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('actionGroupName')]" }, "enabled": { "value": "[parameters('actionGroupEnabled')]" }, "groupShortName": { "value": "[parameters('actionGroupShortName')]" }, "emailAddress": { "value": "[parameters('actionGroupEmailAddress')]" }, "useCommonAlertSchema": { "value": "[parameters('actionGroupUseCommonAlertSchema')]" }, "countryCode": { "value": "[parameters('actionGroupCountryCode')]" }, "phoneNumber": { "value": "[parameters('actionGroupPhoneNumber')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "18203783553561964336" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of the Action Group resource." 
} }, "groupShortName": { "type": "string", "defaultValue": "AksAlerts", "metadata": { "description": "Specifies the short name of the action group. This will be used in SMS messages." } }, "enabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether this action group is enabled. If an action group is not enabled, then none of its receivers will receive communications." } }, "emailAddress": { "type": "string", "metadata": { "description": "Specifies the email address of the receiver." } }, "useCommonAlertSchema": { "type": "bool", "defaultValue": false, "metadata": { "description": "Specifies whether to use the common alert schema." } }, "countryCode": { "type": "string", "defaultValue": "39", "metadata": { "description": "Specifies the country code of the SMS receiver." } }, "phoneNumber": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the phone number of the SMS receiver." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} } }, "resources": [ { "type": "Microsoft.Insights/actionGroups", "apiVersion": "2023-01-01", "name": "[parameters('name')]", "location": "Global", "tags": "[parameters('tags')]", "properties": { "groupShortName": "[parameters('groupShortName')]", "enabled": "[parameters('enabled')]", "emailReceivers": "[if(not(empty(parameters('emailAddress'))), createArray(createObject('name', 'EmailAndTextMessageOthers_-EmailAction-', 'emailAddress', parameters('emailAddress'), 'useCommonAlertSchema', parameters('useCommonAlertSchema'))), createArray())]", "smsReceivers": "[if(and(not(empty(parameters('countryCode'))), not(empty(parameters('phoneNumber')))), createArray(createObject('name', 'EmailAndTextMessageOthers_-SMSAction-', 'countryCode', parameters('countryCode'), 'phoneNumber', parameters('phoneNumber'))), createArray())]", "armRoleReceivers": [ { "name": "EmailOwner", "roleId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", "useCommonAlertSchema": false } ] } } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.Insights/actionGroups', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } } }, { "condition": "[parameters('prometheusAndGrafanaEnabled')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "managedPrometheus", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('prometheusName')]" }, "publicNetworkAccess": { "value": "[parameters('prometheusPublicNetworkAccess')]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" }, "clusterName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.name.value]" }, "actionGroupId": "[if(parameters('actionGroupEnabled'), createObject('value', reference(resourceId('Microsoft.Resources/deployments', 'actionGroup'), '2022-09-01').outputs.id.value), 
createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "10649822764561370768" } }, "parameters": { "name": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Monitor managed service for Prometheus resource." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location of the Azure Monitor managed service for Prometheus resource." } }, "clusterName": { "type": "string", "metadata": { "description": "Specifies the name of the AKS cluster." } }, "publicNetworkAccess": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether or not public endpoint access is allowed for the Azure Monitor managed service for Prometheus resource." } }, "actionGroupId": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the resource id of an Action Group resource. If empty, no action is specified for metric alerts." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags for the Azure Monitor managed service for Prometheus resource." 
} } }, "variables": { "nodeRecordingRuleGroupPrefix": "NodeRecordingRulesRuleGroup-", "nodeRecordingRuleGroupName": "[format('{0}{1}', variables('nodeRecordingRuleGroupPrefix'), parameters('clusterName'))]", "nodeRecordingRuleGroupDescription": "Node Recording Rules RuleGroup", "kubernetesRecordingRuleGrouPrefix": "KubernetesRecordingRulesRuleGroup-", "kubernetesRecordingRuleGroupName": "[format('{0}{1}', variables('kubernetesRecordingRuleGrouPrefix'), parameters('clusterName'))]", "kubernetesRecordingRuleGroupDescription": "Kubernetes Recording Rules RuleGroup", "nodeRecordingRuleGroupWin": "NodeRecordingRulesRuleGroup-Win-", "nodeAndKubernetesRecordingRuleGroupWin": "NodeAndKubernetesRecordingRulesRuleGroup-Win-", "nodeRecordingRuleGroupNameWinName": "[format('{0}{1}', variables('nodeRecordingRuleGroupWin'), parameters('clusterName'))]", "nodeAndKubernetesRecordingRuleGroupWinName": "[format('{0}{1}', variables('nodeAndKubernetesRecordingRuleGroupWin'), parameters('clusterName'))]", "RecordingRuleGroupDescriptionWin": "Recording Rules RuleGroup for Win", "version": " - 0.1" }, "resources": [ { "type": "Microsoft.Monitor/accounts", "apiVersion": "2023-04-03", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Insights/dataCollectionEndpoints", "apiVersion": "2022-06-01", "name": "[format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName'))]", "location": "[parameters('location')]", "kind": "Linux", "tags": "[parameters('tags')]", "properties": { "networkAcls": { "publicNetworkAccess": "[parameters('publicNetworkAccess')]" } } }, { "type": "Microsoft.Insights/dataCollectionRules", "apiVersion": "2022-06-01", "name": "[format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', 
format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName')))]", "dataSources": { "prometheusForwarder": [ { "name": "PrometheusDataSource", "streams": [ "Microsoft-PrometheusMetrics" ], "labelIncludeFilter": {} } ] }, "destinations": { "monitoringAccounts": [ { "accountResourceId": "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]", "name": "MonitoringAccount1" } ] }, "dataFlows": [ { "streams": [ "Microsoft-PrometheusMetrics" ], "destinations": [ "MonitoringAccount1" ] } ] }, "dependsOn": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]", "[resourceId('Microsoft.Insights/dataCollectionEndpoints', format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName')))]" ] }, { "type": "Microsoft.Insights/dataCollectionRuleAssociations", "apiVersion": "2022-06-01", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", "name": "[format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName'))]", "properties": { "dataCollectionRuleId": "[resourceId('Microsoft.Insights/dataCollectionRules', format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName')))]", "description": "Association of data collection rule. Deleting this association will break the data collection for this AKS Cluster." 
}, "dependsOn": [ "[resourceId('Microsoft.Insights/dataCollectionRules', format('MSProm-{0}-{1}', parameters('location'), parameters('clusterName')))]" ] }, { "type": "Microsoft.AlertsManagement/prometheusRuleGroups", "apiVersion": "2023-03-01", "name": "[variables('nodeRecordingRuleGroupName')]", "location": "[parameters('location')]", "properties": { "description": "[format('{0}{1}', variables('nodeRecordingRuleGroupDescription'), variables('version'))]", "scopes": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ], "enabled": true, "clusterName": "[parameters('clusterName')]", "interval": "PT1M", "rules": [ { "record": "instance:node_num_cpu:sum", "expression": "count without (cpu, mode) ( node_cpu_seconds_total{job=\"node\",mode=\"idle\"})" }, { "record": "instance:node_cpu_utilisation:rate5m", "expression": "1 - avg without (cpu) ( sum without (mode) (rate(node_cpu_seconds_total{job=\"node\", mode=~\"idle|iowait|steal\"}[5m])))" }, { "record": "instance:node_load1_per_cpu:ratio", "expression": "( node_load1{job=\"node\"}/ instance:node_num_cpu:sum{job=\"node\"})" }, { "record": "instance:node_memory_utilisation:ratio", "expression": "1 - ( ( node_memory_MemAvailable_bytes{job=\"node\"} or ( node_memory_Buffers_bytes{job=\"node\"} + node_memory_Cached_bytes{job=\"node\"} + node_memory_MemFree_bytes{job=\"node\"} + node_memory_Slab_bytes{job=\"node\"} ) )/ node_memory_MemTotal_bytes{job=\"node\"})" }, { "record": "instance:node_vmstat_pgmajfault:rate5m", "expression": "rate(node_vmstat_pgmajfault{job=\"node\"}[5m])" }, { "record": "instance_device:node_disk_io_time_seconds:rate5m", "expression": "rate(node_disk_io_time_seconds_total{job=\"node\", device!=\"\"}[5m])" }, { "record": "instance_device:node_disk_io_time_weighted_seconds:rate5m", "expression": "rate(node_disk_io_time_weighted_seconds_total{job=\"node\", device!=\"\"}[5m])" }, { "record": "instance:node_network_receive_bytes_excluding_lo:rate5m", "expression": "sum without (device) ( 
rate(node_network_receive_bytes_total{job=\"node\", device!=\"lo\"}[5m]))" }, { "record": "instance:node_network_transmit_bytes_excluding_lo:rate5m", "expression": "sum without (device) ( rate(node_network_transmit_bytes_total{job=\"node\", device!=\"lo\"}[5m]))" }, { "record": "instance:node_network_receive_drop_excluding_lo:rate5m", "expression": "sum without (device) ( rate(node_network_receive_drop_total{job=\"node\", device!=\"lo\"}[5m]))" }, { "record": "instance:node_network_transmit_drop_excluding_lo:rate5m", "expression": "sum without (device) ( rate(node_network_transmit_drop_total{job=\"node\", device!=\"lo\"}[5m]))" } ] }, "dependsOn": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ] }, { "type": "Microsoft.AlertsManagement/prometheusRuleGroups", "apiVersion": "2023-03-01", "name": "[variables('kubernetesRecordingRuleGroupName')]", "location": "[parameters('location')]", "properties": { "description": "[format('{0}{1}', variables('kubernetesRecordingRuleGroupDescription'), variables('version'))]", "scopes": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ], "enabled": true, "clusterName": "[parameters('clusterName')]", "interval": "PT1M", "rules": [ { "record": "node_namespace_pod_container:container_cpu_usage_seconds_total:sum_irate", "expression": "sum by (cluster, namespace, pod, container) ( irate(container_cpu_usage_seconds_total{job=\"cadvisor\", image!=\"\"}[5m])) * on (cluster, namespace, pod) group_left(node) topk by (cluster, namespace, pod) ( 1, max by(cluster, namespace, pod, node) (kube_pod_info{node!=\"\"}))" }, { "record": "node_namespace_pod_container:container_memory_working_set_bytes", "expression": "container_memory_working_set_bytes{job=\"cadvisor\", image!=\"\"}* on (namespace, pod) group_left(node) topk by(namespace, pod) (1, max by(namespace, pod, node) (kube_pod_info{node!=\"\"}))" }, { "record": "node_namespace_pod_container:container_memory_rss", "expression": 
"container_memory_rss{job=\"cadvisor\", image!=\"\"}* on (namespace, pod) group_left(node) topk by(namespace, pod) (1, max by(namespace, pod, node) (kube_pod_info{node!=\"\"}))" }, { "record": "node_namespace_pod_container:container_memory_cache", "expression": "container_memory_cache{job=\"cadvisor\", image!=\"\"}* on (namespace, pod) group_left(node) topk by(namespace, pod) (1, max by(namespace, pod, node) (kube_pod_info{node!=\"\"}))" }, { "record": "node_namespace_pod_container:container_memory_swap", "expression": "container_memory_swap{job=\"cadvisor\", image!=\"\"}* on (namespace, pod) group_left(node) topk by(namespace, pod) (1, max by(namespace, pod, node) (kube_pod_info{node!=\"\"}))" }, { "record": "cluster:namespace:pod_memory:active:kube_pod_container_resource_requests", "expression": "kube_pod_container_resource_requests{resource=\"memory\",job=\"kube-state-metrics\"} * on (namespace, pod, cluster)group_left() max by (namespace, pod, cluster) ( (kube_pod_status_phase{phase=~\"Pending|Running\"} == 1))" }, { "record": "namespace_memory:kube_pod_container_resource_requests:sum", "expression": "sum by (namespace, cluster) ( sum by (namespace, pod, cluster) ( max by (namespace, pod, container, cluster) ( kube_pod_container_resource_requests{resource=\"memory\",job=\"kube-state-metrics\"} ) * on(namespace, pod, cluster) group_left() max by (namespace, pod, cluster) ( kube_pod_status_phase{phase=~\"Pending|Running\"} == 1 ) ))" }, { "record": "cluster:namespace:pod_cpu:active:kube_pod_container_resource_requests", "expression": "kube_pod_container_resource_requests{resource=\"cpu\",job=\"kube-state-metrics\"} * on (namespace, pod, cluster)group_left() max by (namespace, pod, cluster) ( (kube_pod_status_phase{phase=~\"Pending|Running\"} == 1))" }, { "record": "namespace_cpu:kube_pod_container_resource_requests:sum", "expression": "sum by (namespace, cluster) ( sum by (namespace, pod, cluster) ( max by (namespace, pod, container, cluster) ( 
kube_pod_container_resource_requests{resource=\"cpu\",job=\"kube-state-metrics\"} ) * on(namespace, pod, cluster) group_left() max by (namespace, pod, cluster) ( kube_pod_status_phase{phase=~\"Pending|Running\"} == 1 ) ))" }, { "record": "cluster:namespace:pod_memory:active:kube_pod_container_resource_limits", "expression": "kube_pod_container_resource_limits{resource=\"memory\",job=\"kube-state-metrics\"} * on (namespace, pod, cluster)group_left() max by (namespace, pod, cluster) ( (kube_pod_status_phase{phase=~\"Pending|Running\"} == 1))" }, { "record": "namespace_memory:kube_pod_container_resource_limits:sum", "expression": "sum by (namespace, cluster) ( sum by (namespace, pod, cluster) ( max by (namespace, pod, container, cluster) ( kube_pod_container_resource_limits{resource=\"memory\",job=\"kube-state-metrics\"} ) * on(namespace, pod, cluster) group_left() max by (namespace, pod, cluster) ( kube_pod_status_phase{phase=~\"Pending|Running\"} == 1 ) ))" }, { "record": "cluster:namespace:pod_cpu:active:kube_pod_container_resource_limits", "expression": "kube_pod_container_resource_limits{resource=\"cpu\",job=\"kube-state-metrics\"} * on (namespace, pod, cluster)group_left() max by (namespace, pod, cluster) ( (kube_pod_status_phase{phase=~\"Pending|Running\"} == 1) )" }, { "record": "namespace_cpu:kube_pod_container_resource_limits:sum", "expression": "sum by (namespace, cluster) ( sum by (namespace, pod, cluster) ( max by (namespace, pod, container, cluster) ( kube_pod_container_resource_limits{resource=\"cpu\",job=\"kube-state-metrics\"} ) * on(namespace, pod, cluster) group_left() max by (namespace, pod, cluster) ( kube_pod_status_phase{phase=~\"Pending|Running\"} == 1 ) ))" }, { "record": "namespace_workload_pod:kube_pod_owner:relabel", "expression": "max by (cluster, namespace, workload, pod) ( label_replace( label_replace( kube_pod_owner{job=\"kube-state-metrics\", owner_kind=\"ReplicaSet\"}, \"replicaset\", \"$1\", \"owner_name\", \"(.*)\" ) * 
on(replicaset, namespace) group_left(owner_name) topk by(replicaset, namespace) ( 1, max by (replicaset, namespace, owner_name) ( kube_replicaset_owner{job=\"kube-state-metrics\"} ) ), \"workload\", \"$1\", \"owner_name\", \"(.*)\" ))", "labels": { "workload_type": "deployment" } }, { "record": "namespace_workload_pod:kube_pod_owner:relabel", "expression": "max by (cluster, namespace, workload, pod) ( label_replace( kube_pod_owner{job=\"kube-state-metrics\", owner_kind=\"DaemonSet\"}, \"workload\", \"$1\", \"owner_name\", \"(.*)\" ))", "labels": { "workload_type": "daemonset" } }, { "record": "namespace_workload_pod:kube_pod_owner:relabel", "expression": "max by (cluster, namespace, workload, pod) ( label_replace( kube_pod_owner{job=\"kube-state-metrics\", owner_kind=\"StatefulSet\"}, \"workload\", \"$1\", \"owner_name\", \"(.*)\" ))", "labels": { "workload_type": "statefulset" } }, { "record": "namespace_workload_pod:kube_pod_owner:relabel", "expression": "max by (cluster, namespace, workload, pod) ( label_replace( kube_pod_owner{job=\"kube-state-metrics\", owner_kind=\"Job\"}, \"workload\", \"$1\", \"owner_name\", \"(.*)\" ))", "labels": { "workload_type": "job" } }, { "record": ":node_memory_MemAvailable_bytes:sum", "expression": "sum( node_memory_MemAvailable_bytes{job=\"node\"} or ( node_memory_Buffers_bytes{job=\"node\"} + node_memory_Cached_bytes{job=\"node\"} + node_memory_MemFree_bytes{job=\"node\"} + node_memory_Slab_bytes{job=\"node\"} )) by (cluster)" }, { "record": "cluster:node_cpu:ratio_rate5m", "expression": "sum(rate(node_cpu_seconds_total{job=\"node\",mode!=\"idle\",mode!=\"iowait\",mode!=\"steal\"}[5m])) by (cluster) /count(sum(node_cpu_seconds_total{job=\"node\"}) by (cluster, instance, cpu)) by (cluster)" } ] }, "dependsOn": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ] }, { "type": "Microsoft.AlertsManagement/prometheusRuleGroups", "apiVersion": "2023-03-01", "name": "[variables('nodeRecordingRuleGroupNameWinName')]", 
"location": "[parameters('location')]", "properties": { "description": "[format('{0}{1}', variables('RecordingRuleGroupDescriptionWin'), variables('version'))]", "scopes": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ], "enabled": true, "clusterName": "[parameters('clusterName')]", "interval": "PT1M", "rules": [ { "record": "node:windows_node:sum", "expression": "count (windows_system_system_up_time{job=\"windows-exporter\"})" }, { "record": "node:windows_node_num_cpu:sum", "expression": "count by (instance) (sum by (instance, core) (windows_cpu_time_total{job=\"windows-exporter\"}))" }, { "record": ":windows_node_cpu_utilisation:avg5m", "expression": "1 - avg(rate(windows_cpu_time_total{job=\"windows-exporter\",mode=\"idle\"}[5m]))" }, { "record": "node:windows_node_cpu_utilisation:avg5m", "expression": "1 - avg by (instance) (rate(windows_cpu_time_total{job=\"windows-exporter\",mode=\"idle\"}[5m]))" }, { "record": ":windows_node_memory_utilisation:", "expression": "1 -sum(windows_memory_available_bytes{job=\"windows-exporter\"})/sum(windows_os_visible_memory_bytes{job=\"windows-exporter\"})" }, { "record": ":windows_node_memory_MemFreeCached_bytes:sum", "expression": "sum(windows_memory_available_bytes{job=\"windows-exporter\"} + windows_memory_cache_bytes{job=\"windows-exporter\"})" }, { "record": "node:windows_node_memory_totalCached_bytes:sum", "expression": "(windows_memory_cache_bytes{job=\"windows-exporter\"} + windows_memory_modified_page_list_bytes{job=\"windows-exporter\"} + windows_memory_standby_cache_core_bytes{job=\"windows-exporter\"} + windows_memory_standby_cache_normal_priority_bytes{job=\"windows-exporter\"} + windows_memory_standby_cache_reserve_bytes{job=\"windows-exporter\"})" }, { "record": ":windows_node_memory_MemTotal_bytes:sum", "expression": "sum(windows_os_visible_memory_bytes{job=\"windows-exporter\"})" }, { "record": "node:windows_node_memory_bytes_available:sum", "expression": "sum by (instance) 
((windows_memory_available_bytes{job=\"windows-exporter\"}))" }, { "record": "node:windows_node_memory_bytes_total:sum", "expression": "sum by (instance) (windows_os_visible_memory_bytes{job=\"windows-exporter\"})" }, { "record": "node:windows_node_memory_utilisation:ratio", "expression": "(node:windows_node_memory_bytes_total:sum - node:windows_node_memory_bytes_available:sum) / scalar(sum(node:windows_node_memory_bytes_total:sum))" }, { "record": "node:windows_node_memory_utilisation:", "expression": "1 - (node:windows_node_memory_bytes_available:sum / node:windows_node_memory_bytes_total:sum)" }, { "record": "node:windows_node_memory_swap_io_pages:irate", "expression": "irate(windows_memory_swap_page_operations_total{job=\"windows-exporter\"}[5m])" }, { "record": ":windows_node_disk_utilisation:avg_irate", "expression": "avg(irate(windows_logical_disk_read_seconds_total{job=\"windows-exporter\"}[5m]) + irate(windows_logical_disk_write_seconds_total{job=\"windows-exporter\"}[5m]))" }, { "record": "node:windows_node_disk_utilisation:avg_irate", "expression": "avg by (instance) ((irate(windows_logical_disk_read_seconds_total{job=\"windows-exporter\"}[5m]) + irate(windows_logical_disk_write_seconds_total{job=\"windows-exporter\"}[5m])))" } ] }, "dependsOn": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ] }, { "type": "Microsoft.AlertsManagement/prometheusRuleGroups", "apiVersion": "2023-03-01", "name": "[variables('nodeAndKubernetesRecordingRuleGroupWinName')]", "location": "[parameters('location')]", "properties": { "description": "[format('{0}{1}', variables('RecordingRuleGroupDescriptionWin'), variables('version'))]", "scopes": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ], "enabled": true, "clusterName": "[parameters('clusterName')]", "interval": "PT1M", "rules": [ { "record": "node:windows_node_filesystem_usage:", "expression": "max by (instance,volume)((windows_logical_disk_size_bytes{job=\"windows-exporter\"} - 
windows_logical_disk_free_bytes{job=\"windows-exporter\"}) / windows_logical_disk_size_bytes{job=\"windows-exporter\"})" }, { "record": "node:windows_node_filesystem_avail:", "expression": "max by (instance, volume) (windows_logical_disk_free_bytes{job=\"windows-exporter\"} / windows_logical_disk_size_bytes{job=\"windows-exporter\"})" }, { "record": ":windows_node_net_utilisation:sum_irate", "expression": "sum(irate(windows_net_bytes_total{job=\"windows-exporter\"}[5m]))" }, { "record": "node:windows_node_net_utilisation:sum_irate", "expression": "sum by (instance) ((irate(windows_net_bytes_total{job=\"windows-exporter\"}[5m])))" }, { "record": ":windows_node_net_saturation:sum_irate", "expression": "sum(irate(windows_net_packets_received_discarded_total{job=\"windows-exporter\"}[5m])) + sum(irate(windows_net_packets_outbound_discarded_total{job=\"windows-exporter\"}[5m]))" }, { "record": "node:windows_node_net_saturation:sum_irate", "expression": "sum by (instance) ((irate(windows_net_packets_received_discarded_total{job=\"windows-exporter\"}[5m]) + irate(windows_net_packets_outbound_discarded_total{job=\"windows-exporter\"}[5m])))" }, { "record": "windows_pod_container_available", "expression": "windows_container_available{job=\"windows-exporter\", container_id != \"\"} * on(container_id) group_left(container, pod, namespace) max(kube_pod_container_info{job=\"kube-state-metrics\", container_id != \"\"}) by(container, container_id, pod, namespace)" }, { "record": "windows_container_total_runtime", "expression": "windows_container_cpu_usage_seconds_total{job=\"windows-exporter\", container_id != \"\"} * on(container_id) group_left(container, pod, namespace) max(kube_pod_container_info{job=\"kube-state-metrics\", container_id != \"\"}) by(container, container_id, pod, namespace)" }, { "record": "windows_container_memory_usage", "expression": "windows_container_memory_usage_commit_bytes{job=\"windows-exporter\", container_id != \"\"} * on(container_id) 
group_left(container, pod, namespace) max(kube_pod_container_info{job=\"kube-state-metrics\", container_id != \"\"}) by(container, container_id, pod, namespace)" }, { "record": "windows_container_private_working_set_usage", "expression": "windows_container_memory_usage_private_working_set_bytes{job=\"windows-exporter\", container_id != \"\"} * on(container_id) group_left(container, pod, namespace) max(kube_pod_container_info{job=\"kube-state-metrics\", container_id != \"\"}) by(container, container_id, pod, namespace)" }, { "record": "windows_container_network_received_bytes_total", "expression": "windows_container_network_receive_bytes_total{job=\"windows-exporter\", container_id != \"\"} * on(container_id) group_left(container, pod, namespace) max(kube_pod_container_info{job=\"kube-state-metrics\", container_id != \"\"}) by(container, container_id, pod, namespace)" }, { "record": "windows_container_network_transmitted_bytes_total", "expression": "windows_container_network_transmit_bytes_total{job=\"windows-exporter\", container_id != \"\"} * on(container_id) group_left(container, pod, namespace) max(kube_pod_container_info{job=\"kube-state-metrics\", container_id != \"\"}) by(container, container_id, pod, namespace)" }, { "record": "kube_pod_windows_container_resource_memory_request", "expression": "max by (namespace, pod, container) (kube_pod_container_resource_requests{resource=\"memory\",job=\"kube-state-metrics\"}) * on(container,pod,namespace) (windows_pod_container_available)" }, { "record": "kube_pod_windows_container_resource_memory_limit", "expression": "kube_pod_container_resource_limits{resource=\"memory\",job=\"kube-state-metrics\"} * on(container,pod,namespace) (windows_pod_container_available)" }, { "record": "kube_pod_windows_container_resource_cpu_cores_request", "expression": "max by (namespace, pod, container) ( kube_pod_container_resource_requests{resource=\"cpu\",job=\"kube-state-metrics\"}) * on(container,pod,namespace) 
(windows_pod_container_available)" }, { "record": "kube_pod_windows_container_resource_cpu_cores_limit", "expression": "kube_pod_container_resource_limits{resource=\"cpu\",job=\"kube-state-metrics\"} * on(container,pod,namespace) (windows_pod_container_available)" }, { "record": "namespace_pod_container:windows_container_cpu_usage_seconds_total:sum_rate", "expression": "sum by (namespace, pod, container) (rate(windows_container_total_runtime{}[5m]))" } ] }, "dependsOn": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ] }, { "type": "Microsoft.AlertsManagement/prometheusRuleGroups", "apiVersion": "2021-07-22-preview", "name": "[format('CommunityCIAlerts-{0}', parameters('clusterName'))]", "location": "[parameters('location')]", "properties": { "description": "Kubernetes Alert RuleGroup-communityCIAlerts - 0.1", "scopes": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ], "clusterName": "[parameters('clusterName')]", "enabled": true, "interval": "PT1M", "rules": [ { "alert": "KubePodCrashLooping", "expression": "max_over_time(kube_pod_container_status_waiting_reason{reason=\"CrashLoopBackOff\", job=\"kube-state-metrics\"}[5m]) >= 1", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubePodNotReady", "expression": "sum by (namespace, pod, cluster) ( max by(namespace, pod, cluster) ( kube_pod_status_phase{job=\"kube-state-metrics\", phase=~\"Pending|Unknown\"} ) * on(namespace, pod, cluster) group_left(owner_kind) topk by(namespace, pod, cluster) ( 1, max by(namespace, pod, owner_kind, cluster) (kube_pod_owner{owner_kind!=\"Job\"}) )) > 0", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": 
"[parameters('actionGroupId')]" } ] }, { "alert": "KubeDeploymentReplicasMismatch", "expression": "( kube_deployment_spec_replicas{job=\"kube-state-metrics\"} > kube_deployment_status_replicas_available{job=\"kube-state-metrics\"}) and ( changes(kube_deployment_status_replicas_updated{job=\"kube-state-metrics\"}[10m]) == 0)", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeStatefulSetReplicasMismatch", "expression": "( kube_statefulset_status_replicas_ready{job=\"kube-state-metrics\"} != kube_statefulset_status_replicas{job=\"kube-state-metrics\"}) and ( changes(kube_statefulset_status_replicas_updated{job=\"kube-state-metrics\"}[10m]) == 0)", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeJobNotCompleted", "expression": "time() - max by(namespace, job_name, cluster) (kube_job_status_start_time{job=\"kube-state-metrics\"} and kube_job_status_active{job=\"kube-state-metrics\"} > 0) > 43200", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeJobFailed", "expression": "kube_job_failed{job=\"kube-state-metrics\"} > 0", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeHpaReplicasMismatch", "expression": "(kube_horizontalpodautoscaler_status_desired_replicas{job=\"kube-state-metrics\"} 
!=kube_horizontalpodautoscaler_status_current_replicas{job=\"kube-state-metrics\"}) and(kube_horizontalpodautoscaler_status_current_replicas{job=\"kube-state-metrics\"} >kube_horizontalpodautoscaler_spec_min_replicas{job=\"kube-state-metrics\"}) and(kube_horizontalpodautoscaler_status_current_replicas{job=\"kube-state-metrics\"} 1.5", "for": "PT5M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeMemoryQuotaOvercommit", "expression": "sum(min without(resource) (kube_resourcequota{job=\"kube-state-metrics\", type=\"hard\", resource=~\"(memory|requests.memory)\"})) /sum(kube_node_status_allocatable{resource=\"memory\", job=\"kube-state-metrics\"}) > 1.5", "for": "PT5M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeQuotaAlmostFull", "expression": "kube_resourcequota{job=\"kube-state-metrics\", type=\"used\"} / ignoring(instance, job, type)(kube_resourcequota{job=\"kube-state-metrics\", type=\"hard\"} > 0) > 0.9 < 1", "for": "PT15M", "labels": { "severity": "info" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeVersionMismatch", "expression": "count by (cluster) (count by (git_version, cluster) (label_replace(kubernetes_build_info{job!~\"kube-dns|coredns\"},\"git_version\",\"$1\",\"git_version\",\"(v[0-9]*.[0-9]*).*\"))) > 1", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { 
"alert": "KubeNodeNotReady", "expression": "kube_node_status_condition{job=\"kube-state-metrics\",condition=\"Ready\",status=\"true\"} == 0", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeNodeUnreachable", "expression": "(kube_node_spec_taint{job=\"kube-state-metrics\",key=\"node.kubernetes.io/unreachable\",effect=\"NoSchedule\"} unless ignoring(key,value) kube_node_spec_taint{job=\"kube-state-metrics\",key=~\"ToBeDeletedByClusterAutoscaler|cloud.google.com/impending-node-termination|aws-node-termination-handler/spot-itn\"}) == 1", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeletTooManyPods", "expression": "count by(cluster, node) ( (kube_pod_status_phase{job=\"kube-state-metrics\",phase=\"Running\"} == 1) * on(instance,pod,namespace,cluster) group_left(node) topk by(instance,pod,namespace,cluster) (1, kube_pod_info{job=\"kube-state-metrics\"}))/max by(cluster, node) ( kube_node_status_capacity{job=\"kube-state-metrics\",resource=\"pods\"} != 1) > 0.95", "for": "PT15M", "labels": { "severity": "info" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] }, { "alert": "KubeNodeReadinessFlapping", "expression": "sum(changes(kube_node_status_condition{status=\"true\",condition=\"Ready\"}[15m])) by (cluster, node) > 2", "for": "PT15M", "labels": { "severity": "warning" }, "severity": 3, "enabled": true, "resolveConfiguration": { "autoResolved": true, "timeToResolve": "PT10M" }, "actions": [ { "actionGroupId": "[parameters('actionGroupId')]" } ] } ] 
}, "dependsOn": [ "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.Monitor/accounts', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" }, "location": { "type": "string", "value": "[reference(resourceId('Microsoft.Monitor/accounts', parameters('name')), '2023-04-03', 'full').location]" }, "accountId": { "type": "string", "value": "[reference(resourceId('Microsoft.Monitor/accounts', parameters('name')), '2023-04-03').accountId]" }, "prometheusQueryEndpoint": { "type": "string", "value": "[reference(resourceId('Microsoft.Monitor/accounts', parameters('name')), '2023-04-03').metrics.prometheusQueryEndpoint]" }, "internalId": { "type": "string", "value": "[reference(resourceId('Microsoft.Monitor/accounts', parameters('name')), '2023-04-03').metrics.internalId]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'actionGroup')]", "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]" ] }, { "condition": "[parameters('prometheusAndGrafanaEnabled')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "managedGrafana", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('grafanaName')]" }, "skuName": { "value": "[parameters('grafanaSkuName')]" }, "apiKey": { "value": "[parameters('grafanaApiKey')]" }, "autoGeneratedDomainNameLabelScope": { "value": "[parameters('grafanaAutoGeneratedDomainNameLabelScope')]" }, "deterministicOutboundIP": { "value": "[parameters('grafanaDeterministicOutboundIP')]" }, "publicNetworkAccess": { "value": "[parameters('grafanaPublicNetworkAccess')]" }, "zoneRedundancy": { "value": "[parameters('grafanaZoneRedundancy')]" }, "prometheusName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'managedPrometheus'), '2022-09-01').outputs.name.value]" }, 
"userId": { "value": "[parameters('userId')]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "12965697610083364463" } }, "parameters": { "prometheusName": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Monitor managed service for Prometheus resource." } }, "name": { "type": "string", "metadata": { "description": "Specifies the name of the Azure Managed Grafana resource." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location of the Azure Managed Grafana resource." } }, "skuName": { "type": "string", "defaultValue": "Standard", "metadata": { "description": "Specifies the sku of the Azure Managed Grafana resource." } }, "apiKey": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "Specifies the api key setting of the Azure Managed Grafana resource." } }, "autoGeneratedDomainNameLabelScope": { "type": "string", "defaultValue": "TenantReuse", "allowedValues": [ "TenantReuse" ], "metadata": { "description": "Specifies the scope for dns deterministic name hash calculation." } }, "deterministicOutboundIP": { "type": "string", "defaultValue": "Disabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "Specifies whether the Azure Managed Grafana resource uses deterministic outbound IPs." } }, "publicNetworkAccess": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "Specifies whether traffic over the public interface is enabled or disabled for the Azure Managed Grafana resource." 
} }, "zoneRedundancy": { "type": "string", "defaultValue": "Disabled", "allowedValues": [ "Disabled", "Enabled" ], "metadata": { "description": "The zone redundancy setting of the Azure Managed Grafana resource." } }, "userId": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the object id of an Azure Active Directory user. In general, this is the object id of the system administrator who deploys the Azure resources." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags for the Azure Monitor managed service for Prometheus resource." } } }, "resources": [ { "type": "Microsoft.Dashboard/grafana", "apiVersion": "2022-08-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "sku": { "name": "[parameters('skuName')]" }, "identity": { "type": "SystemAssigned" }, "properties": { "apiKey": "[parameters('apiKey')]", "autoGeneratedDomainNameLabelScope": "[parameters('autoGeneratedDomainNameLabelScope')]", "deterministicOutboundIP": "[parameters('deterministicOutboundIP')]", "grafanaIntegrations": { "azureMonitorWorkspaceIntegrations": [ { "azureMonitorWorkspaceResourceId": "[resourceId('Microsoft.Monitor/accounts', parameters('prometheusName'))]" } ] }, "publicNetworkAccess": "[parameters('publicNetworkAccess')]", "zoneRedundancy": "[parameters('zoneRedundancy')]" } }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.Monitor/accounts/{0}', parameters('prometheusName'))]", "name": "[guid(parameters('name'), parameters('prometheusName'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", "principalId": "[reference(resourceId('Microsoft.Dashboard/grafana', parameters('name')), '2022-08-01', 
'full').identity.principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.Dashboard/grafana', parameters('name'))]" ] }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.Monitor/accounts/{0}', parameters('prometheusName'))]", "name": "[guid(parameters('name'), parameters('prometheusName'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b0d8363b-8ddd-447d-831f-62ca05bff136'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b0d8363b-8ddd-447d-831f-62ca05bff136')]", "principalId": "[reference(resourceId('Microsoft.Dashboard/grafana', parameters('name')), '2022-08-01', 'full').identity.principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.Dashboard/grafana', parameters('name'))]" ] }, { "condition": "[not(empty(parameters('userId')))]", "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.Dashboard/grafana/{0}', parameters('name'))]", "name": "[guid(parameters('name'), parameters('userId'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '22926164-76b3-42b3-bc55-97df8dab3e41'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '22926164-76b3-42b3-bc55-97df8dab3e41')]", "principalId": "[parameters('userId')]", "principalType": "User" }, "dependsOn": [ "[resourceId('Microsoft.Dashboard/grafana', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.Dashboard/grafana', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" }, "location": { "type": "string", "value": "[reference(resourceId('Microsoft.Dashboard/grafana', parameters('name')), '2022-08-01', 'full').location]" }, "principalId": { "type": "string", "value": 
"[reference(resourceId('Microsoft.Dashboard/grafana', parameters('name')), '2022-08-01', 'full').identity.principalId]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'managedPrometheus')]" ] }, { "condition": "[parameters('createMetricAlerts')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "aksmetricalerts", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "aksClusterName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.name.value]" }, "metricAlertsEnabled": { "value": "[parameters('metricAlertsEnabled')]" }, "evalFrequency": { "value": "[parameters('metricAlertsEvalFrequency')]" }, "windowSize": { "value": "[parameters('metricAlertsWindowsSize')]" }, "alertSeverity": { "value": "Informational" }, "actionGroupId": "[if(parameters('actionGroupEnabled'), createObject('value', reference(resourceId('Microsoft.Resources/deployments', 'actionGroup'), '2022-09-01').outputs.id.value), createObject('value', ''))]", "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "10569573964129882973" } }, "parameters": { "aksClusterName": { "type": "string", "metadata": { "description": "The name of the AKS Cluster to configure the alerts on." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } }, "evalFrequency": { "type": "string", "defaultValue": "PT1M", "allowedValues": [ "PT1M", "PT15M" ], "metadata": { "description": "Select the frequency on how often the alert rule should be run. 
Selecting a frequency smaller than the granularity of datapoint grouping will result in sliding-window evaluation." } }, "metricAlertsEnabled": { "type": "bool", "defaultValue": true, "metadata": { "description": "Specifies whether metric alerts are enabled or disabled." } }, "windowSize": { "type": "string", "defaultValue": "PT5M", "allowedValues": [ "PT5M", "PT1H" ], "metadata": { "description": "Defines the interval over which datapoints are grouped using the aggregation type function." } }, "alertSeverity": { "type": "string", "defaultValue": "Informational", "allowedValues": [ "Critical", "Error", "Warning", "Informational", "Verbose" ] }, "actionGroupId": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies the resource id of an Action Group resource. If empty, no action is specified for metric alerts." } } }, "variables": { "alertServerityLookup": { "Critical": 0, "Error": 1, "Warning": 2, "Informational": 3, "Verbose": 4 }, "alertSeverityNumber": "[variables('alertServerityLookup')[parameters('alertSeverity')]]", "aksResourceId": "[resourceId('Microsoft.ContainerService/managedClusters', parameters('aksClusterName'))]" }, "resources": [ { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Node CPU utilization high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "host", "operator": "Include", "values": [ "*" ] } ], "metricName": "cpuUsagePercentage", "metricNamespace": "Insights.Container/nodes", "name": "Metric1", "operator": "GreaterThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": 
"Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "Node CPU utilization across the cluster.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('aksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Node working set memory utilization high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "host", "operator": "Include", "values": [ "*" ] } ], "metricName": "memoryWorkingSetPercentage", "metricNamespace": "Insights.Container/nodes", "name": "Metric1", "operator": "GreaterThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "Node working set memory utilization across the cluster.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('aksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Jobs completed more than 6 hours ago', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), 
createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "completedJobsCount", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors completed jobs (more than 6 hours ago).", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('aksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Container CPU usage high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "cpuExceededPercentage", "metricNamespace": "Insights.Container/containers", "name": "Metric1", "operator": "GreaterThan", "threshold": 90, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors container CPU utilization.", 
"enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('aksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Container working set memory usage high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "memoryWorkingSetExceededPercentage", "metricNamespace": "Insights.Container/containers", "name": "Metric1", "operator": "GreaterThan", "threshold": 90, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors container working set memory utilization.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('aksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Pods in failed state', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', 
parameters('actionGroupId'))), createArray())]", "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "phase", "operator": "Include", "values": [ "Failed" ] } ], "metricName": "podCount", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "Pod status monitoring.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('aksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Disk usage high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "host", "operator": "Include", "values": [ "*" ] }, { "name": "device", "operator": "Include", "values": [ "*" ] } ], "metricName": "DiskUsedPercentage", "metricNamespace": "Insights.Container/nodes", "name": "Metric1", "operator": "GreaterThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors disk usage for all nodes and storage devices.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('aksResourceId')]" ], "severity": 
"[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Nodes in not ready state', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "status", "operator": "Include", "values": [ "NotReady" ] } ], "metricName": "nodesCount", "metricNamespace": "Insights.Container/nodes", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "Node status monitoring.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('aksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Containers getting OOM killed', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] }, { "name": "controllerName", "operator": "Include", "values": [ "*" ] } ], "metricName": "oomKilledContainerCount", 
"metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors number of containers killed due to out of memory (OOM) error.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('aksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Persistent volume usage high', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "podName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetesNamespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "pvUsageExceededPercentage", "metricNamespace": "Insights.Container/persistentvolumes", "name": "Metric1", "operator": "GreaterThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors persistent volume utilization.", "enabled": false, "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('aksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", 
"apiVersion": "2018-03-01", "name": "[format('{0} | Pods not in ready state', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "controllerName", "operator": "Exclude", "values": [ "overlay-vpa-cert-webhook-check" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "metricName": "PodReadyPercentage", "metricNamespace": "Insights.Container/pods", "name": "Metric1", "operator": "LessThan", "threshold": 80, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors for excessive pods not in the ready state.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('aksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "microsoft.containerservice/managedclusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Restarting container count', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "criteria": { "allOf": [ { "criterionType": "StaticThresholdCriterion", "dimensions": [ { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] }, { "name": "controllerName", "operator": "Include", "values": [ "*" ] } ], "metricName": "restartingContainerCount", "metricNamespace": "Insights.Container/pods", "name": 
"Metric1", "operator": "GreaterThan", "threshold": 0, "timeAggregation": "Average", "skipMetricValidation": true } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" }, "description": "This alert monitors number of containers restarting across the cluster.", "enabled": "[parameters('metricAlertsEnabled')]", "evaluationFrequency": "[parameters('evalFrequency')]", "scopes": [ "[variables('aksResourceId')]" ], "severity": "[variables('alertSeverityNumber')]", "targetResourceType": "Microsoft.ContainerService/managedClusters", "windowSize": "[parameters('windowSize')]" } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Container CPU usage violates the configured threshold', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "description": "This alert monitors container CPU usage. 
It uses the threshold defined in the config map. This alert is deployed with enabled hard-coded to true, so it stays active even when the metricAlertsEnabled parameter is false.
It uses the threshold defined in the config map.", "severity": "[variables('alertSeverityNumber')]", "enabled": "[parameters('metricAlertsEnabled')]", "scopes": [ "[variables('aksResourceId')]" ], "evaluationFrequency": "[parameters('evalFrequency')]", "windowSize": "[parameters('windowSize')]", "criteria": { "allOf": [ { "threshold": 0, "name": "Metric1", "metricNamespace": "Insights.Container/containers", "metricName": "memoryWorkingSetThresholdViolated", "dimensions": [ { "name": "controllerName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetes namespace", "operator": "Include", "values": [ "*" ] } ], "operator": "GreaterThan", "timeAggregation": "Average", "skipMetricValidation": true, "criterionType": "StaticThresholdCriterion" } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" } } }, { "type": "Microsoft.Insights/metricAlerts", "apiVersion": "2018-03-01", "name": "[format('{0} | Persistent Volume usage violates the configured threshold', parameters('aksClusterName'))]", "location": "global", "tags": "[parameters('tags')]", "properties": { "actions": "[if(not(empty(parameters('actionGroupId'))), createArray(createObject('actionGroupId', parameters('actionGroupId'))), createArray())]", "description": "This alert monitors Persistent Volume usage. 
It uses the threshold defined in the config map.", "severity": "[variables('alertSeverityNumber')]", "enabled": "[parameters('metricAlertsEnabled')]", "scopes": [ "[variables('aksResourceId')]" ], "evaluationFrequency": "[parameters('evalFrequency')]", "windowSize": "[parameters('windowSize')]", "criteria": { "allOf": [ { "threshold": 0, "name": "Metric1", "metricNamespace": "Insights.Container/persistentvolumes", "metricName": "pvUsageThresholdViolated", "dimensions": [ { "name": "podName", "operator": "Include", "values": [ "*" ] }, { "name": "kubernetesNamespace", "operator": "Include", "values": [ "*" ] } ], "operator": "GreaterThan", "timeAggregation": "Average", "skipMetricValidation": true, "criterionType": "StaticThresholdCriterion" } ], "odata.type": "Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria" } } } ] } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'actionGroup')]", "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]" ] }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "deploymentScript", "properties": { "expressionEvaluationOptions": { "scope": "inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('deploymentScripName')]" }, "managedIdentityName": "[if(equals(parameters('letterCaseType'), 'UpperCamelCase'), createObject('value', format('{0}{1}ScriptManagedIdentity', toUpper(first(parameters('prefix'))), toLower(substring(parameters('prefix'), 1, sub(length(parameters('prefix')), 1))))), if(equals(parameters('letterCaseType'), 'CamelCase'), createObject('value', format('{0}ScriptManagedIdentity', toLower(parameters('prefix')))), createObject('value', format('{0}-script-managed-identity', toLower(parameters('prefix'))))))]", "clusterName": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.name.value]" }, "hostName": { "value": "[variables('hostName')]" }, "namespace": { "value": 
"[parameters('namespace')]" }, "email": { "value": "[parameters('email')]" }, "primaryScriptUri": { "value": "[parameters('deploymentScriptUri')]" }, "resourceGroupName": { "value": "[resourceGroup().name]" }, "applicationGatewayEnabled": "[if(parameters('applicationGatewayEnabled'), createObject('value', 'true'), createObject('value', 'false'))]", "tenantId": { "value": "[subscription().tenantId]" }, "subscriptionId": { "value": "[subscription().subscriptionId]" }, "workloadManagedIdentityClientId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'aksCluster'), '2022-09-01').outputs.workloadManagedIdentityClientId.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "6605989695398323869" } }, "parameters": { "name": { "type": "string", "defaultValue": "BashScript", "metadata": { "description": "Specifies the name of the deployment script uri." } }, "managedIdentityName": { "type": "string", "defaultValue": "ScriptManagedIdentity", "metadata": { "description": "Specifies the name of the user-defined managed identity used by the deployment script." } }, "primaryScriptUri": { "type": "string", "metadata": { "description": "Specifies the primary script URI." } }, "clusterName": { "type": "string", "metadata": { "description": "Specifies the name of the AKS cluster." } }, "resourceGroupName": { "type": "string", "defaultValue": "[resourceGroup().name]", "metadata": { "description": "Specifies the resource group name" } }, "tenantId": { "type": "string", "defaultValue": "[subscription().tenantId]", "metadata": { "description": "Specifies the Azure AD tenant id." 
} }, "subscriptionId": { "type": "string", "defaultValue": "[subscription().subscriptionId]", "metadata": { "description": "Specifies the subscription id." } }, "applicationGatewayEnabled": { "type": "string", "metadata": { "description": "Specifies whether creating the Application Gateway and enabling the Application Gateway Ingress Controller or not." } }, "hostName": { "type": "string", "metadata": { "description": "Specifies the hostname of the application." } }, "namespace": { "type": "string", "metadata": { "description": "Specifies the namespace of the application." } }, "serviceAccountName": { "type": "string", "defaultValue": "magic8ball-sa", "metadata": { "description": "Specifies the service account of the application." } }, "workloadManagedIdentityClientId": { "type": "string", "metadata": { "description": "Specifies the client id of the workload user-defined managed identity." } }, "email": { "type": "string", "defaultValue": "admin@contoso.com", "metadata": { "description": "Specifies the email address for the cert-manager cluster issuer." } }, "utcValue": { "type": "string", "defaultValue": "[utcNow()]", "metadata": { "description": "Specifies the current datetime" } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." 
} } }, "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", "apiVersion": "2023-01-31", "name": "[parameters('managedIdentityName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" }, { "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.ContainerService/managedClusters/{0}', parameters('clusterName'))]", "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8'))]", "properties": { "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", "principalId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')), '2023-01-31').principalId]", "principalType": "ServicePrincipal" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" ] }, { "type": "Microsoft.Resources/deploymentScripts", "apiVersion": "2020-10-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "kind": "AzureCLI", "identity": { "type": "UserAssigned", "userAssignedIdentities": { "[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName')))]": {} } }, "properties": { "forceUpdateTag": "[parameters('utcValue')]", "azCliVersion": "2.42.0", "timeout": "PT30M", "environmentVariables": [ { "name": "clusterName", "value": "[parameters('clusterName')]" }, { "name": "resourceGroupName", "value": "[parameters('resourceGroupName')]" }, { "name": "applicationGatewayEnabled", "value": "[parameters('applicationGatewayEnabled')]" }, { "name": "tenantId", "value": "[parameters('tenantId')]" }, { "name": 
"subscriptionId", "value": "[parameters('subscriptionId')]" }, { "name": "hostName", "value": "[parameters('hostName')]" }, { "name": "namespace", "value": "[parameters('namespace')]" }, { "name": "serviceAccountName", "value": "[parameters('serviceAccountName')]" }, { "name": "workloadManagedIdentityClientId", "value": "[parameters('workloadManagedIdentityClientId')]" }, { "name": "email", "value": "[parameters('email')]" } ], "primaryScriptUri": "[parameters('primaryScriptUri')]", "cleanupPreference": "OnSuccess", "retentionInterval": "P1D" }, "dependsOn": [ "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('managedIdentityName'))]" ] } ], "outputs": { "result": { "type": "object", "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', parameters('name')), '2020-10-01').outputs]" }, "namespace": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', parameters('name')), '2020-10-01').outputs.namespace]" }, "serviceAccountName": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', parameters('name')), '2020-10-01').outputs.serviceAccountName]" }, "prometheus": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', parameters('name')), '2020-10-01').outputs.prometheus]" }, "certManager": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', parameters('name')), '2020-10-01').outputs.certManager]" }, "nginxIngressController": { "type": "string", "value": "[reference(resourceId('Microsoft.Resources/deploymentScripts', parameters('name')), '2020-10-01').outputs.nginxIngressController]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'aksCluster')]" ] }, { "condition": "[parameters('openAiEnabled')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "openAi", "properties": { "expressionEvaluationOptions": { "scope": 
"inner" }, "mode": "Incremental", "parameters": { "name": { "value": "[parameters('openAiName')]" }, "sku": { "value": "[parameters('openAiSku')]" }, "identity": { "value": "[parameters('openAiIdentity')]" }, "customSubDomainName": "[if(empty(parameters('openAiCustomSubDomainName')), createObject('value', toLower(parameters('openAiName'))), createObject('value', parameters('openAiCustomSubDomainName')))]", "publicNetworkAccess": { "value": "[parameters('openAiPublicNetworkAccess')]" }, "deployments": { "value": "[parameters('openAiDeployments')]" }, "workspaceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'workspace'), '2022-09-01').outputs.id.value]" }, "location": { "value": "[parameters('location')]" }, "tags": { "value": "[parameters('tags')]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.20.4.51522", "templateHash": "3303672797619659359" } }, "parameters": { "name": { "type": "string", "defaultValue": "[format('aks-{0}', uniqueString(resourceGroup().id))]", "metadata": { "description": "Specifies the name of the Azure OpenAI resource." } }, "sku": { "type": "object", "defaultValue": { "name": "S0" }, "metadata": { "description": "Specifies the resource model definition representing SKU." } }, "identity": { "type": "object", "defaultValue": { "type": "SystemAssigned" }, "metadata": { "description": "Specifies the identity of the OpenAI resource." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Specifies the location." } }, "tags": { "type": "object", "metadata": { "description": "Specifies the resource tags." } }, "customSubDomainName": { "type": "string", "defaultValue": "", "metadata": { "description": "Specifies an optional subdomain name used for token-based authentication." 
"publicNetworkAccess": { "type": "string", "defaultValue": "Enabled", "allowedValues": [ "Enabled", "Disabled" ], "metadata": { "description": "Specifies whether public network access to the Azure OpenAI account is allowed. Defaults to Enabled; set to Disabled when the account must not be reachable from the public internet." } }, "deployments": { "type": "array", "defaultValue": [ { "name": "text-embedding-ada-002", "version": "2", "raiPolicyName": "", "capacity": 1, "scaleType": "Standard" }, { "name": "gpt-35-turbo", "version": "0301", "raiPolicyName": "", "capacity": 1, "scaleType": "Standard" }, { "name": "text-davinci-003", "version": "1", "raiPolicyName": "", "capacity": 1, "scaleType": "Standard" } ], "metadata": { "description": "Specifies the OpenAI deployments to create." } }, "workspaceId": { "type": "string", "metadata": { "description": "Specifies the resource id of the Log Analytics workspace that receives the Azure OpenAI account's diagnostic logs (Audit, RequestResponse, Trace) and metrics." } }
"apiVersion": "2022-12-01", "name": "[format('{0}/{1}', parameters('name'), parameters('deployments')[copyIndex()].name)]", "properties": { "model": { "format": "OpenAI", "name": "[parameters('deployments')[copyIndex()].name]", "version": "[parameters('deployments')[copyIndex()].version]" }, "raiPolicyName": "[parameters('deployments')[copyIndex()].raiPolicyName]", "scaleSettings": { "capacity": "[parameters('deployments')[copyIndex()].capacity]", "scaleType": "[parameters('deployments')[copyIndex()].scaleType]" } }, "dependsOn": [ "[resourceId('Microsoft.CognitiveServices/accounts', parameters('name'))]" ] }, { "type": "Microsoft.Insights/diagnosticSettings", "apiVersion": "2021-05-01-preview", "scope": "[format('Microsoft.CognitiveServices/accounts/{0}', parameters('name'))]", "name": "[variables('diagnosticSettingsName')]", "properties": { "workspaceId": "[parameters('workspaceId')]", "logs": "[variables('openAiLogs')]", "metrics": "[variables('openAiMetrics')]" }, "dependsOn": [ "[resourceId('Microsoft.CognitiveServices/accounts', parameters('name'))]" ] } ], "outputs": { "id": { "type": "string", "value": "[resourceId('Microsoft.CognitiveServices/accounts', parameters('name'))]" }, "name": { "type": "string", "value": "[parameters('name')]" } } } }, "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'workspace')]" ] } ] }