From d63e58cfe925f88402ae38b5cd23793d7610408c Mon Sep 17 00:00:00 2001 From: Gordon Byers Date: Wed, 13 Jul 2022 11:12:41 +0000 Subject: [PATCH 1/4] refactoring kv to modules, realign parameter names --- .github/workflows/ByoVnetCI.yml | 6 +- .../AksDeploy-ByoVnet.parameters.json | 8 +- .../AksDeploy-Private.parameters.json | 4 +- .../classic-custom-vnet-plus-firewall.json | 4 +- .../regressionparams/key-vault.json | 6 +- .../managed-private-privatelink.json | 4 +- .../regressionparams/managed-private.json | 4 +- .../regressionparams/managed-public.json | 4 +- .../regressionparams/open-secure.json | 4 +- .../optimised-for-well-architected.json | 4 +- bicep/keyvault.bicep | 80 +++++++++ bicep/keyvaultrbac.bicep | 74 ++++++++ bicep/main.bicep | 168 ++++++------------ helper/src/components/addonsTab.js | 2 +- helper/src/components/clusterTab.js | 2 +- helper/src/components/deployTab.js | 16 +- helper/src/config.json | 6 +- helper/src/configpresets/principals.json | 10 +- samples/flux/aks-baseline-config.bicep | 2 +- samples/flux/azure-docs-config.bicep | 2 +- samples/peered-vnet/main.bicep | 2 +- samples/windows/main.bicep | 2 +- 22 files changed, 252 insertions(+), 162 deletions(-) create mode 100644 bicep/keyvault.bicep create mode 100644 bicep/keyvaultrbac.bicep diff --git a/.github/workflows/ByoVnetCI.yml b/.github/workflows/ByoVnetCI.yml index 9319aa3b7..40fb08f54 100644 --- a/.github/workflows/ByoVnetCI.yml +++ b/.github/workflows/ByoVnetCI.yml @@ -203,7 +203,7 @@ jobs: } else { Write-Output "-- Looks like $feature is registered properly" } } - if($params.parameters.azureKeyvaultSecretsProvider.value -eq $true) { + if($params.parameters.keyVaultAksCSI.value -eq $true) { $feature='AKS-AzureKeyVaultSecretsProvider' write-output "-- $feature" $featureCsi = $aksfeatures | Where-Object {$_.name -like "*$feature"} 
@@ -336,7 +336,7 @@ jobs: $paramFileContent=Get-Content $paramFilePath $params=$paramFileContent|ConvertFrom-Json - if($params.parameters.createKV.value -eq $true) { + if($params.parameters.keyVaultCreate.value -eq $true) { Write-Output "Checking for already existing soft deleted KV" #lets do this properly and interrogate the whatif file for the KVNAME @@ -641,7 +641,7 @@ jobs: } Write-Output "Checking for CSI Secrets driver" - if($params.parameters.azureKeyvaultSecretsProvider.value -eq $true) { + if($params.parameters.keyVaultAksCSI.value -eq $true) { $csiEnabled=az aks show -n $AKSNAME -g $RG --query "addonProfiles.omsagent.enabled" -o tsv write-output $csiEnabled diff --git a/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json b/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json index 84b9c6ddf..615f8ee3c 100644 --- a/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json +++ b/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json @@ -65,10 +65,10 @@ "SystemPoolType" : { "value" : "Standard" }, - "createKV" : { + "creatkeyVaultCreateeKV" : { "value" : true }, - "azureKeyvaultSecretsProvider" : { + "keyVaultAksCSI" : { "value" : true }, "appgwKVIntegration" : { @@ -87,10 +87,10 @@ "guard" ] }, - "KeyVaultSoftDelete" : { + "keyVaultSoftDelete" : { "value" : false }, - "KeyVaultPurgeProtection" : { + "keyVaultPurgeProtection" : { "value" : false }, "dnsZoneId" : { diff --git a/.github/workflows_dep/AksDeploy-Private.parameters.json b/.github/workflows_dep/AksDeploy-Private.parameters.json index 8b7ab44ff..943d4956d 100644 --- a/.github/workflows_dep/AksDeploy-Private.parameters.json +++ b/.github/workflows_dep/AksDeploy-Private.parameters.json @@ -74,10 +74,10 @@ "appgwKVIntegration": { "value": true }, - "azureKeyvaultSecretsProvider": { + "keyVaultAksCSI": { "value": true }, - "createKV": { + "keyVaultCreate": { "value": true }, "upgradeChannel": { 
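Review bot: The renamed guard `if($params.parameters.keyVaultAksCSI.value -eq $true)` in the @@ -641 hunk still wraps an `az aks show` call that queries `addonProfiles.omsagent.enabled`, so the "Checking for CSI Secrets driver" step inspects the monitoring addon rather than the secrets provider. The query line is context rather than part of this rename and may predate the commit, but the rename is the right moment to correct it, because a check against the wrong addon could let a cluster without the CSI driver pass the workflow; it should read `--query "addonProfiles.azureKeyvaultSecretsProvider.enabled"`, which is the addon profile key main.bicep itself uses. The enclosing PowerShell step continues past the end of the hunk.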
diff --git a/.github/workflows_dep/regressionparams/classic-custom-vnet-plus-firewall.json b/.github/workflows_dep/regressionparams/classic-custom-vnet-plus-firewall.json index 980679350..a48f7f9fa 100644 --- a/.github/workflows_dep/regressionparams/classic-custom-vnet-plus-firewall.json +++ b/.github/workflows_dep/regressionparams/classic-custom-vnet-plus-firewall.json @@ -44,10 +44,10 @@ "networkPlugin": { "value": "azure" }, - "KeyVaultSoftDelete" : { + "keyVaultSoftDelete" : { "value" : false }, - "KeyVaultPurgeProtection" : { + "keyVaultPurgeProtection" : { "value" : false } } diff --git a/.github/workflows_dep/regressionparams/key-vault.json b/.github/workflows_dep/regressionparams/key-vault.json index b8c030cb8..beb61140f 100644 --- a/.github/workflows_dep/regressionparams/key-vault.json +++ b/.github/workflows_dep/regressionparams/key-vault.json @@ -32,13 +32,13 @@ "appgwKVIntegration": { "value": true }, - "azureKeyvaultSecretsProvider": { + "keyVaultAksCSI": { "value": true }, - "createKV": { + "keyVaultCreate": { "value": true }, - "kvIPAllowlist": { + "keyVaultIPAllowlist": { "value": [ "1.2.3.4/32" ] diff --git a/.github/workflows_dep/regressionparams/managed-private-privatelink.json b/.github/workflows_dep/regressionparams/managed-private-privatelink.json index b77a7f010..079064eae 100644 --- a/.github/workflows_dep/regressionparams/managed-private-privatelink.json +++ b/.github/workflows_dep/regressionparams/managed-private-privatelink.json @@ -74,10 +74,10 @@ "appgwKVIntegration": { "value": true }, - "azureKeyvaultSecretsProvider": { + "keyVaultAksCSI": { "value": true }, - "createKV": { + "keyVaultCreate": { "value": true }, "upgradeChannel": { diff --git a/.github/workflows_dep/regressionparams/managed-private.json b/.github/workflows_dep/regressionparams/managed-private.json index a80ac7ff3..41b94ee52 100644 --- a/.github/workflows_dep/regressionparams/managed-private.json +++ b/.github/workflows_dep/regressionparams/managed-private.json 
@@ -59,10 +59,10 @@ "appgwKVIntegration": { "value": true }, - "createKV": { + "keyVaultCreate": { "value": true }, - "azureKeyvaultSecretsProvider": { + "keyVaultAksCSI": { "value": true }, "upgradeChannel": { diff --git a/.github/workflows_dep/regressionparams/managed-public.json b/.github/workflows_dep/regressionparams/managed-public.json index e491669bf..b40bf6bae 100644 --- a/.github/workflows_dep/regressionparams/managed-public.json +++ b/.github/workflows_dep/regressionparams/managed-public.json @@ -53,10 +53,10 @@ "appgwKVIntegration": { "value": true }, - "createKV": { + "keyVaultCreate": { "value": true }, - "azureKeyvaultSecretsProvider": { + "keyVaultAksCSI": { "value": true }, "upgradeChannel": { diff --git a/.github/workflows_dep/regressionparams/open-secure.json b/.github/workflows_dep/regressionparams/open-secure.json index f2870a8d0..fc77c7055 100644 --- a/.github/workflows_dep/regressionparams/open-secure.json +++ b/.github/workflows_dep/regressionparams/open-secure.json @@ -23,10 +23,10 @@ "azurepolicy": { "value": "audit" }, - "azureKeyvaultSecretsProvider": { + "keyVaultAksCSI": { "value": true }, - "createKV": { + "keyVaultCreate": { "value": true } } diff --git a/.github/workflows_dep/regressionparams/optimised-for-well-architected.json b/.github/workflows_dep/regressionparams/optimised-for-well-architected.json index ab5dfb595..3ad1104ea 100644 --- a/.github/workflows_dep/regressionparams/optimised-for-well-architected.json +++ b/.github/workflows_dep/regressionparams/optimised-for-well-architected.json @@ -73,10 +73,10 @@ "appgwKVIntegration": { "value": true }, - "azureKeyvaultSecretsProvider": { + "keyVaultAksCSI": { "value": true }, - "createKV": { + "keyVaultCreate": { "value": true }, "upgradeChannel": { diff --git a/bicep/keyvault.bicep b/bicep/keyvault.bicep new file mode 100644 index 000000000..3a6283f3d --- /dev/null +++ b/bicep/keyvault.bicep 
@@ -0,0 +1,80 @@ +@minLength(2) +@description('The location to use for the deployment. defaults to Resource Groups location.') +param location string = resourceGroup().location + +@minLength(3) +@maxLength(20) +@description('Used to name all resources') +param resourceName string + +@description('Enable support for private links') +param privateLinks bool = false + +@description('If soft delete protection is enabled') +param keyVaultSoftDelete bool = true + +@description('If purge protection is enabled') +param keyVaultPurgeProtection bool = true + +@description('Add IP to KV firewall allow-list') +param keyVaultIPAllowlist array = [] + +param logAnalyticsWorkspaceId string = '' + +var akvRawName = 'kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}' +var akvName = length(akvRawName) > 24 ? substring(akvRawName, 0, 24) : akvRawName + +var kvIPRules = [for kvIp in keyVaultIPAllowlist: { + value: kvIp +}] + +resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' = { + name: akvName + location: location + properties: { + tenantId: subscription().tenantId + sku: { + family: 'A' + name: 'standard' + } + // publicNetworkAccess: whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. + publicNetworkAccess: privateLinks && empty(keyVaultIPAllowlist) ? 'disabled' : 'enabled' + + networkAcls: privateLinks && !empty(keyVaultIPAllowlist) ? { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: kvIPRules + virtualNetworkRules: [] + } : {} + + enableRbacAuthorization: true + enabledForDeployment: false + enabledForDiskEncryption: false + enabledForTemplateDeployment: false + enableSoftDelete: keyVaultSoftDelete + enablePurgeProtection: keyVaultPurgeProtection ? 
true : json('null') + } +} + +resource kvDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(logAnalyticsWorkspaceId)) { + name: 'kvDiags' + scope: kv + properties: { + workspaceId: logAnalyticsWorkspaceId + logs: [ + { + category: 'AuditEvent' + enabled: true + } + ] + metrics: [ + { + category: 'AllMetrics' + enabled: true + } + ] + } +} + +output keyVaultName string = kv.name +output keyVaultId string = kv.id diff --git a/bicep/keyvaultrbac.bicep b/bicep/keyvaultrbac.bicep new file mode 100644 index 000000000..753ff02d3 --- /dev/null +++ b/bicep/keyvaultrbac.bicep 
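Review bot: `networkAcls` is only populated when `privateLinks && !empty(keyVaultIPAllowlist)`, so a caller who sets `keyVaultIPAllowlist` on a deployment without private links gets `networkAcls: {}` together with `publicNetworkAccess: 'enabled'` — the vault is reachable from any network and the allow-list is silently ignored. If the firewall is meant to follow the allow-list whenever one is given, the condition should be `networkAcls: !empty(keyVaultIPAllowlist) ? { ... } : {}`; if it is intentionally private-link-only, the parameter should say so, e.g. `@description('IP addresses to allow through the KV firewall; only applied when privateLinks is true, otherwise no network ACL is set')`. `param logAnalyticsWorkspaceId string = ''` is the one parameter without a `@description`; `@description('Log Analytics workspace ID for AuditEvent diagnostics; leave empty to skip kvDiags')` documents that this value is what gates the diagnostic setting.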
@@ -0,0 +1,74 @@ +param keyVaultName string + +@description('An array of Service Principal IDs') +param rbacSecretUserSps array = [] + +@description('An array of Service Principal IDs') +param rbacSecretOfficerSps array = [] + +@description('An array of Service Principal IDs') +param rbacCertOfficerSps array = [] + +@description('An array of User IDs') +param rbacSecretOfficerUsers array = [] + +@description('An array of User IDs') +param rbacCertOfficerUsers array = [] + +var keyVaultSecretsUserRole = resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') +var keyVaultSecretsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') +var keyVaultCertsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') + +resource kv 'Microsoft.KeyVault/vaults@2021-11-01-preview' existing = { + name: keyVaultName +} + +resource rbacSecretUserSp 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacSecretUserSps : if(!empty(rbacSp)) { + scope: kv + name: guid(kv.id, rbacSp, keyVaultSecretsUserRole) + properties: { + roleDefinitionId: keyVaultSecretsUserRole + principalType: 'ServicePrincipal' + principalId: rbacSp + } +}] + +resource rbacSecretOfficerSp 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacSecretOfficerSps : if(!empty(rbacSp)) { + scope: kv + name: guid(kv.id, rbacSp, keyVaultSecretsOfficerRole) + properties: { + roleDefinitionId: keyVaultSecretsOfficerRole + principalType: 'ServicePrincipal' + principalId: rbacSp + } +}] + +resource rbacCertsOfficerSp 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacCertOfficerSps : if(!empty(rbacSp)) { + scope: kv + name: guid(kv.id, rbacSp, keyVaultCertsOfficerRole) + properties: { + roleDefinitionId: keyVaultCertsOfficerRole + principalType: 'ServicePrincipal' + principalId: rbacSp + } +}] + 
+resource rbacSecretOfficerUser 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacSecretOfficerUsers : if(!empty(rbacSp)) { + scope: kv + name: guid(kv.id, rbacSp, keyVaultSecretsOfficerRole) + properties: { + roleDefinitionId: keyVaultSecretsOfficerRole + principalType: 'User' + principalId: rbacSp + } +}] + +resource rbacCertsOfficerUser 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = [for rbacSp in rbacCertOfficerUsers : if(!empty(rbacSp)) { + scope: kv + name: guid(kv.id, rbacSp, keyVaultCertsOfficerRole) + properties: { + roleDefinitionId: keyVaultCertsOfficerRole + principalType: 'User' + principalId: rbacSp + } +}] diff --git a/bicep/main.bicep b/bicep/main.bicep index 5826a59e0..770cbd4a9 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep @@ -137,7 +137,7 @@ module network './network.bicep' = if (custom_vnet) { privateLinks: privateLinks privateLinkSubnetAddressPrefix: privateLinkSubnetAddressPrefix privateLinkAcrId: privateLinks && !empty(registries_sku) ? acr.id : '' - privateLinkAkvId: privateLinks && createKV ? kv.id : '' + privateLinkAkvId: privateLinks && keyVaultCreate ? kv.outputs.keyVaultId : '' acrPrivatePool: acrPrivatePool acrAgentPoolSubnetAddressPrefix: acrAgentPoolSubnetAddressPrefix bastion: bastion 
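Review bot: `param keyVaultName string` is the only input without a `@description`; `@description('Name of the existing Key Vault that the role assignments are scoped to')` would match the other parameters. The two user loops, `rbacSecretOfficerUser` and `rbacCertsOfficerUser`, reuse the loop variable `rbacSp` from the service-principal loops even though they iterate user object IDs and set `principalType: 'User'`; naming it `rbacUser` keeps the principal type readable at the point it is used. The five resources differ only in role and principal type, which is fine, but a short header comment noting that `guid(kv.id, rbacSp, role)` makes the assignment names deterministic, so re-running the deployment updates rather than duplicates them, would help the next reader.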
@@ -193,131 +193,64 @@ module dnsZone './dnsZone.bicep' = if (!empty(dnsZoneId)) { | . \ | |____ | | \ / / _____ \ | `--' | | `----. | | |__|\__\ |_______| |__| \__/ /__/ \__\ \______/ |_______| |__| */ -@description('Installs the AKS KV CSI provider') -param azureKeyvaultSecretsProvider bool = false - -@description('Rotation poll interval for the AKS KV CSI provider') -param kvPollInterval string = '2m' - -@description('Enables Open Service Mesh') -param openServiceMeshAddon bool = false - -@description('Creates a Key Vault') -param createKV bool = false +@description('Creates a KeyVault') +param keyVaultCreate bool = false @description('If soft delete protection is enabled') -param KeyVaultSoftDelete bool = true +param keyVaultSoftDelete bool = true @description('If purge protection is enabled') -param KeyVaultPurgeProtection bool = true +param keyVaultPurgeProtection bool = true @description('Add IP to KV firewall allow-list') -param kvIPAllowlist array = [] +param keyVaultIPAllowlist array = [] -var akvRawName = 'kv-${replace(resourceName, '-', '')}${uniqueString(resourceGroup().id, resourceName)}' -var akvName = length(akvRawName) > 24 ? substring(akvRawName, 0, 24) : akvRawName - -var kvIPRules = [for kvIp in kvIPAllowlist: { - value: kvIp -}] - -resource kv 'Microsoft.KeyVault/vaults@2021-06-01-preview' = if (createKV) { - name: akvName - location: location - properties: { - tenantId: subscription().tenantId - sku: { - family: 'A' - name: 'standard' - } - // publicNetworkAccess: whether the vault will accept traffic from public internet. If set to 'disabled' all traffic except private endpoint traffic and that that originates from trusted services will be blocked. - publicNetworkAccess: privateLinks && empty(kvIPAllowlist) ? 'disabled' : 'enabled' +@description('Installs the AKS KV CSI provider') +param keyVaultAksCSI bool = false - networkAcls: privateLinks && !empty(kvIPAllowlist) ? 
{ - bypass: 'AzureServices' - defaultAction: 'Deny' - ipRules: kvIPRules - virtualNetworkRules: [] - } : {} +@description('Rotation poll interval for the AKS KV CSI provider') +param keyVaultAksCSIPollInterval string = '2m' - //enabledForTemplateDeployment: true - enableRbacAuthorization: true - enabledForDeployment: false - enabledForDiskEncryption: false - enabledForTemplateDeployment: false - enableSoftDelete: KeyVaultSoftDelete - enablePurgeProtection: KeyVaultPurgeProtection ? true : json('null') +module kv 'keyvault.bicep' = if(keyVaultCreate) { + name: 'keyvault' + params: { + resourceName: resourceName + keyVaultPurgeProtection: keyVaultPurgeProtection + keyVaultSoftDelete: keyVaultSoftDelete + keyVaultIPAllowlist: keyVaultIPAllowlist + location: location + privateLinks: privateLinks } } -var keyVaultSecretsUserRole = resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') -resource kvAppGwSecretsUserRole 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = if (createKV && appgwKVIntegration) { - scope: kv - name: guid(aks.id, 'AppGw', keyVaultSecretsUserRole) - properties: { - roleDefinitionId: keyVaultSecretsUserRole - principalType: 'ServicePrincipal' - principalId: deployAppGw ? appGwIdentity.properties.principalId : '' - } -} +@description('The principal ID of the user or service principal that requires access to the Key Vault. 
Set automatedDeployment to toggle between user and service prinicpal') +param keyVaultOfficerRolePrincipalId string = '' +var keyVaultOfficerRolePrincipalIds = [ + keyVaultOfficerRolePrincipalId +] -resource kvCSIdriverSecretsUserRole 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = if (createKV && azureKeyvaultSecretsProvider) { - scope: kv - name: guid(aks.id, 'CSIDriver', keyVaultSecretsUserRole) - properties: { - roleDefinitionId: keyVaultSecretsUserRole - principalType: 'ServicePrincipal' - principalId: aks.properties.addonProfiles.azureKeyvaultSecretsProvider.identity.objectId - } -} +@description('Parsing an array with union ensures that duplicates are removed, which is great when dealing with highly conditional elements') +var rbacSecretUserSps = union([deployAppGw && appgwKVIntegration ? appGwIdentity.properties.principalId : ''],[keyVaultAksCSI ? aks.properties.addonProfiles.azureKeyvaultSecretsProvider.identity.objectId : '']) -@description('The principal ID of the service principal that has access to the Key Vault') -param kvOfficerRolePrincipalId string = '' -var keyVaultSecretsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7') -resource kvUserSecretOfficerRole 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = if (createKV && !empty(kvOfficerRolePrincipalId)) { - scope: kv - name: guid(aks.id, 'usersecret', keyVaultSecretsOfficerRole) - properties: { - roleDefinitionId: keyVaultSecretsOfficerRole - principalType: automatedDeployment ? 
'ServicePrincipal' : 'User' - principalId: kvOfficerRolePrincipalId - } -} +@description('A seperate module is used for RBAC to avoid delaying the KeyVault creation and causing a circular reference.') +module kvRbac 'keyvaultrbac.bicep' = if (keyVaultCreate) { + name: 'KeyVaultRbac' + params: { + keyVaultName: kv.outputs.keyVaultName + //service principals + rbacSecretUserSps: rbacSecretUserSps + rbacSecretOfficerSps: !empty(keyVaultOfficerRolePrincipalId) && automatedDeployment ? keyVaultOfficerRolePrincipalIds : [] + rbacCertOfficerSps: !empty(keyVaultOfficerRolePrincipalId) && automatedDeployment ? keyVaultOfficerRolePrincipalIds : [] -var keyVaultCertsOfficerRole = resourceId('Microsoft.Authorization/roleDefinitions', 'a4417e6f-fecd-4de8-b567-7b0420556985') -resource kvUserCertsOfficerRole 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = if (createKV && !empty(kvOfficerRolePrincipalId)) { - scope: kv - name: guid(aks.id, 'usercert', keyVaultCertsOfficerRole) - properties: { - roleDefinitionId: keyVaultCertsOfficerRole - principalType: automatedDeployment ? 'ServicePrincipal' : 'User' - principalId: kvOfficerRolePrincipalId + //users + rbacSecretOfficerUsers: !empty(keyVaultOfficerRolePrincipalId) && !automatedDeployment ? keyVaultOfficerRolePrincipalIds : [] + rbacCertOfficerUsers: !empty(keyVaultOfficerRolePrincipalId) && !automatedDeployment ? keyVaultOfficerRolePrincipalIds : [] } } -output keyVaultName string = createKV ? kv.name : '' -output keyVaultId string = createKV ? kv.id : '' - -resource kvDiags 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (createLaw && createKV) { - name: 'kvDiags' - scope: kv - properties: { - workspaceId:aks_law.id - logs: [ - { - category: 'AuditEvent' - enabled: true - } - ] - metrics: [ - { - category: 'AllMetrics' - enabled: true - } - ] - } -} +output keyVaultName string = keyVaultCreate ? kv.outputs.keyVaultName : '' +output keyVaultId string = keyVaultCreate ? 
kv.outputs.keyVaultId : '' /* ___ ______ .______ @@ -797,6 +730,9 @@ param omsagent bool = false @description('Enable RBAC using AAD') param enableAzureRBAC bool = false +@description('Enables Open Service Mesh') +param openServiceMeshAddon bool = false + @allowed([ '' 'none' @@ -902,13 +838,13 @@ param DefenderForContainers bool = false param JustUseSystemPool bool = false @allowed([ - 'Cost-Optimised' + 'CostOptimised' 'Standard' 'HighSpec' 'Custom' ]) @description('The System Pool Preset sizing') -param SystemPoolType string = 'Cost-Optimised' +param SystemPoolType string = 'CostOptimised' @description('A custom system pool spec') param SystemPoolCustomPreset object = {} @@ -959,7 +895,7 @@ param oidcIssuer bool = false @description('System Pool presets are derived from the recommended system pool specs') var systemPoolPresets = { - 'Cost-Optimised' : { + CostOptimised : { vmSize: 'Standard_B4ms' count: 1 minCount: 1 @@ -967,7 +903,7 @@ var systemPoolPresets = { enableAutoScaling: true availabilityZones: [] } - 'Standard' : { + Standard : { vmSize: 'Standard_DS2_v2' count: 3 minCount: 3 @@ -979,7 +915,7 @@ var systemPoolPresets = { '3' ] } - 'HighSpec' : { + HighSpec : { vmSize: 'Standard_D4s_v3' count: 3 minCount: 3 @@ -1046,9 +982,9 @@ var aks_addons = union({ azureKeyvaultSecretsProvider: { config: { enableSecretRotation: 'true' - rotationPollInterval: kvPollInterval + rotationPollInterval: keyVaultAksCSIPollInterval } - enabled: azureKeyvaultSecretsProvider + enabled: keyVaultAksCSI } openServiceMesh: { enabled: openServiceMeshAddon @@ -1269,11 +1205,11 @@ param createAksMetricAlerts bool = true param AksMetricAlertMetricFrequencyModel string = 'Long' var AlertFrequencyLookup = { - 'Short': { + Short: { evalFrequency: 'PT1M' windowSize: 'PT5M' } - 'Long': { + Long: { evalFrequency: 'PT15M' windowSize: 'PT1H' } diff --git a/helper/src/components/addonsTab.js b/helper/src/components/addonsTab.js index 6f44016bf..ace8de59d 100644 
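Review bot: The new `module kv 'keyvault.bicep'` call does not pass `logAnalyticsWorkspaceId`, so the `kvDiags` AuditEvent diagnostic setting that the removed block created under `createLaw && createKV` with `workspaceId:aks_law.id` is no longer deployed, and Key Vault audit logging is dropped by the refactor. Assuming `createLaw` and `aks_law` still exist in main.bicep outside this hunk, adding `logAnalyticsWorkspaceId: createLaw ? aks_law.id : ''` to the module params restores it, since the module only creates `kvDiags` when the value is non-empty. Separately, the two new `@description` strings contain typos (`prinicpal`, `seperate`), and the `keyVaultOfficerRolePrincipalId` description would be clearer if it also stated that the principal receives both Secrets Officer and Certificates Officer on the vault.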
--- a/helper/src/components/addonsTab.js +++ b/helper/src/components/addonsTab.js @@ -330,7 +330,7 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) { updateFn("kvPollInterval", key)} selectedKey={addons.kvPollInterval} + onChange={(ev, { key }) => updateFn("keyVaultAksCSIPollInterval", key)} selectedKey={addons.keyVaultAksCSIPollInterval} options={[ { key: '2m', text: '2 minutes' }, { key: '5m', text: '5 minutes' }, diff --git a/helper/src/components/clusterTab.js b/helper/src/components/clusterTab.js index 6a69c2f40..857f7a888 100644 --- a/helper/src/components/clusterTab.js +++ b/helper/src/components/clusterTab.js @@ -85,7 +85,7 @@ export default function ({ tabValues, updateFn, featureFlag, invalidArray }) { selectedKey={cluster.SystemPoolType} options={[ { "data-testid":'cluster-systempool-none', key: 'none', text: 'No separate system pool: Use a single pool for System and User workloads' }, - { "data-testid":'cluster-systempool-Cost-Optimised', key: 'Cost-Optimised', text: 'Cost-Optimised: use low-cost Burstable VMs, with 1-3 node autoscale' }, + { "data-testid":'cluster-systempool-Cost-Optimised', key: 'CostOptimised', text: 'CostOptimised: use low-cost Burstable VMs, with 1-3 node autoscale' }, { "data-testid":'cluster-systempool-Standard', key: 'Standard', text: 'Standard: use standard 4-core VMs, with 2-3 node autoscale' } ]} onChange={(ev, { key }) => { sliderUpdateFn({SystemPoolType: key}) }} diff --git a/helper/src/components/deployTab.js b/helper/src/components/deployTab.js index 59a23239f..2d8c5f376 100644 --- a/helper/src/components/deployTab.js +++ b/helper/src/components/deployTab.js 
@@ -58,7 +58,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray, ...(net.afw && { azureFirewalls: true, ...(addons.certMan && {certManagerFW: true}), ...(net.vnet_opt === "custom" && defaults.net.vnetFirewallSubnetAddressPrefix !== net.vnetFirewallSubnetAddressPrefix && { vnetFirewallSubnetAddressPrefix: net.vnetFirewallSubnetAddressPrefix }) }), ...(net.vnet_opt === "custom" && net.vnetprivateend && { privateLinks: true, - ...(addons.csisecret === 'akvNew' && deploy.kvIPAllowlist && apiips_array.length > 0 && {kvIPAllowlist: apiips_array }), + ...(addons.csisecret === 'akvNew' && deploy.keyVaultIPAllowlist && apiips_array.length > 0 && {keyVaultIPAllowlist: apiips_array }), ...(defaults.net.privateLinkSubnetAddressPrefix !== net.privateLinkSubnetAddressPrefix && {privateLinkSubnetAddressPrefix: net.privateLinkSubnetAddressPrefix}), }), ...(addons.monitor === "aci" && { omsagent: true, retentionInDays: addons.retentionInDays, ...( addons.createAksMetricAlerts !== defaults.addons.createAksMetricAlerts && {createAksMetricAlerts: addons.createAksMetricAlerts }) }), 
@@ -83,9 +83,9 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray, ...(addons.appgwKVIntegration && addons.csisecret === 'akvNew' && { appgwKVIntegration: true }) }) }), - ...(addons.csisecret !== "none" && { azureKeyvaultSecretsProvider: true }), - ...(addons.csisecret === 'akvNew' && { createKV: true, ...(deploy.kvCertSecretRole && { kvOfficerRolePrincipalId: "$(az ad signed-in-user show --query id --out tsv)"}) }), - ...(addons.csisecret !== "none" && addons.kvPollInterval !== defaults.addons.kvPollInterval && { kvPollInterval: addons.kvPollInterval }), + ...(addons.csisecret !== "none" && { keyVaultAksCSI: true }), + ...(addons.csisecret === 'akvNew' && { keyVaultCreate: true, ...(deploy.kvCertSecretRole && { keyVaultOfficerRolePrincipalId: "$(az ad signed-in-user show --query id --out tsv)"}) }), + ...(addons.csisecret !== "none" && addons.keyVaultAksCSIPollInterval !== defaults.addons.keyVaultAksCSIPollInterval && { keyVaultAksCSIPollInterval: addons.keyVaultAksCSIPollInterval }), ...(addons.fluxGitOpsAddon !== defaults.addons.fluxGitOpsAddon && { fluxGitOpsAddon: addons.fluxGitOpsAddon}) } @@ -149,7 +149,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray, const params2TfVar = p => Object.keys(p).filter(p => p !== 'adminPrincipalId' && p !== 'acrPushRolePrincipalId' && - p !== 'kvOfficerRolePrincipalId').map(k => { + p !== 'keyVaultOfficerRolePrincipalId').map(k => { const val = p[k] 
@@ -170,7 +170,7 @@ export default function DeployTab({ defaults, updateFn, tabValues, invalidArray, const params2file = p => Object.keys(p).filter(p => p !== 'adminPrincipalId' && p !== 'acrPushRolePrincipalId' && - p !== 'kvOfficerRolePrincipalId').reduce((a, c) => { return { ...a, parameters: { ...a.parameters, [c]: { value: p[c] } } } }, { + p !== 'keyVaultOfficerRolePrincipalId').reduce((a, c) => { return { ...a, parameters: { ...a.parameters, [c]: { value: p[c] } } } }, { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": {} @@ -338,9 +338,9 @@ az role assignment create --role "Managed Identity Operator" --assignee-principa updateFn("kvCertSecretRole", v)} label="Assign deployment user Certificate and Secret Officer" /> - updateFn("kvIPAllowlist", v)} label="Add current IP to KeyVault firewall (applicable to private link)" /> + updateFn("keyVaultIPAllowlist", v)} label="Add current IP to KeyVault firewall (applicable to private link)" /> - { deploy.kvIPAllowlist && net.vnetprivateend && "Add current IP to KeyVault firewall" will enable KeyVaults PublicNetworkAccess property } + { deploy.keyVaultIPAllowlist && net.vnetprivateend && "Add current IP to KeyVault firewall" will enable KeyVaults PublicNetworkAccess property } diff --git a/helper/src/config.json b/helper/src/config.json index acc516f1a..c6934c2b2 100644 --- a/helper/src/config.json +++ b/helper/src/config.json @@ -15,7 +15,7 @@ "disablePreviews": false, "acrPushRole": true, "kvCertSecretRole": true, - "kvIPAllowlist": false, + "keyVaultIPAllowlist": false, "clusterAdminRole": true, "clusterIPWhitelist" : true, "templateVersions": [{ @@ -33,7 +33,7 @@ "privateDNSZone": "none", "autoscale": true, "upgradeChannel": "none", - "SystemPoolType": "Cost-Optimised", + "SystemPoolType": "CostOptimised", "agentCount": 3, "maxCount": 20, "vmSize": "Standard_DS3_v2", 
@@ -79,7 +79,7 @@ "retentionInDays": 30, "createAksMetricAlerts": true, "csisecret": "none", - "kvPollInterval": "2m", + "keyVaultAksCSIPollInterval": "2m", "kvId": "", "gitops": "none" }, diff --git a/helper/src/configpresets/principals.json b/helper/src/configpresets/principals.json index d4042b873..67135d9fb 100644 --- a/helper/src/configpresets/principals.json +++ b/helper/src/configpresets/principals.json @@ -58,7 +58,7 @@ "icon": "DeveloperTools", "values": { "cluster": { - "SystemPoolType": "Cost-Optimised", + "SystemPoolType": "CostOptimised", "autoscale": false, "upgradeChannel": "none" }, @@ -100,7 +100,7 @@ "icon": "Touch", "values": { "cluster": { - "SystemPoolType": "Cost-Optimised", + "SystemPoolType": "CostOptimised", "autoscale": true, "upgradeChannel": "stable" }, @@ -148,7 +148,7 @@ "icon": "Unlock", "values": { "deploy": { - "kvIPAllowlist": false + "keyVaultIPAllowlist": false }, "cluster": { "enable_aad": false, @@ -220,7 +220,7 @@ "icon": "Lock12", "values": { "deploy": { - "kvIPAllowlist": false + "keyVaultIPAllowlist": false }, "cluster": { "enable_aad": true, @@ -324,7 +324,7 @@ "icon": "ProtectionCenterLogo32", "values": { "deploy": { - "kvIPAllowlist": true + "keyVaultIPAllowlist": true }, "cluster": { "enable_aad": true, diff --git a/samples/flux/aks-baseline-config.bicep b/samples/flux/aks-baseline-config.bicep index d535de4b2..a9c3e83bf 100644 --- a/samples/flux/aks-baseline-config.bicep +++ b/samples/flux/aks-baseline-config.bicep @@ -32,7 +32,7 @@ module aksconst '../../bicep/main.bicep' = { retentionInDays: 30 agentCount: 1 JustUseSystemPool: false - SystemPoolType: 'Cost-Optimised' + SystemPoolType: 'CostOptimised' createEventGrid: true } } diff --git a/samples/flux/azure-docs-config.bicep b/samples/flux/azure-docs-config.bicep index e97319521..c6689f5f0 100644 --- a/samples/flux/azure-docs-config.bicep +++ b/samples/flux/azure-docs-config.bicep 
@@ -34,7 +34,7 @@ module aksconst '../../bicep/main.bicep' = { retentionInDays: 30 agentCount: 1 JustUseSystemPool: false - SystemPoolType: 'Cost-Optimised' + SystemPoolType: 'CostOptimised' createEventGrid: true } } diff --git a/samples/peered-vnet/main.bicep b/samples/peered-vnet/main.bicep index 8aa8f1af5..a41799e76 100644 --- a/samples/peered-vnet/main.bicep +++ b/samples/peered-vnet/main.bicep @@ -115,7 +115,7 @@ module gridAks '../../bicep/main.bicep' = { agentCountMax:3 adminPrincipalId: adminPrincipalId JustUseSystemPool: false - SystemPoolType: 'Cost-Optimised' + SystemPoolType: 'CostOptimised' byoAKSSubnetId: gridVnet.outputs.aksSubnetId AutoscaleProfile: aggressiveAutoScaler //agentVMTaints: [for pool in extraAksNodePools: '${nodeTaintKey}=${pool}:NoExecute'] diff --git a/samples/windows/main.bicep b/samples/windows/main.bicep index bc938d4af..9308d3df8 100644 --- a/samples/windows/main.bicep +++ b/samples/windows/main.bicep @@ -38,7 +38,7 @@ module aks '../../bicep/main.bicep' = { agentCount:1 agentCountMax:3 JustUseSystemPool: true - SystemPoolType: 'Cost-Optimised' + SystemPoolType: 'CostOptimised' byoAKSSubnetId: vnet.properties.subnets[0].id } } From b68ad053cf430dabefb1a60eb3929799893aaee6 Mon Sep 17 00:00:00 2001 From: Gordon Byers Date: Wed, 13 Jul 2022 11:21:53 +0000 Subject: [PATCH 2/4] param typo --- .github/workflows_dep/AksDeploy-ByoVnet.parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json b/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json index 615f8ee3c..536a82208 100644 --- a/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json +++ b/.github/workflows_dep/AksDeploy-ByoVnet.parameters.json @@ -65,7 +65,7 @@ "SystemPoolType" : { "value" : "Standard" }, - "creatkeyVaultCreateeKV" : { + "keyVaultCreate" : { "value" : true }, "keyVaultAksCSI" : { From dd6e8b0f2fe57328d34beb303571e6673c7508b6 Mon Sep 17 00:00:00 2001 
From: Gordon Byers Date: Mon, 18 Jul 2022 13:36:38 +0000 Subject: [PATCH 3/4] Adding nodeResourceGroup output --- bicep/main.bicep | 2 ++ 1 file changed, 2 insertions(+) diff --git a/bicep/main.bicep b/bicep/main.bicep index 770cbd4a9..6e9301e09 100644 --- a/bicep/main.bicep +++ b/bicep/main.bicep @@ -1093,6 +1093,8 @@ resource aks 'Microsoft.ContainerService/managedClusters@2022-05-02-preview' = { } output aksClusterName string = aks.name output aksOidcIssuerUrl string = oidcIssuer ? aks.properties.oidcIssuerProfile.issuerURL : '' +output aksNodeResourceGroup string = aks.properties.nodeResourceGroup +//output aksNodePools array = [for nodepool in agentPoolProfiles: name] var policySetBaseline = '/providers/Microsoft.Authorization/policySetDefinitions/a8640138-9b0a-4a28-b8cb-1666c838647d' var policySetRestrictive = '/providers/Microsoft.Authorization/policySetDefinitions/42b8ef37-b724-4e24-bbc8-7a7708edfe00' From 7fdf0b85cbfea3328283335423f28afab7a29a06 Mon Sep 17 00:00:00 2001 From: Gordonby Date: Tue, 19 Jul 2022 15:53:55 +0100 Subject: [PATCH 4/4] cspell typos Signed-off-by: Gordonby --- docs/ReleasingWizard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/ReleasingWizard.md b/docs/ReleasingWizard.md index 4ddb4a559..4783f8932 100644 --- a/docs/ReleasingWizard.md +++ b/docs/ReleasingWizard.md 
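Review bot: The commented-out `//output aksNodePools array = [for nodepool in agentPoolProfiles: name]` is dead code in a committed template and, as written, presumably would not compile even if uncommented, since the loop variable is `nodepool` while the body references `name`; it should be dropped or replaced with a `// TODO: expose the agent pool names as an output` line. `output aksNodeResourceGroup string = aks.properties.nodeResourceGroup` is fine, and a `@description('Name of the resource group AKS creates for the cluster nodes')` on it would help callers that consume the output.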
@@ -2,12 +2,12 @@ ## Creating a release -Usually a release of the Web UI will be accompanied by changes to the bicep code. In which case a new symantic release tag needs to be chosen (0.8.2 or 0.8.5 etc). +Usually a release of the Web UI will be accompanied by changes to the bicep code. In which case a new symantec release tag needs to be chosen (0.8.2 or 0.8.5 etc). There is a [GitHub action workflow](https://github.com/Azure/AKS-Construction/actions/workflows/release.yml) which is initiated manually but automates the release, all that needs to be provided is the new release tag. ## Releasing just the Web UI -Occassionally there will be UI improvements that we want to release that do not have any dependencies in a new release. +Occasionally there will be UI improvements that we want to release that do not have any dependencies in a new release. For these scenarios, we use the same [GitHub action workflow](https://github.com/Azure/AKS-Construction/actions/workflows/release.yml) but choose not to create a new release. Instead, just repeating the release tag that is current. ## Rolling back the release @@ -15,7 +15,7 @@ For these scenarios, we use the same [GitHub action workflow](https://github.com When the release workflow runs, it stores assets of the UI and bicep code in zip files. If we need to rollback a *bad release* then process is as follows -1. In the [GitHub action workflow](https://github.com/Azure/AKS-Construction/actions/workflows/release.yml) history, locate the release you want to rollback to. +1. In the [GitHub action workflow](https://github.com/Azure/AKS-Construction/actions/workflows/release.yml) history, locate the release you want to rollback to. 2. Download the artifact zip for the `WizardApp` 3. In you local git environment checkout the `gh-pages` branch 4. Extract the contents of the artifact zip over the top of branch