From 450ddd090cb9a044eb67c040d8506bf77f1927f4 Mon Sep 17 00:00:00 2001
From: "Jonathan Gardner (MSFT)"
Date: Thu, 7 Mar 2024 09:10:49 -0800
Subject: [PATCH 01/12] Move location to parameter

---
 .../Bicep/06-AKS-cluster/modules/policy/policy.bicep | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/policy/policy.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/policy/policy.bicep
index 927aca36..9eea4d1f 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/policy/policy.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/policy/policy.bicep
@@ -1,6 +1,8 @@
+param location string = resourceGroup().location
+
 resource DefAKSAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = if (environment().name == 'AzureCloud') {
 name: 'EnableDefenderForAKS'
- location: resourceGroup().location
+ location: location
 properties: {
 policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5'
 }
From bbff10622cec8854670604487ae775ef7e21199f Mon Sep 17 00:00:00 2001
From: "Jonathan Gardner (MSFT)"
Date: Thu, 7 Mar 2024 11:57:14 -0800
Subject: [PATCH 02/12] Move policySetDefitionId to parameter.

---
 .../Bicep/06-AKS-cluster/modules/policy/policy.bicep | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/policy/policy.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/policy/policy.bicep
index 9eea4d1f..565add22 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/policy/policy.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/policy/policy.bicep
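Review bot: The new `param location string = resourceGroup().location` has no `@description`, and on a policy assignment `location` is only required for, and only affects, the managed identity (the `SystemAssigned` identity declared further down this file), which a caller passing a region from main.bicep will not guess. Suggest `@description('Region for the policy assignment and its system-assigned identity; defaults to the resource group location.')` directly above the param. The `DefAKSAssignment` resource continues past the end of the hunk.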
@@ -1,10 +1,11 @@
 param location string = resourceGroup().location
+param policySetDefinitionId string = '/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5'
 
 resource DefAKSAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = if (environment().name == 'AzureCloud') {
 name: 'EnableDefenderForAKS'
 location: location
 properties: {
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5'
+ policyDefinitionId: policySetDefinitionId
 }
 identity: {
 type: 'SystemAssigned'
From 706f8258104783bb68eee7b72bd2947de1cf08e9 Mon Sep 17 00:00:00 2001
From: "Jonathan Gardner (MSFT)"
Date: Thu, 7 Mar 2024 15:02:03 -0800
Subject: [PATCH 03/12] Remove unused location parameter

---
 .../06-AKS-cluster/modules/Identity/pvtdnscontribrole.bicep | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/Identity/pvtdnscontribrole.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/Identity/pvtdnscontribrole.bicep
index ed9ff7fb..bd781cc5 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/Identity/pvtdnscontribrole.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/Identity/pvtdnscontribrole.bicep
@@ -1,6 +1,5 @@
 param principalId string
 param roleGuid string
-param location string = resourceGroup().location
 param pvtdnsAKSZoneName string
 
 resource pvtdnsAKSZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
From fbedd1cca12c90a147bd5f664f7b675d6e4b2abb Mon Sep 17 00:00:00 2001
From: "Jonathan Gardner (MSFT)"
Date: Thu, 7 Mar 2024 15:50:45 -0800
Subject: [PATCH 04/12] Add secure string to password parameter

---
 .../Bicep/03-Network-Hub/deploy-vm.bicep | 1 +
 1 file changed, 1 insertion(+)
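Review bot: `policySetDefinitionId` is a misleading name: its default is a `/providers/Microsoft.Authorization/policyDefinitions/...` path and it is assigned to the `policyDefinitionId` property, so it holds a single policy definition, not a policy set (initiative). Rename it to `param policyDefinitionId string = '/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5'` with `@description('Resource ID of the policy definition assigned as EnableDefenderForAKS.')` above it. The assignment `name: 'EnableDefenderForAKS'` stays fixed, so a caller supplying a different definition ID would produce an assignment whose name no longer describes its content; if the ID is meant to be overridable, the name probably needs to become a parameter too. The `policySetDefitionId` typo in the commit title would disappear with the rename.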
diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/deploy-vm.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/deploy-vm.bicep
index 81edf19c..74aea56d 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/deploy-vm.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/deploy-vm.bicep
@@ -8,6 +8,7 @@ param pubkeydata string
 param vmSize string
 param location string = deployment().location
 param adminUsername string
+@secure()
 param adminPassword string
 
 resource subnetVM 'Microsoft.Network/virtualNetworks/subnets@2020-11-01' existing = {
From a43179b5e16a270e3c538bcb5156ba104dfbf796 Mon Sep 17 00:00:00 2001
From: "Jonathan Gardner (MSFT)"
Date: Thu, 7 Mar 2024 16:19:27 -0800
Subject: [PATCH 05/12] Remove location from module call

---
 .../Bicep/06-AKS-cluster/main.bicep | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/main.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/main.bicep
index 755fd693..148e1351 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/main.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/main.bicep
@@ -70,7 +70,9 @@ resource pvtdnsAKSZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing =
 module aksPolicy 'modules/policy/policy.bicep' = {
 scope: resourceGroup(rg.name)
 name: 'aksPolicy'
- params: {}
+ params: {
+ location: location
+ }
 }
 
 module akslaworkspace 'modules/laworkspace/la.bicep' = {
@@ -157,7 +159,6 @@ module aksPvtDNSContrib 'modules/Identity/pvtdnscontribrole.bicep' = {
 scope: resourceGroup(rg.name)
 name: 'aksPvtDNSContrib'
 params: {
- location: location
 principalId: aksIdentity.properties.principalId
 roleGuid: 'b12aa53e-6015-4669-85d0-8515ebb3ae7f' //Private DNS Zone Contributor
 pvtdnsAKSZoneName: privateDNSZoneAKSName
From 17641566238ec1db94e82f8370067845efb0cd9d Mon Sep 17 00:00:00 2001
From: "Jonathan Gardner (MSFT)"
Date: Thu, 7 Mar 2024 16:40:01 -0800
Subject: [PATCH 06/12] Add secure string to password parameter

---
 .../Bicep/03-Network-Hub/deploy-vm.bicep | 1 +
 .../Bicep/03-Network-Hub/modules/VM/virtualmachine.bicep | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/deploy-vm.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/deploy-vm.bicep
index 74aea56d..a9fca12a 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/deploy-vm.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/deploy-vm.bicep
@@ -7,6 +7,7 @@ param vnetName string
 param pubkeydata string
 param vmSize string
 param location string = deployment().location
+@secure()
 param adminUsername string
 @secure()
 param adminPassword string
diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/VM/virtualmachine.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/VM/virtualmachine.bicep
index ec8b78a7..d477663e 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/VM/virtualmachine.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/VM/virtualmachine.bicep
@@ -2,7 +2,9 @@ param subnetId string
 param publicKey string
 param vmSize string
 param location string = resourceGroup().location
+@secure()
 param adminUsername string
+@secure()
 param adminPassword string
 
 //param script64 string
From 10fc72636148527b0f359fff9895cf7fbae2662a Mon Sep 17 00:00:00 2001
From: "Jonathan Gardner (MSFT)"
Date: Fri, 8 Mar 2024 08:43:54 -0800
Subject: [PATCH 07/12] Change deployment location to westus2

---
 .github/workflows/1-deploy-infrastructure.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
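Review bot: Both files now take a secure `adminPassword` next to an SSH key parameter (`pubkeydata` / `publicKey`), so unless the VM's osProfile, which lies outside these hunks, turns password logins off when a key is supplied, the password stays a second interactive login path; if this is a Linux VM that is `disablePasswordAuthentication: true` under `linuxConfiguration`, worth confirming on the resource body. Marking `adminUsername` with `@secure()` also removes it from deployment history and outputs, which is fine as long as nothing else in the module (outputs, names, tags) reads it. Neither secure parameter has a `@description`; suggest `@description('Local administrator account name for the VM.')` and `@description('Local administrator password for the VM.')` in deploy-vm.bicep and modules/VM/virtualmachine.bicep alike.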
diff --git a/.github/workflows/1-deploy-infrastructure.yml b/.github/workflows/1-deploy-infrastructure.yml
index ddf29abe..f6447b03 100644
--- a/.github/workflows/1-deploy-infrastructure.yml
+++ b/.github/workflows/1-deploy-infrastructure.yml
@@ -13,7 +13,7 @@ on:
 
 env:
 BICEP_ROOT_PATH: Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/
- DEPLOYMENT_LOCATION: eastus
+ DEPLOYMENT_LOCATION: westus2
 HUB_RESOURCE_GROUP: ESLZ-HUB
 SPOKE_RESOURCE_GROUP: ESLZ-SPOKE
 MANAGED_RESOURCE_GROUP: eslzakscluster-aksInfraRG
From 1396065c48c0e1213b05b21fa5af3b90c05f170c Mon Sep 17 00:00:00 2001
From: "Jonathan Gardner (MSFT)"
Date: Fri, 8 Mar 2024 09:55:04 -0800
Subject: [PATCH 08/12] Update managedCluster apiversion

---
 .../Bicep/06-AKS-cluster/modules/aks/privateaks.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/aks/privateaks.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/aks/privateaks.bicep
index 0a4b8aad..83643e6d 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/aks/privateaks.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/aks/privateaks.bicep
@@ -18,7 +18,7 @@ param autoScalingProfile object
 param networkPlugin string = 'azure'
 //param appGatewayIdentityResourceId string
 
-resource aksCluster 'Microsoft.ContainerService/managedClusters@2022-03-02-preview' = {
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-01-02-preview' = {
 name: clusterName
 location: location
 identity: {
From a896951e2f1c2872a0316a6bc3201aacd68742e8 Mon Sep 17 00:00:00 2001
From: "Jonathan Gardner (MSFT)"
Date: Fri, 8 Mar 2024 15:16:59 -0800
Subject: [PATCH 09/12] Move managedCluster api to non-preview version

---
 .../Bicep/06-AKS-cluster/modules/aks/privateaks.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/aks/privateaks.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/aks/privateaks.bicep
index 83643e6d..4dccf739 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/aks/privateaks.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/aks/privateaks.bicep
@@ -18,7 +18,7 @@ param autoScalingProfile object
 param networkPlugin string = 'azure'
 //param appGatewayIdentityResourceId string
 
-resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-01-02-preview' = {
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = {
 name: clusterName
 location: location
 identity: {
From 0526cf2e723f38c4ab233263cc03f3e9d248a64d Mon Sep 17 00:00:00 2001
From: "Jonathan Gardner (MSFT)"
Date: Fri, 8 Mar 2024 15:30:05 -0800
Subject: [PATCH 10/12] Move telemetry to module

---
 .../Bicep/03-Network-Hub/main.bicep | 34 ++++++++++++-------
 .../modules/telemetry/telemetry.bicep | 19 +++++++++++
 .../Bicep/06-AKS-cluster/main.bicep | 34 ++++++++++++-------
 .../modules/telemetry/telemetry.bicep | 21 ++++++++++++
 4 files changed, 82 insertions(+), 26 deletions(-)
 create mode 100644 Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/telemetry/telemetry.bicep
 create mode 100644 Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/telemetry/telemetry.bicep

diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/main.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/main.bicep
index 71f513e2..e815ddc1 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/main.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/main.bicep
@@ -173,18 +173,26 @@ module routetableroutes 'modules/vnet/routetableroutes.bicep' = {
 }
 
 // Telemetry Deployment
-@description('Enable usage and telemetry feedback to Microsoft.')
-param enableTelemetry bool = true
-var telemetryId = '0d807b2d-f7c3-4710-9a65-e88257df1ea0-${location}'
-resource telemetrydeployment 'Microsoft.Resources/deployments@2021-04-01' = if (enableTelemetry) {
- name: telemetryId
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
- contentVersion: '1.0.0.0'
- resources: {}
- }
+module telemetry 'modules/telemetry/telemetry.bicep' = {
+ name: 'telemetry'
+ params: {
+ location: location
+ enableTelemetry: true
 }
 }
+
+// @description('Enable usage and telemetry feedback to Microsoft.')
+// param enableTelemetry bool = true
+// var telemetryId = '0d807b2d-f7c3-4710-9a65-e88257df1ea0-${location}'
+// resource telemetrydeployment 'Microsoft.Resources/deployments@2021-04-01' = if (enableTelemetry) {
+// name: telemetryId
+// location: location
+// properties: {
+// mode: 'Incremental'
+// template: {
+// '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
+// contentVersion: '1.0.0.0'
+// resources: {}
+// }
+// }
+// }
diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/telemetry/telemetry.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/telemetry/telemetry.bicep
new file mode 100644
index 00000000..1cbb7320
--- /dev/null
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/telemetry/telemetry.bicep
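Review bot: Replacing `param enableTelemetry bool = true` with a hard-coded `enableTelemetry: true` in the module call removes the opt-out the deleted parameter gave deployers, and the 06-AKS-cluster/main.bicep hunk of this commit does the same. Keep a top-level `@description('Enable usage and telemetry feedback to Microsoft.')` / `param enableTelemetry bool = true` and pass `enableTelemetry: enableTelemetry`; otherwise any parameter file or pipeline that still sets `enableTelemetry` would presumably now fail with an unknown-parameter error. The fifteen `// ...` lines that re-add the old resource as a comment are dead code that version control already preserves and should be dropped rather than committed. The `module routetableroutes` block named in the hunk header starts before the hunk.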
@@ -0,0 +1,19 @@
+@description('Enable usage and telemetry feedback to Microsoft.')
+
+param enableTelemetry bool = true
+param location string = deployment().location
+
+var telemetryId = '0d807b2d-f7c3-4710-9a65-e88257df1ea0-${location}'
+
+resource telemetrydeployment 'Microsoft.Resources/deployments@2021-04-01' = if (enableTelemetry) {
+ name: telemetryId
+ location: location
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
+ contentVersion: '1.0.0.0'
+ resources: {}
+ }
+ }
+}
diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/main.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/main.bicep
index 148e1351..7a1c4188 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/main.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/main.bicep
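Review bot: The nested template's `'$schema'` points at `deploymentParameters.json#`, which is the schema for a parameters file, while this object is a deployment template; the matching value is `https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#`. The removed inline resource used the same string, so this is presumably not a deployment blocker, but it is wrong on its face and the new 06-AKS-cluster/modules/telemetry/telemetry.bicep in this commit carries it too. The file also has no header explaining itself; a two-line comment stating that it deploys an empty nested deployment (`resources: {}`) whose name embeds the tracking GUID and the region, and that `enableTelemetry: false` skips it entirely, would let a reader see at a glance that nothing else is created. Finally, keep `@description(...)` directly above `param enableTelemetry` rather than separated from it by a blank line.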
@@ -244,18 +244,26 @@ module appgwroutetableroutes 'modules/vnet/routetableroutes.bicep' = [for i in r
 }]
 
 // Telemetry Deployment
-@description('Enable usage and telemetry feedback to Microsoft.')
-param enableTelemetry bool = true
-var telemetryId = 'a4c036ff-1c94-4378-862a-8e090a88da82-${location}'
-resource telemetrydeployment 'Microsoft.Resources/deployments@2021-04-01' = if (enableTelemetry) {
- name: telemetryId
- location: location
- properties: {
- mode: 'Incremental'
- template: {
- '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
- contentVersion: '1.0.0.0'
- resources: {}
- }
+module telemetry 'modules/telemetry/telemetry.bicep' = {
+ name: 'telemetry'
+ params: {
+ enableTelemetry: true
+ location: location
 }
 }
+
+// @description('Enable usage and telemetry feedback to Microsoft.')
+// param enableTelemetry bool = true
+// var telemetryId = 'a4c036ff-1c94-4378-862a-8e090a88da82-${location}'
+// resource telemetrydeployment 'Microsoft.Resources/deployments@2021-04-01' = if (enableTelemetry) {
+// name: telemetryId
+// location: location
+// properties: {
+// mode: 'Incremental'
+// template: {
+// '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
+// contentVersion: '1.0.0.0'
+// resources: {}
+// }
+// }
+// }
diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/telemetry/telemetry.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/telemetry/telemetry.bicep
new file mode 100644
index 00000000..e38b65b2
--- /dev/null
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/telemetry/telemetry.bicep
@@ -0,0 +1,21 @@
+// Telemetry Deployment
+@description('Enable usage and telemetry feedback to Microsoft.')
+
+param enableTelemetry bool = true
+param location string = deployment().location
+
+var telemetryId = 'a4c036ff-1c94-4378-862a-8e090a88da82-${location}'
+
+resource telemetrydeployment 'Microsoft.Resources/deployments@2021-04-01' = if (enableTelemetry) {
+ name: telemetryId
+ location: location
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
+ contentVersion: '1.0.0.0'
+ resources: {}
+ }
+ }
+}
+
From 3b14e34fccee047e0ea0585a2092f868dee0c7cd Mon Sep 17 00:00:00 2001
From: "Jonathan Gardner (MSFT)"
Date: Fri, 8 Mar 2024 16:56:26 -0800
Subject: [PATCH 11/12] Update the module scope

---
 .../Bicep/03-Network-Hub/modules/telemetry/telemetry.bicep | 4 +++-
 .../Bicep/06-AKS-cluster/modules/telemetry/telemetry.bicep | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/telemetry/telemetry.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/telemetry/telemetry.bicep
index 1cbb7320..9400a507 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/telemetry/telemetry.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/03-Network-Hub/modules/telemetry/telemetry.bicep
@@ -1,7 +1,9 @@
+targetScope = 'subscription'
+
 @description('Enable usage and telemetry feedback to Microsoft.')
 
 param enableTelemetry bool = true
-param location string = deployment().location
+param location string
 
 var telemetryId = '0d807b2d-f7c3-4710-9a65-e88257df1ea0-${location}'
 
diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/telemetry/telemetry.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/telemetry/telemetry.bicep
index e38b65b2..366b2304 100644
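Review bot: `targetScope = 'subscription'` pins this module to subscription-level deployments, and the `module telemetry` calls added in the previous commit pass no `scope:`, so correctness now rests on both main.bicep files themselves being subscription-scoped; that is worth confirming, since a resource-group-scoped caller would presumably fail at compile time. Dropping the default on `param location string` forces every caller to pass it explicitly, which the two main.bicep calls already do, but the parameter should still say what it feeds: `@description('Region of the telemetry marker deployment; pass the parent deployment location.')`. The 06-AKS-cluster telemetry.bicep hunk of this commit has the same two points.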
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/telemetry/telemetry.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/telemetry/telemetry.bicep
@@ -1,8 +1,10 @@
+targetScope = 'subscription'
+
 // Telemetry Deployment
 @description('Enable usage and telemetry feedback to Microsoft.')
 
 param enableTelemetry bool = true
-param location string = deployment().location
+param location string
 
 var telemetryId = 'a4c036ff-1c94-4378-862a-8e090a88da82-${location}'
 
From 30f7539bdd450c64add44c612e7e3d6954646d79 Mon Sep 17 00:00:00 2001
From: "Jonathan Gardner (MSFT)"
Date: Fri, 8 Mar 2024 17:37:48 -0800
Subject: [PATCH 12/12] Reverting to closer API

---
 .../Bicep/06-AKS-cluster/modules/aks/privateaks.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/aks/privateaks.bicep b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/aks/privateaks.bicep
index 4dccf739..42c1c205 100644
--- a/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/aks/privateaks.bicep
+++ b/Scenarios/AKS-Secure-Baseline-PrivateCluster/Bicep/06-AKS-cluster/modules/aks/privateaks.bicep
@@ -18,7 +18,7 @@ param autoScalingProfile object
 param networkPlugin string = 'azure'
 //param appGatewayIdentityResourceId string
 
-resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = {
+resource aksCluster 'Microsoft.ContainerService/managedClusters@2022-04-01' = {
 name: clusterName
 location: location
 identity: {
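Review bot: `managedClusters@2022-04-01` is the fourth API version `aksCluster` has carried in this series (2022-03-02-preview, 2024-01-02-preview, 2024-01-01, now 2022-04-01) and the commit message does not record why 2024-01-01 was abandoned, so the next maintainer will repeat the experiment. Capture the reason in a comment above the resource, e.g. `// API version pinned to 2022-04-01: <reason 2024-01-01 was reverted — TODO fill in>`. Pinning to a 2022 GA version also means Bicep will warn on, and ARM may reject, any property in the resource body below the hunk that only exists in newer versions, which is worth checking when the reason is written down. The `aksCluster` resource continues past the end of the hunk.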