From 418f4620e0e34e892dff8bd29549eef1482fe688 Mon Sep 17 00:00:00 2001
From: brwilkinson
Date: Sat, 18 May 2024 12:30:37 -0700
Subject: [PATCH] update vnet output add some bicepparam

---
 .../aks}/ACU1.D1.parameters.json | 1440 +++++------
 .../aks}/AEU1.D2.parameters.json | 2154 ++++++++---------
 ADF/bicep/01-ALL-RG.bicep | 140 +-
 ADF/bicep/SA-Storage.bicep | 1 +
 ADF/bicep/VNET.bicep | 5 +-
 ADF/bicep/bicepconfig.json | 11 +-
 ADF/bicep/x.RBAC-ALL-RA-Resource.bicep | 1 +
 ADF/release-az/ADOHelper.psm1 | 13 +-
 ADF/tenants/AKS/ACU1.D1.ado-pipelines-All.yml | 2 +-
 ADF/tenants/AKS/ACU1.D1.bicepparam | 593 +++++
 ADF/tenants/AKS/AEU1.D2.bicepparam | 923 +++++++
 ADF/tenants/AKS/deploy.ps1 | 3 +-
 12 files changed, 3407 insertions(+), 1879 deletions(-)
 rename ADF/{tenants/AKS => 0-archive/aks}/ACU1.D1.parameters.json (95%)
 rename ADF/{tenants/AKS => 0-archive/aks}/AEU1.D2.parameters.json (96%)
 create mode 100644 ADF/tenants/AKS/ACU1.D1.bicepparam
 create mode 100644 ADF/tenants/AKS/AEU1.D2.bicepparam

diff --git a/ADF/tenants/AKS/ACU1.D1.parameters.json b/ADF/0-archive/aks/ACU1.D1.parameters.json
similarity index 95%
rename from ADF/tenants/AKS/ACU1.D1.parameters.json
rename to ADF/0-archive/aks/ACU1.D1.parameters.json
index 6c184964..2cd94abd 100644
--- a/ADF/tenants/AKS/ACU1.D1.parameters.json
+++ b/ADF/0-archive/aks/ACU1.D1.parameters.json
@@ -1,721 +1,721 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { // AKS - "Prefix": { - "value": "ACU1" - }, - "Environment": { - "value": "D" - }, - "DeploymentID": { - "value": "1" - }, - "Stage": { - "value": { - "RG": 1, - "RBAC": 1, - "PIM": 0, - "UAI": 1, - "SP": 1, - "KV": 0, - "OMS": 1, - "OMSSolutions": 1, - "OMSDataSources": 1, - "OMSUpdateWeekly": 0, - "OMSUpdateMonthly": 0, - "OMSUpates": 1, - "SA": 1, - "CDN": 0, - "StorageSync": 0, - "RSV": 0, - "NSG": 1, - "NetworkWatcher": 0, - "FlowLogs": 1, - "VNet": 1, - "VNetDDOS": 0, - "VNetPeering": 1, - "DNSPublicZone": 0, - "DNSPrivateZone": 0, - "LinkPrivateDns": 0, - "PrivateLink": 1, - "BastionHost": 0, - "CloudShellRelay": 0, - "RT": 0, - "FW": 0, - "VNGW": 0, - "NATGW": 1, - "ERGW": 0, - "LB": 0, - "TM": 0, - "WAFPOLICY": 1, - "WAF": 0, // - "FRONTDOORPOLICY": 0, - "FRONTDOOR": 0, - "SetExternalDNS": 0, - "SetInternalDNS": 0, - "APPCONFIG": 0, - "REDIS": 0, - "APIM": 0, - "ACR": 0, - "SQLMI": 0, - "CosmosDB": 0, - "DASHBOARD": 0, - "ServerFarm": 0, - "WebSite": 0, - "WebSiteContainer": 0, - "ManagedEnv": 0, - "ContainerApp": 0, - "MySQLDB": 0, - "Function": 0, - "SB": 0, - "LT": 0, - "AzureSYN": 0, - // below require secrets from KV - "VMSS": 0, - "ACI": 0, - "AKS": 0, // - "AzureSQL": 0, - "SFM": 0, - "SFMNP": 0, - // VM templates - "ADPrimary": 0, - "ADSecondary": 0, - "InitialDOP": 0, - "VMApp": 0, - "VMAppLinux": 0, - "VMSQL": 0, - "VMFILE": 0 - } - }, - "Extensions": { - "value": { - "MonitoringAgent": 1, - "IaaSDiagnostics": 1, - "DependencyAgent": 1, - "AzureMonitorAgent": 1, - "GuestHealthAgent": 1, - "VMInsights": 1, - "AdminCenter": 1, - "BackupWindowsWorkloadSQL": 0, - "DSC": 0, - "GuestConfig": 1, - "Scripts": 1, - "MSI": 1, - "CertMgmt": 0, - "DomainJoin": 1, - "AADLogin": 0, - "WindowsOpenSSH": 0, - "Antimalware": 1, - "VMSSAzureADEnabled": 0, - "SqlIaasExtension": 0, - "AzureDefender": 
0, - "chefClient": 0 - } - }, - "DeploymentInfo": { - "value": { - "uaiInfo": [ - { - "name": "GlobalAcrPull", - "RBAC": [ - { - "Name": "AcrPull", - "RG": "G1", - "Tenant": "HUB", - "Prefix": "ACU1" - } - ] - }, - { - "name": "ML", - "RBAC": [ - { - "Name": "AcrPull", - "RG": "G1", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Key Vault Reader", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - } - // { - // "Name": "Key Vault Administrator", - // "RG": "P0", - // "Tenant": "HUB" - // }, - // { - // "Name": "Desktop Virtualization Virtual Machine Contributor", // only built in role with 'MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION' - // "RG": "P0", - // "Tenant": "HUB" - // } - ] - }, - { - "name": "KeyVaultSecretsGet", - "RBAC": [ - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - } - ] - }, - { - "name": "AKSCluster", - "RBAC": [ - { - "Name": "Private DNS Zone Contributor", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Key Vault Certificates Officer", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Network Contributor" - }, - { - "Name": "Managed Identity Operator" - } - ] - }, - { - "name": "Automation", - "RBAC": [ - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Storage Account Contributor" - }, - { - "Name": "Storage Queue Data Contributor" - }, - { - "Name": "Storage Blob Data Owner" - } - ] - }, - { - "name": "StorageAccountFileContributor", - "RBAC": [ - { - "Name": "Storage File Data SMB Share Contributor", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Storage Blob Data Contributor", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Storage Queue Data 
Contributor", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - } - ] - }, - { - "Name": "CertificateRequest", - "RBAC": [ - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Key Vault Certificates Officer", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - } - ] - } - ], - "rolesInfo": [ - { - "Name": "brwilkinson", - "RBAC": [ - { - "Name": "Contributor" - } - ] - } - // { - // "Name": "AzureKeyVault", - // "RBAC": [ - // { - // "Name": "Storage Account Key Operator Service Role" - // } - // ] - // } - ], - "PIMInfo": [], - "SPInfo": [ - { - "Name": "ADO_{ADOProject}_{RGNAME}", - "RBAC": [ - { - "Name": "Contributor" - }, - // { - // "Name": "DeploymentScripts_Contributor" - // }, - // { - // "Name": "Managed Identity Operator" - // }, - // { - // "Name": "Monitoring Contributor" - // }, - // { - // "Name": "Load Test Owner" - // }, - { - "Name": "DNS Zone Contributor", - "RG": "G1", - "Prefix": "ACU1", - "Tenant": "HUB" - }, - { - "Name": "Reader and Data Access", - "RG": "G1", - "Prefix": "ACU1", - "Tenant": "HUB" - }, - { - "Name": "Storage Account Contributor", - "RG": "G1", - "Prefix": "ACU1", - "Tenant": "HUB" - }, - { - "Name": "Log Analytics Contributor", - "RG": "G1", - "Prefix": "ACU1", - "Tenant": "HUB" - }, - // { - // "Name": "Automation_Account_Contributor", - // "RG": "P0", - // "Tenant": "HUB" - // }, - { - "Name": "Desktop Virtualization Virtual Machine Contributor", // only built in role with 'MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION' - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Network Contributor", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - } - // { - // "Name": "DNS Zone Contributor", - // "RG": "P0", - // "Tenant": "HUB" - // }, - // { - // "Name": "DNS Zone Contributor", - // "RG": "P0", - // "Tenant": "HUB", - // "PREFIX": "AEU2" - // } - ] 
- } - ], - "SubnetInfo": [ // 8 * /27 + 3 * /23 - // { - // "name": "snAD01", - // "prefix": "0/27", - // "NSG": 1, - // "FlowLogEnabled": 1, - // "FlowAnalyticsEnabled": 1, - // "NGW": 1 - // }, - // leave above open for DNS Resolver - // { - // "name": "snFE02", - // "prefix": "32/27", - // "NSG": 1, - // "FlowLogEnabled": 1, - // "FlowAnalyticsEnabled": 1, - // "NGW": 1 - // }, - // { - // "name": "snMT02", - // "prefix": "64/27", - // "NSG": 1, - // "FlowLogEnabled": 1, - // "FlowAnalyticsEnabled": 1, - // "delegations": "Microsoft.Web/serverfarms", - // "NGW": 1 - // }, - { - "name": "snMT03", - "prefix": "96/27", - "NSG": 1, - "FlowLogEnabled": 1, - "FlowAnalyticsEnabled": 1, - "delegations": "Microsoft.App/environments", //"Microsoft.ContainerInstance/containerGroups", - "NGW": 1 - }, - // { - // "name": "snAPIM01", - // "NSGRuleName": "APIM", // APIM Dedicated - // "prefix": "128/27", - // "NSG": 1, - // "Route": 0, //1 - // "FlowLogEnabled": 1, - // "FlowAnalyticsEnabled": 1, - // "NGW": 1 - // }, - // { - // "name": "snBE03", - // "prefix": "160/27", - // "NSG": 1, - // "Route": 0, //1 - // "FlowLogEnabled": 1, - // "FlowAnalyticsEnabled": 1, - // "NGW": 1 - // }, - { - "name": "AzureBastionSubnet", - "prefix": "192/26", - "NSG": 1, - "FlowLogEnabled": 1, - "FlowAnalyticsEnabled": 1, - "NGW": 1 - }, - { - "name": "waf01-subnet", // WAF dedicated - "NSGRuleName": "SNWAF01", - "AddDeploymentPrefix": 1, - "prefix": "0/24", - "NSG": 1, - "Route": 0, - "FlowLogEnabled": 1, - "FlowAnalyticsEnabled": 1 - }, - { - "name": "snFE01", - "prefix": "0/23", - "NSG": 1, - "Route": 0, //1 - "FlowLogEnabled": 1, - "FlowAnalyticsEnabled": 1, - "NGW": 1 - }, - { - "name": "snMT01", - "prefix": "0/23", - "NSG": 1, - "Route": 0, //1 - "FlowLogEnabled": 1, - "FlowAnalyticsEnabled": 1, - "NGW": 1 - }, - { - "name": "snMT02", - "prefix": "0/23", - "NSG": 1, - "Route": 0, //1 - "FlowLogEnabled": 1, - "FlowAnalyticsEnabled": 1, - "NGW": 1 - } - ], - "NatGWInfo": [ - { - "Name": 
"NAT01", - "PIPCount": 1 - } - ], - "BastionInfo": { - "name": "HST01", - "enableTunneling": 1, - "scaleUnits": 2 - }, - "saInfo": [ - { - "name": "diag", - "skuName": "Standard_LRS", - "allNetworks": 1, - "logging": { - "r": 0, - "w": 0, - "d": 1 - }, - "blobVersioning": 1, - "changeFeed": 1, - "softDeletePolicy": { - "enabled": 1, - "days": 7 - }, - "PrivateLinkInfo": [ - { - "Subnet": "snFE01", - "groupID": "blob" - }, - { - "Subnet": "snFE01", - "groupID": "file" - } - ] - } - ], - "KVInfo": [ - { - "Name": "App01", - "skuName": "standard", - "softDelete": true, - "PurgeProtection": true, - "RbacAuthorization": true, - "UserAssignedIdentity": { - "name": "KeyVaultSecretsGetApp", - "permission": "SecretsGetAndList" - }, - "allNetworks": 1, - "privateLinkInfo": [ - { - "Subnet": "snFE01", - "groupID": "vault" - } - ], - "_rolesInfo": [ - { - "Name": "BenWilkinson", - "RBAC": [ - { - "Name": "Key Vault Administrator" - } - ] - } - ] - } - ], - "OMSSolutions": [ - "AzureAutomation", - "ChangeTracking", - "AzureActivity", - "DnsAnalytics", - "AlertManagement", - "NetworkMonitoring", - "InfrastructureInsights", - "VMInsights", - "SecurityInsights", - // testing - "WindowsDefenderATP", - "KeyVaultAnalytics" - // "BehaviorAnalyticsInsights", - // "ServiceFabric" - // disabled - // "Updates", - // "AgentHealthAssessment", - // "ADAssessment", - // "ADReplication", - // "SQLAssessment", - // "AntiMalware", - // "AzureWebAppsAnalytics", - // "CapacityPerformance", - // "Containers", - // "ContainerInsights", - // "SQLAdvancedThreatProtection", - // "AzureSQLAnalytics", - // "AzureNSGAnalytics" - ], - "WAFPolicyInfo": [ - { - "Name": "AGIC01", - "State": "Enabled", - "Mode": "Prevention", - "ruleSetVersion": "3.2", // New rules engine high performance and load capabilities - "enableBotRule": 1, - "customRules": [], - "exclusions": [] - } - ], - "LoadTestInfo": [ - { - "Name": "APIWebTest01", - "location": "westus2" - } - ], - "WAFInfo": [ - { - "Name": "AGIC01", - 
"WAFPolicyAttached": 1, - "WAFPolicyName": "AGIC01", - "WAFTier": "WAF_v2", - "PrivateIP": "240", - "SSLCerts": [ - { - "name": "AGIC01", - "zone": "aginow.net", - "createCert": 1, - "DnsNames": [ - "*.aginow.net" - ] - } - ], - "_privateLinkInfo": [ - { - "Subnet": "snMT01", - "groupID": "frontendPublic" - } - ], - "backendAddressPools": [ - { - "name": "AGIC01", - "BEIPs": [] - } - ], - "pathRules": [], - "probes": [ - { - "Name": "probe01", - "Path": "/", - "Protocol": "https", - "useBE": 1 - } - ], - "frontEndPorts": [ - { - "Port": 80 - }, - { - "Port": 443 - } - ], - "BackendHttp": [ - { - "Port": 443, - "Protocol": "https", - "CookieBasedAffinity": "Disabled", - "RequestTimeout": 600, - "probeName": "probe01", - "hostnameFromBE": 1 - } - ], - "Listeners": [ - { - "Port": 443, - "BackendPort": 443, - "Protocol": "https", - "Cert": "AGIC01", - "Domain": "aginow.net", - "Hostname": "AGIC01", - "HostnameExcludePrefix": 1, - "Interface": "Public" - }, - { - "Port": 80, - "Protocol": "http", - "Domain": "aginow.net", - "Hostname": "AGIC01", - "HostnameExcludePrefix": 1, - "Interface": "Public", - "httpsRedirect": 1 - } - ] - } - ], - "AKSInfo": [ - { - "Name": "01", - "Version": "1.25.6", - "skuTier": "Free", //Free - "podIdentity": 0, - "privateCluster": 0, - "AllowALLIPs": 1, // Add in NAT Public IP to allow range for VMSSCSE to work. 
- "AgentPoolsSN": "snMT01", - "WAFName": "AGIC01", - "BrownFields": 0, - "AppGateway": 1, - "AutoScale": 1, - "enableRBAC": 1, - "enableOSM": 0, - "enableIstio": 0, - "enableIngressAppRouting": 0, - "enableAppRoutingDNS": 0, - "enableDefender": 0, - "enablePolicy": 0, - "enableaciConnector": 0, - "aksAADAdminGroups": [ - "brwilkinson" - ], - "AgentPools": [ - { - "name": "system01", - "count": 1, - "osDiskSizeGb": 0, // 0 use default size - "osType": "Linux", - "osSKU": "Mariner", - "maxPods": 110, - "vmSize": "Standard_D2ads_v5", //"Standard_B4ms", // "Standard_D2ads_v5", // AMD --> "Standard_D2plds_v5", Standard_D2ps_v5 // NON AMD Standard_D2ads_v5 - "mode": "System", - "subnet": "snMT01" - } - // { - // "name": "user01", - // "count": 1, - // "maxcount": 1, - // "osDiskSizeGb": 0, - // "osType": "Linux", - // "osSKU": "Mariner", - // "maxPods": 250, - // "vmSize": "Standard_D2ads_v5", - // "mode": "User", - // "subnet": "snMT02" - // } - ] - } - ], - "MLWorkspaceInfo": [ - { - "Name": "03", - "UAI": "ML", - "skuTier": "Basic" //Enterprise - // "KV": "App01" - } - ] - } - } - } +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { // AKS + "Prefix": { + "value": "ACU1" + }, + "Environment": { + "value": "D" + }, + "DeploymentID": { + "value": "1" + }, + "Stage": { + "value": { + "RG": 1, + "RBAC": 1, + "PIM": 0, + "UAI": 1, + "SP": 1, + "KV": 0, + "OMS": 1, + "OMSSolutions": 1, + "OMSDataSources": 1, + "OMSUpdateWeekly": 0, + "OMSUpdateMonthly": 0, + "OMSUpates": 1, + "SA": 1, + "CDN": 0, + "StorageSync": 0, + "RSV": 0, + "NSG": 1, + "NetworkWatcher": 0, + "FlowLogs": 1, + "VNet": 1, + "VNetDDOS": 0, + "VNetPeering": 1, + "DNSPublicZone": 0, + "DNSPrivateZone": 0, + "LinkPrivateDns": 0, + "PrivateLink": 1, + "BastionHost": 0, + "CloudShellRelay": 0, + "RT": 0, + "FW": 0, + "VNGW": 0, + "NATGW": 1, + "ERGW": 0, + "LB": 0, + "TM": 0, + "WAFPOLICY": 1, + "WAF": 0, // + 
"FRONTDOORPOLICY": 0, + "FRONTDOOR": 0, + "SetExternalDNS": 0, + "SetInternalDNS": 0, + "APPCONFIG": 0, + "REDIS": 0, + "APIM": 0, + "ACR": 0, + "SQLMI": 0, + "CosmosDB": 0, + "DASHBOARD": 0, + "ServerFarm": 0, + "WebSite": 0, + "WebSiteContainer": 0, + "ManagedEnv": 0, + "ContainerApp": 0, + "MySQLDB": 0, + "Function": 0, + "SB": 0, + "LT": 0, + "AzureSYN": 0, + // below require secrets from KV + "VMSS": 0, + "ACI": 0, + "AKS": 0, // + "AzureSQL": 0, + "SFM": 0, + "SFMNP": 0, + // VM templates + "ADPrimary": 0, + "ADSecondary": 0, + "InitialDOP": 0, + "VMApp": 0, + "VMAppLinux": 0, + "VMSQL": 0, + "VMFILE": 0 + } + }, + "Extensions": { + "value": { + "MonitoringAgent": 1, + "IaaSDiagnostics": 1, + "DependencyAgent": 1, + "AzureMonitorAgent": 1, + "GuestHealthAgent": 1, + "VMInsights": 1, + "AdminCenter": 1, + "BackupWindowsWorkloadSQL": 0, + "DSC": 0, + "GuestConfig": 1, + "Scripts": 1, + "MSI": 1, + "CertMgmt": 0, + "DomainJoin": 1, + "AADLogin": 0, + "WindowsOpenSSH": 0, + "Antimalware": 1, + "VMSSAzureADEnabled": 0, + "SqlIaasExtension": 0, + "AzureDefender": 0, + "chefClient": 0 + } + }, + "DeploymentInfo": { + "value": { + "uaiInfo": [ + { + "name": "GlobalAcrPull", + "RBAC": [ + { + "Name": "AcrPull", + "RG": "G1", + "Tenant": "HUB", + "Prefix": "ACU1" + } + ] + }, + { + "name": "ML", + "RBAC": [ + { + "Name": "AcrPull", + "RG": "G1", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Key Vault Reader", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + } + // { + // "Name": "Key Vault Administrator", + // "RG": "P0", + // "Tenant": "HUB" + // }, + // { + // "Name": "Desktop Virtualization Virtual Machine Contributor", // only built in role with 'MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION' + // "RG": "P0", + // "Tenant": "HUB" + // } + ] + }, + { + "name": "KeyVaultSecretsGet", + "RBAC": [ + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": 
"HUB", + "Prefix": "ACU1" + } + ] + }, + { + "name": "AKSCluster", + "RBAC": [ + { + "Name": "Private DNS Zone Contributor", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Key Vault Certificates Officer", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Network Contributor" + }, + { + "Name": "Managed Identity Operator" + } + ] + }, + { + "name": "Automation", + "RBAC": [ + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Storage Account Contributor" + }, + { + "Name": "Storage Queue Data Contributor" + }, + { + "Name": "Storage Blob Data Owner" + } + ] + }, + { + "name": "StorageAccountFileContributor", + "RBAC": [ + { + "Name": "Storage File Data SMB Share Contributor", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Storage Blob Data Contributor", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Storage Queue Data Contributor", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + } + ] + }, + { + "Name": "CertificateRequest", + "RBAC": [ + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Key Vault Certificates Officer", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + } + ] + } + ], + "rolesInfo": [ + { + "Name": "brwilkinson", + "RBAC": [ + { + "Name": "Contributor" + } + ] + } + // { + // "Name": "AzureKeyVault", + // "RBAC": [ + // { + // "Name": "Storage Account Key Operator Service Role" + // } + // ] + // } + ], + "PIMInfo": [], + "SPInfo": [ + { + "Name": "ADO_{ADOProject}_{RGNAME}", + "RBAC": [ + { + "Name": "Contributor" + }, + // { + // "Name": "DeploymentScripts_Contributor" + // }, + // { + // "Name": "Managed Identity Operator" + // }, + // { + // "Name": "Monitoring Contributor" + // }, + // { + // "Name": "Load Test Owner" + // }, + 
{ + "Name": "DNS Zone Contributor", + "RG": "G1", + "Prefix": "ACU1", + "Tenant": "HUB" + }, + { + "Name": "Reader and Data Access", + "RG": "G1", + "Prefix": "ACU1", + "Tenant": "HUB" + }, + { + "Name": "Storage Account Contributor", + "RG": "G1", + "Prefix": "ACU1", + "Tenant": "HUB" + }, + { + "Name": "Log Analytics Contributor", + "RG": "G1", + "Prefix": "ACU1", + "Tenant": "HUB" + }, + // { + // "Name": "Automation_Account_Contributor", + // "RG": "P0", + // "Tenant": "HUB" + // }, + { + "Name": "Desktop Virtualization Virtual Machine Contributor", // only built in role with 'MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION' + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Network Contributor", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + } + // { + // "Name": "DNS Zone Contributor", + // "RG": "P0", + // "Tenant": "HUB" + // }, + // { + // "Name": "DNS Zone Contributor", + // "RG": "P0", + // "Tenant": "HUB", + // "PREFIX": "AEU2" + // } + ] + } + ], + "SubnetInfo": [ // 8 * /27 + 3 * /23 + // { + // "name": "snAD01", + // "prefix": "0/27", + // "NSG": 1, + // "FlowLogEnabled": 1, + // "FlowAnalyticsEnabled": 1, + // "NGW": 1 + // }, + // leave above open for DNS Resolver + // { + // "name": "snFE02", + // "prefix": "32/27", + // "NSG": 1, + // "FlowLogEnabled": 1, + // "FlowAnalyticsEnabled": 1, + // "NGW": 1 + // }, + // { + // "name": "snMT02", + // "prefix": "64/27", + // "NSG": 1, + // "FlowLogEnabled": 1, + // "FlowAnalyticsEnabled": 1, + // "delegations": "Microsoft.Web/serverfarms", + // "NGW": 1 + // }, + { + "name": "snMT03", + "prefix": "96/27", + "NSG": 1, + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1, + "delegations": "Microsoft.App/environments", //"Microsoft.ContainerInstance/containerGroups", + "NGW": 1 + }, + // { + // "name": "snAPIM01", + // "NSGRuleName": "APIM", // APIM Dedicated + // "prefix": "128/27", + // "NSG": 
1, + // "Route": 0, //1 + // "FlowLogEnabled": 1, + // "FlowAnalyticsEnabled": 1, + // "NGW": 1 + // }, + // { + // "name": "snBE03", + // "prefix": "160/27", + // "NSG": 1, + // "Route": 0, //1 + // "FlowLogEnabled": 1, + // "FlowAnalyticsEnabled": 1, + // "NGW": 1 + // }, + { + "name": "AzureBastionSubnet", + "prefix": "192/26", + "NSG": 1, + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1, + "NGW": 1 + }, + { + "name": "waf01-subnet", // WAF dedicated + "NSGRuleName": "SNWAF01", + "AddDeploymentPrefix": 1, + "prefix": "0/24", + "NSG": 1, + "Route": 0, + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1 + }, + { + "name": "snFE01", + "prefix": "0/23", + "NSG": 1, + "Route": 0, //1 + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1, + "NGW": 1 + }, + { + "name": "snMT01", + "prefix": "0/23", + "NSG": 1, + "Route": 0, //1 + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1, + "NGW": 1 + }, + { + "name": "snMT02", + "prefix": "0/23", + "NSG": 1, + "Route": 0, //1 + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1, + "NGW": 1 + } + ], + "NatGWInfo": [ + { + "Name": "NAT01", + "PIPCount": 1 + } + ], + "BastionInfo": { + "name": "HST01", + "enableTunneling": 1, + "scaleUnits": 2 + }, + "saInfo": [ + { + "name": "diag", + "skuName": "Standard_LRS", + "allNetworks": 1, + "logging": { + "r": 0, + "w": 0, + "d": 1 + }, + "blobVersioning": 1, + "changeFeed": 1, + "softDeletePolicy": { + "enabled": 1, + "days": 7 + }, + "PrivateLinkInfo": [ + { + "Subnet": "snFE01", + "groupID": "blob" + }, + { + "Subnet": "snFE01", + "groupID": "file" + } + ] + } + ], + "KVInfo": [ + { + "Name": "App01", + "skuName": "standard", + "softDelete": true, + "PurgeProtection": true, + "RbacAuthorization": true, + "UserAssignedIdentity": { + "name": "KeyVaultSecretsGetApp", + "permission": "SecretsGetAndList" + }, + "allNetworks": 1, + "privateLinkInfo": [ + { + "Subnet": "snFE01", + "groupID": "vault" + } + ], + "_rolesInfo": [ + { + "Name": "BenWilkinson", + "RBAC": [ + { + "Name": "Key Vault 
Administrator" + } + ] + } + ] + } + ], + "OMSSolutions": [ + "AzureAutomation", + "ChangeTracking", + "AzureActivity", + "DnsAnalytics", + "AlertManagement", + "NetworkMonitoring", + "InfrastructureInsights", + "VMInsights", + "SecurityInsights", + // testing + "WindowsDefenderATP", + "KeyVaultAnalytics" + // "BehaviorAnalyticsInsights", + // "ServiceFabric" + // disabled + // "Updates", + // "AgentHealthAssessment", + // "ADAssessment", + // "ADReplication", + // "SQLAssessment", + // "AntiMalware", + // "AzureWebAppsAnalytics", + // "CapacityPerformance", + // "Containers", + // "ContainerInsights", + // "SQLAdvancedThreatProtection", + // "AzureSQLAnalytics", + // "AzureNSGAnalytics" + ], + "WAFPolicyInfo": [ + { + "Name": "AGIC01", + "State": "Enabled", + "Mode": "Prevention", + "ruleSetVersion": "3.2", // New rules engine high performance and load capabilities + "enableBotRule": 1, + "customRules": [], + "exclusions": [] + } + ], + "LoadTestInfo": [ + { + "Name": "APIWebTest01", + "location": "westus2" + } + ], + "WAFInfo": [ + { + "Name": "AGIC01", + "WAFPolicyAttached": 1, + "WAFPolicyName": "AGIC01", + "WAFTier": "WAF_v2", + "PrivateIP": "240", + "SSLCerts": [ + { + "name": "AGIC01", + "zone": "aginow.net", + "createCert": 1, + "DnsNames": [ + "*.aginow.net" + ] + } + ], + "_privateLinkInfo": [ + { + "Subnet": "snMT01", + "groupID": "frontendPublic" + } + ], + "backendAddressPools": [ + { + "name": "AGIC01", + "BEIPs": [] + } + ], + "pathRules": [], + "probes": [ + { + "Name": "probe01", + "Path": "/", + "Protocol": "https", + "useBE": 1 + } + ], + "frontEndPorts": [ + { + "Port": 80 + }, + { + "Port": 443 + } + ], + "BackendHttp": [ + { + "Port": 443, + "Protocol": "https", + "CookieBasedAffinity": "Disabled", + "RequestTimeout": 600, + "probeName": "probe01", + "hostnameFromBE": 1 + } + ], + "Listeners": [ + { + "Port": 443, + "BackendPort": 443, + "Protocol": "https", + "Cert": "AGIC01", + "Domain": "aginow.net", + "Hostname": "AGIC01", + 
"HostnameExcludePrefix": 1, + "Interface": "Public" + }, + { + "Port": 80, + "Protocol": "http", + "Domain": "aginow.net", + "Hostname": "AGIC01", + "HostnameExcludePrefix": 1, + "Interface": "Public", + "httpsRedirect": 1 + } + ] + } + ], + "AKSInfo": [ + { + "Name": "01", + "Version": "1.28.3", + "skuTier": "Free", //Free + "podIdentity": 0, + "privateCluster": 0, + "AllowALLIPs": 1, // Add in NAT Public IP to allow range for VMSSCSE to work. + "AgentPoolsSN": "snMT01", + "WAFName": "AGIC01", + "BrownFields": 1, + "AppGateway": 0, + "AutoScale": 1, + "enableRBAC": 1, + "enableOSM": 0, + "enableIstio": 0, + "enableIngressAppRouting": 1, + "enableAppRoutingDNS": 0, + "enableDefender": 0, + "enablePolicy": 0, + "enableaciConnector": 0, + "aksAADAdminGroups": [ + "brwilkinson" + ], + "AgentPools": [ + { + "name": "system01", + "count": 1, + "osDiskSizeGb": 0, // 0 use default size + "osType": "Linux", + "osSKU": "Mariner", + "maxPods": 110, + "vmSize": "Standard_D2ads_v5", //"Standard_B4ms", // "Standard_D2ads_v5", // AMD --> "Standard_D2plds_v5", Standard_D2ps_v5 // NON AMD Standard_D2ads_v5 + "mode": "System", + "subnet": "snMT01" + } + // { + // "name": "user01", + // "count": 1, + // "maxcount": 1, + // "osDiskSizeGb": 0, + // "osType": "Linux", + // "osSKU": "Mariner", + // "maxPods": 250, + // "vmSize": "Standard_D2ads_v5", + // "mode": "User", + // "subnet": "snMT02" + // } + ] + } + ], + "MLWorkspaceInfo": [ + { + "Name": "03", + "UAI": "ML", + "skuTier": "Basic" //Enterprise + // "KV": "App01" + } + ] + } + } + } } \ No newline at end of file diff --git a/ADF/tenants/AKS/AEU1.D2.parameters.json b/ADF/0-archive/aks/AEU1.D2.parameters.json similarity index 96% rename from ADF/tenants/AKS/AEU1.D2.parameters.json rename to ADF/0-archive/aks/AEU1.D2.parameters.json index e567591d..7fd2f58d 100644 --- a/ADF/tenants/AKS/AEU1.D2.parameters.json +++ b/ADF/0-archive/aks/AEU1.D2.parameters.json 
@@ -1,1078 +1,1078 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { // AKS - "Prefix": { - "value": "AEU1" - }, - "Environment": { - "value": "D" - }, - "DeploymentID": { - "value": "2" - }, - "Stage": { - "value": { - "RG": 1, - "RBAC": 1, - "PIM": 0, - "UAI": 1, - "SP": 0, - "KV": 0, - "OMS": 1, - "OMSSolutions": 1, - "OMSDataSources": 1, - "OMSUpdateWeekly": 0, - "OMSUpdateMonthly": 0, - "OMSUpates": 1, - "SA": 1, - "CDN": 0, - "StorageSync": 0, - "RSV": 0, - "NSG": 1, - "NetworkWatcher": 0, - "FlowLogs": 1, - "VNet": 1, - "VNetDDOS": 0, - "VNetPeering": 1, - "DNSPublicZone": 0, - "DNSPrivateZone": 0, - "LinkPrivateDns": 0, - "PrivateLink": 1, - "BastionHost": 0, - "CloudShellRelay": 0, - "RT": 0, - "FW": 0, - "VNGW": 0, - "NATGW": 0, // disable based on cost in lab - "ERGW": 0, - "LB": 0, - "TM": 0, - "WAFPOLICY": 1, - "WAF": 0, // - "FRONTDOORPOLICY": 0, - "FRONTDOOR": 0, - "SetExternalDNS": 0, - "SetInternalDNS": 0, - "APPCONFIG": 0, - "REDIS": 0, - "APIM": 0, - "ACR": 0, - "SQLMI": 0, - "CosmosDB": 0, - "DASHBOARD": 0, - "ServerFarm": 0, - "WebSite": 0, - "WebSiteContainer": 0, - "ManagedEnv": 0, - "ContainerApp": 0, - "MySQLDB": 0, - "Function": 0, - "SB": 0, - "LT": 0, - "AzureSYN": 0, - // below require secrets from KV - "VMSS": 0, - "ACI": 0, - "AKS": 0, // - "AzureSQL": 0, - "SFM": 0, - "SFMNP": 0, - // VM templates - "ADPrimary": 0, - "ADSecondary": 0, - "InitialDOP": 0, - "VMApp": 0, - "VMAppLinux": 0, - "VMSQL": 0, - "VMFILE": 0 - } - }, - "Extensions": { - "value": { - "MonitoringAgent": 1, - "IaaSDiagnostics": 1, - "DependencyAgent": 1, - "AzureMonitorAgent": 1, - "GuestHealthAgent": 1, - "VMInsights": 1, - "AdminCenter": 1, - "BackupWindowsWorkloadSQL": 0, - "DSC": 0, - "GuestConfig": 1, - "Scripts": 1, - "MSI": 1, - "CertMgmt": 0, - "DomainJoin": 1, - "AADLogin": 0, - "WindowsOpenSSH": 0, - "Antimalware": 1, - "VMSSAzureADEnabled": 0, - 
"SqlIaasExtension": 0, - "AzureDefender": 0, - "chefClient": 0 - } - }, - "DeploymentInfo": { - "value": { - "uaiInfo": [ - { - "Name": "Reader", - "RBAC": [ - { - "Name": "Reader" - } - ] - }, - { - "name": "GlobalAcrPull", - "RBAC": [ - { - "Name": "AcrPull", - "RG": "G1", - "Tenant": "HUB", - "Prefix": "ACU1" - } - ] - }, - { - "name": "ML", - "RBAC": [ - { - "Name": "AcrPull", - "RG": "G1", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Key Vault Reader", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - } - // { - // "Name": "Key Vault Administrator", - // "RG": "P0", - // "Tenant": "HUB" - // }, - // { - // "Name": "Desktop Virtualization Virtual Machine Contributor", // only built in role with 'MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION' - // "RG": "P0", - // "Tenant": "HUB" - // } - ] - }, - { - "name": "KeyVaultSecretsGet", - "RBAC": [ - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - } - ] - }, - { - "name": "AKSCluster", - "RBAC": [ - { - "Name": "Private DNS Zone Contributor", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Key Vault Certificates Officer", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Network Contributor" - }, - { - "Name": "Managed Identity Operator" - } - ] - }, - { - "name": "Automation", - "RBAC": [ - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Storage Account Contributor" - }, - { - "Name": "Storage Queue Data Contributor" - }, - { - "Name": "Storage Blob Data Owner" - } - ] - }, - { - "name": "AppService", - "RBAC": [ - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Storage Account Contributor" - }, - { - 
"Name": "Storage Queue Data Contributor" - }, - { - "Name": "Storage Blob Data Owner" - }, - { - "Name": "Reader" - } - ] - }, - { - "name": "StorageAccountFileContributor", - "RBAC": [ - { - "Name": "Storage File Data SMB Share Contributor", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Storage Blob Data Contributor", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Storage Queue Data Contributor", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - } - ] - }, - { - "Name": "CertificateRequest", - "RBAC": [ - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Key Vault Certificates Officer", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - } - ] - } - ], - "rolesInfo": [ - { - "Name": "brwilkinson", - "RBAC": [ - { - "Name": "Contributor" - } - ] - } - // { - // "Name": "AzureKeyVault", - // "RBAC": [ - // { - // "Name": "Storage Account Key Operator Service Role" - // } - // ] - // } - ], - "PIMInfo": [], - "SPInfo": [ - { - "Name": "ADO_{ADOProject}_{RGNAME}", - "RBAC": [ - { - "Name": "Contributor" - }, - // { - // "Name": "DeploymentScripts_Contributor" - // }, - // { - // "Name": "Managed Identity Operator" - // }, - // { - // "Name": "Monitoring Contributor" - // }, - // { - // "Name": "Load Test Owner" - // }, - { - "Name": "DNS Zone Contributor", - "RG": "G1", - "Prefix": "ACU1", - "Tenant": "HUB" - }, - { - "Name": "Reader and Data Access", - "RG": "G1", - "Prefix": "ACU1", - "Tenant": "HUB" - }, - { - "Name": "Storage Account Contributor", - "RG": "G1", - "Prefix": "ACU1", - "Tenant": "HUB" - }, - { - "Name": "Log Analytics Contributor", - "RG": "G1", - "Prefix": "ACU1", - "Tenant": "HUB" - }, - // { - // "Name": "Automation_Account_Contributor", - // "RG": "P0", - // "Tenant": "HUB" - // }, - { - "Name": "Desktop Virtualization Virtual Machine Contributor", // only built in role with 'MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION' - "RG": "P0", - 
"Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Key Vault Secrets User", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - }, - { - "Name": "Network Contributor", - "RG": "P0", - "Tenant": "HUB", - "Prefix": "ACU1" - } - // { - // "Name": "DNS Zone Contributor", - // "RG": "P0", - // "Tenant": "HUB" - // }, - // { - // "Name": "DNS Zone Contributor", - // "RG": "P0", - // "Tenant": "HUB", - // "PREFIX": "AEU2" - // } - ] - } - ], - "SubnetInfo": [ // 8 * /27 + 3 * /23 - // { - // "name": "snAD01", - // "prefix": "0/27", - // "NSG": 1, - // "FlowLogEnabled": 1, - // "FlowAnalyticsEnabled": 1, - // "NGW": 1 - // }, - // leave above open for DNS Resolver - // { - // "name": "snFE02", - // "prefix": "32/27", - // "NSG": 1, - // "FlowLogEnabled": 1, - // "FlowAnalyticsEnabled": 1, - // "NGW": 1 - // }, - // { - // "name": "snMT02", - // "prefix": "64/27", - // "NSG": 1, - // "FlowLogEnabled": 1, - // "FlowAnalyticsEnabled": 1, - // "delegations": "Microsoft.Web/serverfarms", - // "NGW": 1 - // }, - { - "name": "snMT03", - "prefix": "96/27", - "NSG": 1, - "FlowLogEnabled": 1, - "FlowAnalyticsEnabled": 1, - "delegations": "Microsoft.App/environments", //"Microsoft.ContainerInstance/containerGroups", - "NGW": 0 // disable temp based on $s - }, - { - "name": "snAPIM01", - "NSGRuleName": "APIM", // APIM Dedicated - "prefix": "128/27", - "NSG": 1, - "Route": 0, //1 - "FlowLogEnabled": 1, - "FlowAnalyticsEnabled": 1, - "NGW": 0 // disable temp based on $s - }, - // { - // "name": "snBE03", - // "prefix": "160/27", - // "NSG": 1, - // "Route": 0, //1 - // "FlowLogEnabled": 1, - // "FlowAnalyticsEnabled": 1, - // "NGW": 1 - // }, - { - "name": "AzureBastionSubnet", - "prefix": "192/26", - "NSG": 1, - "FlowLogEnabled": 1, - "FlowAnalyticsEnabled": 1, - "NGW": 0 // disable temp based on $s - }, - { - "name": "waf01-subnet", // WAF dedicated - "NSGRuleName": "SNWAF01", - "AddDeploymentPrefix": 1, - "prefix": "0/24", - "NSG": 1, - "Route": 0, - "FlowLogEnabled": 1, - 
"FlowAnalyticsEnabled": 1 - }, - { - "name": "snFE01", - "prefix": "0/23", - "NSG": 1, - "Route": 0, //1 - "FlowLogEnabled": 1, - "FlowAnalyticsEnabled": 1, - "NGW": 0 // disable temp based on $s - }, - { - "name": "snMT01", - "prefix": "0/23", - "NSG": 1, - "Route": 0, //1 - "FlowLogEnabled": 1, - "FlowAnalyticsEnabled": 1, - "NGW": 0 // disable temp based on $s - }, - { - "name": "snMT02", - "prefix": "0/23", - "NSG": 1, - "Route": 0, //1 - "FlowLogEnabled": 1, - "FlowAnalyticsEnabled": 1, - "NGW": 0 // disable temp based on $s - } - ], - "NatGWInfo": [ - { - "Name": "NAT01", - "PIPCount": 1 - } - ], - "BastionInfo": { - "name": "HST01", - "enableTunneling": 1, - "scaleUnits": 2 - }, - "saInfo": [ - { - "name": "diag", - "skuName": "Standard_LRS", - "allNetworks": 1, - "logging": { - "r": 0, - "w": 0, - "d": 1 - }, - "blobVersioning": 1, - "changeFeed": 1, - "softDeletePolicy": { - "enabled": 1, - "days": 7 - }, - "PrivateLinkInfo": [ - { - "Subnet": "snFE01", - "groupID": "blob" - }, - { - "Subnet": "snFE01", - "groupID": "file" - } - ], - "containers": [ - { - "name": "runbooks" - } - ] - }, - { - "name": "data1", - "skuName": "Standard_LRS", - "allNetworks": 1, - "logging": { - "r": 0, - "w": 0, - "d": 1 - }, - "blobVersioning": 1, - "changeFeed": 1, - "softDeletePolicy": { - "enabled": 1, - "days": 7 - }, - "containers": [ - { - "name": "vmrequest" - } - ] - } - ], - "KVInfo": [ - { - "Name": "App01", - "skuName": "standard", - "softDelete": true, - "PurgeProtection": true, - "RbacAuthorization": true, - "UserAssignedIdentity": { - "name": "KeyVaultSecretsGetApp", - "permission": "SecretsGetAndList" - }, - "allNetworks": 1, - "privateLinkInfo": [ - { - "Subnet": "snFE01", - "groupID": "vault" - } - ], - "_rolesInfo": [ - { - "Name": "BenWilkinson", - "RBAC": [ - { - "Name": "Key Vault Administrator" - } - ] - } - ] - } - ], - "OMSSolutions": [ - "AzureAutomation", - "ChangeTracking", - "AzureActivity", - "DnsAnalytics", - "AlertManagement", - 
"NetworkMonitoring", - "InfrastructureInsights", - "VMInsights", - "SecurityInsights", - // testing - "WindowsDefenderATP", - "KeyVaultAnalytics" - // "BehaviorAnalyticsInsights", - // "ServiceFabric" - // disabled - // "Updates", - // "AgentHealthAssessment", - // "ADAssessment", - // "ADReplication", - // "SQLAssessment", - // "AntiMalware", - // "AzureWebAppsAnalytics", - // "CapacityPerformance", - // "Containers", - // "ContainerInsights", - // "SQLAdvancedThreatProtection", - // "AzureSQLAnalytics", - // "AzureNSGAnalytics" - ], - "appConfigurationInfo": [ - { - "name": "01", - "sku": "standard", - "publicNetworkAccess": 1 - } - ], - "WAFPolicyInfo": [ - { - "Name": "AGIC01", - "State": "Enabled", - "Mode": "Prevention", - "ruleSetVersion": "3.2", // New rules engine high performance and load capabilities - "enableBotRule": 1, - "customRules": [], - "exclusions": [] - } - ], - "LoadTestInfo": [ - { - "Name": "APIWebTest01", - "location": "westus2" - } - ], - "WAFInfo": [ - { - "Name": "AGIC01", - "WAFPolicyAttached": 1, - "WAFPolicyName": "AGIC01", - "WAFTier": "WAF_v2", - "PrivateIP": "240", - "SSLCerts": [ - { - "name": "AGIC01", - "zone": "aginow.net", - "createCert": 1, - "DnsNames": [ - "*.aginow.net" - ] - } - ], - "_privateLinkInfo": [ - { - "Subnet": "snMT01", - "groupID": "frontendPublic" - } - ], - "backendAddressPools": [ - { - "name": "AGIC01", - "BEIPs": [] - } - ], - "pathRules": [], - "probes": [ - { - "Name": "probe01", - "Path": "/", - "Protocol": "https", - "useBE": 1 - } - ], - "frontEndPorts": [ - { - "Port": 80 - }, - { - "Port": 443 - } - ], - "BackendHttp": [ - { - "Port": 443, - "Protocol": "https", - "CookieBasedAffinity": "Disabled", - "RequestTimeout": 600, - "probeName": "probe01", - "hostnameFromBE": 1 - } - ], - "Listeners": [ - { - "Port": 443, - "BackendPort": 443, - "Protocol": "https", - "Cert": "AGIC01", - "Domain": "aginow.net", - "Hostname": "AGIC01", - "HostnameExcludePrefix": 1, - "Interface": "Public" - }, - { - "Port": 
80, - "Protocol": "http", - "Domain": "aginow.net", - "Hostname": "AGIC01", - "HostnameExcludePrefix": 1, - "Interface": "Public", - "httpsRedirect": 1 - } - ] - } - ], - "AKSInfo": [ - { - "Name": "01", - "Version": "1.25.6", - "skuTier": "Free", //Free - "podIdentity": 0, - "privateCluster": 0, - "AllowALLIPs": 1, // Add in NAT Public IP to allow range for VMSSCSE to work. - "AgentPoolsSN": "snMT01", - "WAFName": "AGIC01", - "BrownFields": 0, - "AppGateway": 1, - "AutoScale": 1, - "enableRBAC": 1, - "enableOSM": 0, - "enableIstio": 1, - "enableIngressAppRouting": 0, - "enableAppRoutingDNS": 0, - "enableDefender": 0, - "enablePolicy": 0, - "enableaciConnector": 0, - "aksAADAdminGroups": [ - "brwilkinson" - ], - "namespaces": [ - { - "name": "testrbac", - "rolesInfo": [ - { - "Name": "brwilkinson", - "RBAC": [ - { - "Name": "Azure Kubernetes Service RBAC Writer" - } - ] - } - ] - } - ], - "AgentPools": [ - { - "name": "system01", - "count": 1, - "osDiskSizeGb": 0, // 0 use default size - "osType": "Linux", - "osSKU": "Mariner", - "maxPods": 110, - "vmSize": "Standard_B4ms", // "Standard_D2ads_v5", // AMD --> "Standard_D2plds_v5", Standard_D2ps_v5 // NON AMD Standard_D2ads_v5 - "mode": "System", - "subnet": "snMT01" - } - // { - // "name": "user01", - // "count": 1, - // "maxcount": 1, - // "osDiskSizeGb": 0, - // "osType": "Linux", - // "osSKU": "Mariner", - // "maxPods": 250, - // "vmSize": "Standard_D2ads_v5", - // "mode": "User", - // "subnet": "snMT02" - // } - ] - } - ], - "MLWorkspaceInfo": [ - { - "Name": "03", - "UAI": "ML", - "skuTier": "Basic" //Enterprise - // "KV": "App01" - } - ], - "managedEnvInfo": [ - { - "Name": "02", - "_Subnet": "snMT03", - // "internal": 0, - "workloadProfiles": [ - { - "workloadProfileType": "Consumption", - "name": "Consumption" - } - ] - // { - // "workloadProfileType": "D4", - // "name": "Dedicated-D4", - // "minimumCount": 1, - // "maximumCount": 1 - // } - // ] - } - ], - "containerAppInfo": [ - { - "Name": "01", - 
"kubeENV": "02", - "image": "mcr.microsoft.com/azuredocs/aks-helloworld:v1", - "imagename": "simple-hello-world-container", - "title": "Hello World 12" - } - // { - // "Name": "02", - // "kubeENV": "01", - // "workloadProfileName": "Dedicated-D4" - // } - ], - "appServiceplanInfo": [ - { - "Name": "WPS01", - "kind": "app", - "perSiteScaling": false, - "reserved": false, - "skuname": "P1v2", - "skutier": "PremiumV2", - "skucapacity": 1, - "deploy": 1 - }, - { - "Name": "ASP01", - "kind": "elastic", - "perSiteScaling": false, - "reserved": false, - "skuname": "EP1", - "skutier": "ElasticPremium", - "skucapacity": 1, - "maxWorkerCount": 100, - "deploy": 1 - } - ], - "FunctionInfo": [ - { - "Name": "VMR01", - "kind": "functionapp", - "AppSVCPlan": "ASP01", - "saname": "data1", - "stack": "powershell", - "_Subnet": "snMT01", - "preWarmedCount": 1, - "customDNS": 0, - "_authsettingsV2": { - "applicationId": "84a491fe-f713-42f9-8e13-66bfb5dcc09b", // clientid needs access to the keyvault to read the secret - "requireAuthentication": 1 - } - } - ], - "WebSiteInfo": [ - { - "Name": "WPS01", - "kind": "app", - "AppSVCPlan": "WPS01", - "stack": "dotnet", - "saname": "diag", - "customDNS": 0, - "_privateLinkInfo": [ - { - "Subnet": "snFE01", - "groupID": "sites" - } - ] - }, - { - "Name": "WPS02", - "kind": "app", - "AppSVCPlan": "WPS01", - "stack": "dotnet", - "saname": "diag", - "customDNS": 0, - "_privateLinkInfo": [ - { - "Subnet": "snFE01", - "groupID": "sites" - } - ] - } - ], - "LBInfo": [ - { - "Name": "SSH01", - "Sku": "Standard", - "Type": "Public", - "BackEnd": [ - "SSH01" - ], - "FrontEnd": [ - { - "LBFEName": "SSH", - "PublicIP": "Static" - } - ], - "NATRules": [ - { - "Name": "SSH", - "protocol": "Tcp", - "frontendPort": 22, - "backendPort": 22, - "enableFloatingIP": false, - "idleTimeoutInMinutes": 4, - "LBFEName": "SSH" - } - ], - "Probes": [ - // { - // "ProbeName": "HTTP", - // "LBBEProbePort": 80 - // } - // { - // "ProbeName": "HTTPS", - // "LBBEProbePort": 
443, - // "protocol": "Tcp" - // } - ], - "Services": [ - // { - // "LBFEName": "APIM", - // "LBBEName": "APIM", - // "RuleName": "APIM-HTTPS", - // "LBFEPort": 443, - // "LBBEPort": 443, - // "ProbeName": "HTTPS", - // "DirectReturn": false - // } - ] - } - ], - "Appservers": { - "AppServers": [ - { - "Name": "UBU01", - "Role": "UBU", - "_DSC": "PULL", - "_DDRole": "64GB", - "OSType": "ubuntu-server-focal", - "runCommands": "setupUbuntu.sh", - "OSstorageAccountType": "Standard_LRS", - "HotPatch": true, - "HRW": 0, - "DeployJIT": 1, - "_shutdown": { - "time": "2100", - "enabled": 0 - }, - "Zone": 1, - "NICs": [ - { - "Subnet": "snFE01", - "Primary": 1, - "FastNic": 1, - "StaticIP": "61", - "PublicIP": "Static" - // "PLB": "SSH01", - // "NATRules": [ - // "SSH" - // ] - } - ] - }, - { - "Name": "JMP01", - "Role": "JMP", - "DDRole": "64GB", - "OSType": "Server2022", //"Server2022", - "runCommands": "setupWindows.ps1", - "ExcludeAdminCenter": 1, - "ExcludeDomainJoin": 1, - "OSstorageAccountType": "Standard_LRS", - "HotPatch": true, - "HRW": 0, - "DeployJIT": 0, - "shutdown": { - "time": "2100", - "enabled": 0 - }, - "Zone": 1, - "NICs": [ - { - "Subnet": "snFE01", - "Primary": 1, - "FastNic": 1, - "PublicIP": "Static", - "StaticIP": "62" - } - ] - }, - { - "Name": "JMP02", - "Role": "JMP", - "DDRole": "64GB", - "OSType": "Server2022", //"Server2022", - "runCommands": "setupWindows.ps1", - "ExcludeAdminCenter": 0, - "ExcludeDomainJoin": 1, - "OSstorageAccountType": "Standard_LRS", - "HotPatch": true, - "HRW": 0, - "DeployJIT": 0, - "shutdown": { - "time": "2100", - "enabled": 0 - }, - "Zone": 1, - "NICs": [ - { - "Subnet": "snFE01", - "Primary": 1, - "FastNic": 1, - "PublicIP": "Static", - "StaticIP": "63" - } - ] - } - ] - }, - "APIMInfo": [ - { - "name": "01", - "apimSku": "Premium", - "Subnet": "snAPIM01", - "virtualNetworkType": "Internal", - "_redisCache": "APIM01", - "stv1": 0, - "capacity": 1, - "_publicAccess": 0, - "_privateLinkInfo": [ - { - "Subnet": 
"snAPIM01", - "groupID": "Gateway" - } - ], - "_SSLCerts": [ - { - "name": "api.ppe", - "zone": "aginow.net", - "createCert": 1 - } - ], - "_additionalLocations": [ - { - "prefix": "AEU1", - "Subnet": "snAPIM01", - "capacity": 1, - "_privateLinkInfo": [ - { - "Subnet": "snAPIM01", - "groupID": "Gateway" - } - ] - } - ] - } - ] - } - } - } +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { // AKS + "Prefix": { + "value": "AEU1" + }, + "Environment": { + "value": "D" + }, + "DeploymentID": { + "value": "2" + }, + "Stage": { + "value": { + "RG": 1, + "RBAC": 1, + "PIM": 0, + "UAI": 1, + "SP": 0, + "KV": 0, + "OMS": 1, + "OMSSolutions": 1, + "OMSDataSources": 1, + "OMSUpdateWeekly": 0, + "OMSUpdateMonthly": 0, + "OMSUpates": 1, + "SA": 1, + "CDN": 0, + "StorageSync": 0, + "RSV": 0, + "NSG": 1, + "NetworkWatcher": 0, + "FlowLogs": 1, + "VNet": 1, + "VNetDDOS": 0, + "VNetPeering": 1, + "DNSPublicZone": 0, + "DNSPrivateZone": 0, + "LinkPrivateDns": 0, + "PrivateLink": 1, + "BastionHost": 0, + "CloudShellRelay": 0, + "RT": 0, + "FW": 0, + "VNGW": 0, + "NATGW": 0, // disable based on cost in lab + "ERGW": 0, + "LB": 0, + "TM": 0, + "WAFPOLICY": 1, + "WAF": 0, // + "FRONTDOORPOLICY": 0, + "FRONTDOOR": 0, + "SetExternalDNS": 0, + "SetInternalDNS": 0, + "APPCONFIG": 0, + "REDIS": 0, + "APIM": 0, + "ACR": 0, + "SQLMI": 0, + "CosmosDB": 0, + "DASHBOARD": 0, + "ServerFarm": 0, + "WebSite": 0, + "WebSiteContainer": 0, + "ManagedEnv": 0, + "ContainerApp": 0, + "MySQLDB": 0, + "Function": 0, + "SB": 0, + "LT": 0, + "AzureSYN": 0, + // below require secrets from KV + "VMSS": 0, + "ACI": 0, + "AKS": 0, // + "AzureSQL": 0, + "SFM": 0, + "SFMNP": 0, + // VM templates + "ADPrimary": 0, + "ADSecondary": 0, + "InitialDOP": 0, + "VMApp": 0, + "VMAppLinux": 0, + "VMSQL": 0, + "VMFILE": 0 + } + }, + "Extensions": { + "value": { + "MonitoringAgent": 1, + "IaaSDiagnostics": 1, + "DependencyAgent": 
1, + "AzureMonitorAgent": 1, + "GuestHealthAgent": 1, + "VMInsights": 1, + "AdminCenter": 1, + "BackupWindowsWorkloadSQL": 0, + "DSC": 0, + "GuestConfig": 1, + "Scripts": 1, + "MSI": 1, + "CertMgmt": 0, + "DomainJoin": 1, + "AADLogin": 0, + "WindowsOpenSSH": 0, + "Antimalware": 1, + "VMSSAzureADEnabled": 0, + "SqlIaasExtension": 0, + "AzureDefender": 0, + "chefClient": 0 + } + }, + "DeploymentInfo": { + "value": { + "uaiInfo": [ + { + "Name": "Reader", + "RBAC": [ + { + "Name": "Reader" + } + ] + }, + { + "name": "GlobalAcrPull", + "RBAC": [ + { + "Name": "AcrPull", + "RG": "G1", + "Tenant": "HUB", + "Prefix": "ACU1" + } + ] + }, + { + "name": "ML", + "RBAC": [ + { + "Name": "AcrPull", + "RG": "G1", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Key Vault Reader", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + } + // { + // "Name": "Key Vault Administrator", + // "RG": "P0", + // "Tenant": "HUB" + // }, + // { + // "Name": "Desktop Virtualization Virtual Machine Contributor", // only built in role with 'MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION' + // "RG": "P0", + // "Tenant": "HUB" + // } + ] + }, + { + "name": "KeyVaultSecretsGet", + "RBAC": [ + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + } + ] + }, + { + "name": "AKSCluster", + "RBAC": [ + { + "Name": "Private DNS Zone Contributor", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Key Vault Certificates Officer", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Network Contributor" + }, + { + "Name": "Managed Identity Operator" + } + ] + }, + { + "name": "Automation", + "RBAC": [ + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Storage Account 
Contributor" + }, + { + "Name": "Storage Queue Data Contributor" + }, + { + "Name": "Storage Blob Data Owner" + } + ] + }, + { + "name": "AppService", + "RBAC": [ + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Storage Account Contributor" + }, + { + "Name": "Storage Queue Data Contributor" + }, + { + "Name": "Storage Blob Data Owner" + }, + { + "Name": "Reader" + } + ] + }, + { + "name": "StorageAccountFileContributor", + "RBAC": [ + { + "Name": "Storage File Data SMB Share Contributor", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Storage Blob Data Contributor", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Storage Queue Data Contributor", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + } + ] + }, + { + "Name": "CertificateRequest", + "RBAC": [ + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Key Vault Certificates Officer", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + } + ] + } + ], + "rolesInfo": [ + { + "Name": "brwilkinson", + "RBAC": [ + { + "Name": "Contributor" + } + ] + } + // { + // "Name": "AzureKeyVault", + // "RBAC": [ + // { + // "Name": "Storage Account Key Operator Service Role" + // } + // ] + // } + ], + "PIMInfo": [], + "SPInfo": [ + { + "Name": "ADO_{ADOProject}_{RGNAME}", + "RBAC": [ + { + "Name": "Contributor" + }, + // { + // "Name": "DeploymentScripts_Contributor" + // }, + // { + // "Name": "Managed Identity Operator" + // }, + // { + // "Name": "Monitoring Contributor" + // }, + // { + // "Name": "Load Test Owner" + // }, + { + "Name": "DNS Zone Contributor", + "RG": "G1", + "Prefix": "ACU1", + "Tenant": "HUB" + }, + { + "Name": "Reader and Data Access", + "RG": "G1", + "Prefix": "ACU1", + "Tenant": "HUB" + }, + { + "Name": "Storage Account Contributor", + "RG": "G1", + "Prefix": "ACU1", + "Tenant": "HUB" + }, + { + "Name": "Log Analytics 
Contributor", + "RG": "G1", + "Prefix": "ACU1", + "Tenant": "HUB" + }, + // { + // "Name": "Automation_Account_Contributor", + // "RG": "P0", + // "Tenant": "HUB" + // }, + { + "Name": "Desktop Virtualization Virtual Machine Contributor", // only built in role with 'MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION' + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Key Vault Secrets User", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + }, + { + "Name": "Network Contributor", + "RG": "P0", + "Tenant": "HUB", + "Prefix": "ACU1" + } + // { + // "Name": "DNS Zone Contributor", + // "RG": "P0", + // "Tenant": "HUB" + // }, + // { + // "Name": "DNS Zone Contributor", + // "RG": "P0", + // "Tenant": "HUB", + // "PREFIX": "AEU2" + // } + ] + } + ], + "SubnetInfo": [ // 8 * /27 + 3 * /23 + // { + // "name": "snAD01", + // "prefix": "0/27", + // "NSG": 1, + // "FlowLogEnabled": 1, + // "FlowAnalyticsEnabled": 1, + // "NGW": 1 + // }, + // leave above open for DNS Resolver + // { + // "name": "snFE02", + // "prefix": "32/27", + // "NSG": 1, + // "FlowLogEnabled": 1, + // "FlowAnalyticsEnabled": 1, + // "NGW": 1 + // }, + // { + // "name": "snMT02", + // "prefix": "64/27", + // "NSG": 1, + // "FlowLogEnabled": 1, + // "FlowAnalyticsEnabled": 1, + // "delegations": "Microsoft.Web/serverfarms", + // "NGW": 1 + // }, + { + "name": "snMT03", + "prefix": "96/27", + "NSG": 1, + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1, + "delegations": "Microsoft.App/environments", //"Microsoft.ContainerInstance/containerGroups", + "NGW": 0 // disable temp based on $s + }, + { + "name": "snAPIM01", + "NSGRuleName": "APIM", // APIM Dedicated + "prefix": "128/27", + "NSG": 1, + "Route": 0, //1 + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1, + "NGW": 0 // disable temp based on $s + }, + // { + // "name": "snBE03", + // "prefix": "160/27", + // "NSG": 1, + // "Route": 0, //1 + // "FlowLogEnabled": 1, + // "FlowAnalyticsEnabled": 1, + // "NGW": 1 + // }, + { + "name": 
"AzureBastionSubnet", + "prefix": "192/26", + "NSG": 1, + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1, + "NGW": 0 // disable temp based on $s + }, + { + "name": "waf01-subnet", // WAF dedicated + "NSGRuleName": "SNWAF01", + "AddDeploymentPrefix": 1, + "prefix": "0/24", + "NSG": 1, + "Route": 0, + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1 + }, + { + "name": "snFE01", + "prefix": "0/23", + "NSG": 1, + "Route": 0, //1 + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1, + "NGW": 0 // disable temp based on $s + }, + { + "name": "snMT01", + "prefix": "0/23", + "NSG": 1, + "Route": 0, //1 + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1, + "NGW": 0 // disable temp based on $s + }, + { + "name": "snMT02", + "prefix": "0/23", + "NSG": 1, + "Route": 0, //1 + "FlowLogEnabled": 1, + "FlowAnalyticsEnabled": 1, + "NGW": 0 // disable temp based on $s + } + ], + "NatGWInfo": [ + { + "Name": "NAT01", + "PIPCount": 1 + } + ], + "BastionInfo": { + "name": "HST01", + "enableTunneling": 1, + "scaleUnits": 2 + }, + "saInfo": [ + { + "name": "diag", + "skuName": "Standard_LRS", + "allNetworks": 1, + "logging": { + "r": 0, + "w": 0, + "d": 1 + }, + "blobVersioning": 1, + "changeFeed": 1, + "softDeletePolicy": { + "enabled": 1, + "days": 7 + }, + "PrivateLinkInfo": [ + { + "Subnet": "snFE01", + "groupID": "blob" + }, + { + "Subnet": "snFE01", + "groupID": "file" + } + ], + "containers": [ + { + "name": "runbooks" + } + ] + }, + { + "name": "data1", + "skuName": "Standard_LRS", + "allNetworks": 1, + "logging": { + "r": 0, + "w": 0, + "d": 1 + }, + "blobVersioning": 1, + "changeFeed": 1, + "softDeletePolicy": { + "enabled": 1, + "days": 7 + }, + "containers": [ + { + "name": "vmrequest" + } + ] + } + ], + "KVInfo": [ + { + "Name": "App01", + "skuName": "standard", + "softDelete": true, + "PurgeProtection": true, + "RbacAuthorization": true, + "UserAssignedIdentity": { + "name": "KeyVaultSecretsGetApp", + "permission": "SecretsGetAndList" + }, + "allNetworks": 1, + 
"privateLinkInfo": [ + { + "Subnet": "snFE01", + "groupID": "vault" + } + ], + "_rolesInfo": [ + { + "Name": "BenWilkinson", + "RBAC": [ + { + "Name": "Key Vault Administrator" + } + ] + } + ] + } + ], + "OMSSolutions": [ + "AzureAutomation", + "ChangeTracking", + "AzureActivity", + "DnsAnalytics", + "AlertManagement", + "NetworkMonitoring", + "InfrastructureInsights", + "VMInsights", + "SecurityInsights", + // testing + "WindowsDefenderATP", + "KeyVaultAnalytics" + // "BehaviorAnalyticsInsights", + // "ServiceFabric" + // disabled + // "Updates", + // "AgentHealthAssessment", + // "ADAssessment", + // "ADReplication", + // "SQLAssessment", + // "AntiMalware", + // "AzureWebAppsAnalytics", + // "CapacityPerformance", + // "Containers", + // "ContainerInsights", + // "SQLAdvancedThreatProtection", + // "AzureSQLAnalytics", + // "AzureNSGAnalytics" + ], + "appConfigurationInfo": [ + { + "name": "01", + "sku": "standard", + "publicNetworkAccess": 1 + } + ], + "WAFPolicyInfo": [ + { + "Name": "AGIC01", + "State": "Enabled", + "Mode": "Prevention", + "ruleSetVersion": "3.2", // New rules engine high performance and load capabilities + "enableBotRule": 1, + "customRules": [], + "exclusions": [] + } + ], + "LoadTestInfo": [ + { + "Name": "APIWebTest01", + "location": "westus2" + } + ], + "WAFInfo": [ + { + "Name": "AGIC01", + "WAFPolicyAttached": 1, + "WAFPolicyName": "AGIC01", + "WAFTier": "WAF_v2", + "PrivateIP": "240", + "SSLCerts": [ + { + "name": "AGIC01", + "zone": "aginow.net", + "createCert": 1, + "DnsNames": [ + "*.aginow.net" + ] + } + ], + "_privateLinkInfo": [ + { + "Subnet": "snMT01", + "groupID": "frontendPublic" + } + ], + "backendAddressPools": [ + { + "name": "AGIC01", + "BEIPs": [] + } + ], + "pathRules": [], + "probes": [ + { + "Name": "probe01", + "Path": "/", + "Protocol": "https", + "useBE": 1 + } + ], + "frontEndPorts": [ + { + "Port": 80 + }, + { + "Port": 443 + } + ], + "BackendHttp": [ + { + "Port": 443, + "Protocol": "https", + 
"CookieBasedAffinity": "Disabled", + "RequestTimeout": 600, + "probeName": "probe01", + "hostnameFromBE": 1 + } + ], + "Listeners": [ + { + "Port": 443, + "BackendPort": 443, + "Protocol": "https", + "Cert": "AGIC01", + "Domain": "aginow.net", + "Hostname": "AGIC01", + "HostnameExcludePrefix": 1, + "Interface": "Public" + }, + { + "Port": 80, + "Protocol": "http", + "Domain": "aginow.net", + "Hostname": "AGIC01", + "HostnameExcludePrefix": 1, + "Interface": "Public", + "httpsRedirect": 1 + } + ] + } + ], + "AKSInfo": [ + { + "Name": "01", + "Version": "1.25.6", + "skuTier": "Free", //Free + "podIdentity": 0, + "privateCluster": 0, + "AllowALLIPs": 1, // Add in NAT Public IP to allow range for VMSSCSE to work. + "AgentPoolsSN": "snMT01", + "WAFName": "AGIC01", + "BrownFields": 0, + "AppGateway": 1, + "AutoScale": 1, + "enableRBAC": 1, + "enableOSM": 0, + "enableIstio": 1, + "enableIngressAppRouting": 0, + "enableAppRoutingDNS": 0, + "enableDefender": 0, + "enablePolicy": 0, + "enableaciConnector": 0, + "aksAADAdminGroups": [ + "brwilkinson" + ], + "namespaces": [ + { + "name": "testrbac", + "rolesInfo": [ + { + "Name": "brwilkinson", + "RBAC": [ + { + "Name": "Azure Kubernetes Service RBAC Writer" + } + ] + } + ] + } + ], + "AgentPools": [ + { + "name": "system01", + "count": 1, + "osDiskSizeGb": 0, // 0 use default size + "osType": "Linux", + "osSKU": "Mariner", + "maxPods": 110, + "vmSize": "Standard_B4ms", // "Standard_D2ads_v5", // AMD --> "Standard_D2plds_v5", Standard_D2ps_v5 // NON AMD Standard_D2ads_v5 + "mode": "System", + "subnet": "snMT01" + } + // { + // "name": "user01", + // "count": 1, + // "maxcount": 1, + // "osDiskSizeGb": 0, + // "osType": "Linux", + // "osSKU": "Mariner", + // "maxPods": 250, + // "vmSize": "Standard_D2ads_v5", + // "mode": "User", + // "subnet": "snMT02" + // } + ] + } + ], + "MLWorkspaceInfo": [ + { + "Name": "03", + "UAI": "ML", + "skuTier": "Basic" //Enterprise + // "KV": "App01" + } + ], + "managedEnvInfo": [ + { + "Name": 
"02", + "_Subnet": "snMT03", + // "internal": 0, + "workloadProfiles": [ + { + "workloadProfileType": "Consumption", + "name": "Consumption" + } + ] + // { + // "workloadProfileType": "D4", + // "name": "Dedicated-D4", + // "minimumCount": 1, + // "maximumCount": 1 + // } + // ] + } + ], + "containerAppInfo": [ + { + "Name": "01", + "kubeENV": "02", + "image": "mcr.microsoft.com/azuredocs/aks-helloworld:v1", + "imagename": "simple-hello-world-container", + "title": "Hello World 12" + } + // { + // "Name": "02", + // "kubeENV": "01", + // "workloadProfileName": "Dedicated-D4" + // } + ], + "appServiceplanInfo": [ + { + "Name": "WPS01", + "kind": "app", + "perSiteScaling": false, + "reserved": false, + "skuname": "P1v2", + "skutier": "PremiumV2", + "skucapacity": 1, + "deploy": 1 + }, + { + "Name": "ASP01", + "kind": "elastic", + "perSiteScaling": false, + "reserved": false, + "skuname": "EP1", + "skutier": "ElasticPremium", + "skucapacity": 1, + "maxWorkerCount": 100, + "deploy": 1 + } + ], + "FunctionInfo": [ + { + "Name": "VMR01", + "kind": "functionapp", + "AppSVCPlan": "ASP01", + "saname": "data1", + "stack": "powershell", + "_Subnet": "snMT01", + "preWarmedCount": 1, + "customDNS": 0, + "_authsettingsV2": { + "applicationId": "84a491fe-f713-42f9-8e13-66bfb5dcc09b", // clientid needs access to the keyvault to read the secret + "requireAuthentication": 1 + } + } + ], + "WebSiteInfo": [ + { + "Name": "WPS01", + "kind": "app", + "AppSVCPlan": "WPS01", + "stack": "dotnet", + "saname": "diag", + "customDNS": 0, + "_privateLinkInfo": [ + { + "Subnet": "snFE01", + "groupID": "sites" + } + ] + }, + { + "Name": "WPS02", + "kind": "app", + "AppSVCPlan": "WPS01", + "stack": "dotnet", + "saname": "diag", + "customDNS": 0, + "_privateLinkInfo": [ + { + "Subnet": "snFE01", + "groupID": "sites" + } + ] + } + ], + "LBInfo": [ + { + "Name": "SSH01", + "Sku": "Standard", + "Type": "Public", + "BackEnd": [ + "SSH01" + ], + "FrontEnd": [ + { + "LBFEName": "SSH", + "PublicIP": 
"Static" + } + ], + "NATRules": [ + { + "Name": "SSH", + "protocol": "Tcp", + "frontendPort": 22, + "backendPort": 22, + "enableFloatingIP": false, + "idleTimeoutInMinutes": 4, + "LBFEName": "SSH" + } + ], + "Probes": [ + // { + // "ProbeName": "HTTP", + // "LBBEProbePort": 80 + // } + // { + // "ProbeName": "HTTPS", + // "LBBEProbePort": 443, + // "protocol": "Tcp" + // } + ], + "Services": [ + // { + // "LBFEName": "APIM", + // "LBBEName": "APIM", + // "RuleName": "APIM-HTTPS", + // "LBFEPort": 443, + // "LBBEPort": 443, + // "ProbeName": "HTTPS", + // "DirectReturn": false + // } + ] + } + ], + "Appservers": { + "AppServers": [ + { + "Name": "UBU01", + "Role": "UBU", + "_DSC": "PULL", + "_DDRole": "64GB", + "OSType": "ubuntu-server-focal", + "runCommands": "setupUbuntu.sh", + "OSstorageAccountType": "Standard_LRS", + "HotPatch": true, + "HRW": 0, + "DeployJIT": 1, + "_shutdown": { + "time": "2100", + "enabled": 0 + }, + "Zone": 1, + "NICs": [ + { + "Subnet": "snFE01", + "Primary": 1, + "FastNic": 1, + "StaticIP": "61", + "PublicIP": "Static" + // "PLB": "SSH01", + // "NATRules": [ + // "SSH" + // ] + } + ] + }, + { + "Name": "JMP01", + "Role": "JMP", + "DDRole": "64GB", + "OSType": "Server2022", //"Server2022", + "runCommands": "setupWindows.ps1", + "ExcludeAdminCenter": 1, + "ExcludeDomainJoin": 1, + "OSstorageAccountType": "Standard_LRS", + "HotPatch": true, + "HRW": 0, + "DeployJIT": 0, + "shutdown": { + "time": "2100", + "enabled": 0 + }, + "Zone": 1, + "NICs": [ + { + "Subnet": "snFE01", + "Primary": 1, + "FastNic": 1, + "PublicIP": "Static", + "StaticIP": "62" + } + ] + }, + { + "Name": "JMP02", + "Role": "JMP", + "DDRole": "64GB", + "OSType": "Server2022", //"Server2022", + "runCommands": "setupWindows.ps1", + "ExcludeAdminCenter": 0, + "ExcludeDomainJoin": 1, + "OSstorageAccountType": "Standard_LRS", + "HotPatch": true, + "HRW": 0, + "DeployJIT": 0, + "shutdown": { + "time": "2100", + "enabled": 0 + }, + "Zone": 1, + "NICs": [ + { + "Subnet": "snFE01", + 
"Primary": 1, + "FastNic": 1, + "PublicIP": "Static", + "StaticIP": "63" + } + ] + } + ] + }, + "APIMInfo": [ + { + "name": "01", + "apimSku": "Premium", + "Subnet": "snAPIM01", + "virtualNetworkType": "Internal", + "_redisCache": "APIM01", + "stv1": 0, + "capacity": 1, + "_publicAccess": 0, + "_privateLinkInfo": [ + { + "Subnet": "snAPIM01", + "groupID": "Gateway" + } + ], + "_SSLCerts": [ + { + "name": "api.ppe", + "zone": "aginow.net", + "createCert": 1 + } + ], + "_additionalLocations": [ + { + "prefix": "AEU1", + "Subnet": "snAPIM01", + "capacity": 1, + "_privateLinkInfo": [ + { + "Subnet": "snAPIM01", + "groupID": "Gateway" + } + ] + } + ] + } + ] + } + } + } } \ No newline at end of file diff --git a/ADF/bicep/01-ALL-RG.bicep b/ADF/bicep/01-ALL-RG.bicep index 73465c31..c9a32bba 100644 --- a/ADF/bicep/01-ALL-RG.bicep +++ b/ADF/bicep/01-ALL-RG.bicep 
@@ -285,58 +285,58 @@ module dp_Deployment_DNSResolver 'DNSResolver.bicep' = if (bool(Stage.?DNSResolv ] } -/* -module dp_Deployment_CloudTestAccount 'CloudTestAccount.bicep' = if (bool(Stage.?CloudTestAccount ?? 0)) { - name: 'dp${Deployment}-CloudTestAccount' - params: { - // move these to Splatting later - DeploymentID: DeploymentID - DeploymentInfo: DeploymentInfo - Environment: Environment - Extensions: Extensions - Global: Global - Prefix: Prefix - Stage: Stage - } - dependsOn: [ - dp_Deployment_VNET - ] -} +// /* +// module dp_Deployment_CloudTestAccount 'CloudTestAccount.bicep' = if (bool(Stage.?CloudTestAccount ?? 0)) { +// name: 'dp${Deployment}-CloudTestAccount' +// params: { +// // move these to Splatting later +// DeploymentID: DeploymentID +// DeploymentInfo: DeploymentInfo +// Environment: Environment +// Extensions: Extensions +// Global: Global +// Prefix: Prefix +// Stage: Stage +// } +// dependsOn: [ +// dp_Deployment_VNET +// ] +// } -module dp_Deployment_CloudTestImages 'CloudTestImage.bicep' = if (bool(Stage.?CloudTestImages ?? 0)) { - name: 'dp${Deployment}-CloudTestImages' - params: { - // move these to Splatting later - DeploymentID: DeploymentID - DeploymentInfo: DeploymentInfo - Environment: Environment - Extensions: Extensions - Global: Global - Prefix: Prefix - Stage: Stage - } - dependsOn: [ - dp_Deployment_VNET - ] -} +// module dp_Deployment_CloudTestImages 'CloudTestImage.bicep' = if (bool(Stage.?CloudTestImages ?? 0)) { +// name: 'dp${Deployment}-CloudTestImages' +// params: { +// // move these to Splatting later +// DeploymentID: DeploymentID +// DeploymentInfo: DeploymentInfo +// Environment: Environment +// Extensions: Extensions +// Global: Global +// Prefix: Prefix +// Stage: Stage +// } +// dependsOn: [ +// dp_Deployment_VNET +// ] +// } -module dp_Deployment_CloudTestHostedPool 'CloudTestDevOpsPool.bicep' = if (bool(Stage.?CloudTestHostedPool ?? 
0)) { - name: 'dp${Deployment}-CloudTestHostedPool' - params: { - // move these to Splatting later - DeploymentID: DeploymentID - DeploymentInfo: DeploymentInfo - Environment: Environment - Extensions: Extensions - Global: Global - Prefix: Prefix - Stage: Stage - } - dependsOn: [ - dp_Deployment_VNET - ] -} -*/ +// module dp_Deployment_CloudTestHostedPool 'CloudTestDevOpsPool.bicep' = if (bool(Stage.?CloudTestHostedPool ?? 0)) { +// name: 'dp${Deployment}-CloudTestHostedPool' +// params: { +// // move these to Splatting later +// DeploymentID: DeploymentID +// DeploymentInfo: DeploymentInfo +// Environment: Environment +// Extensions: Extensions +// Global: Global +// Prefix: Prefix +// Stage: Stage +// } +// dependsOn: [ +// dp_Deployment_VNET +// ] +// } +// */ module dp_Deployment_KV 'KV.bicep' = if (bool(Stage.KV)) { name: 'dp${Deployment}-KV' 
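Review bot: The three CloudTest modules stay in the file as dead code, now as `//` line comments wrapped in a redundant `// /*` … `// */` pair on the first and last added lines; a block-comment marker inside a line comment does nothing, so either delete the block and rely on git history or at least drop those two wrapper lines. The same comment-out pattern is applied to the SFMNP module in the hunk at @@ -590. If the modules are parked deliberately, a single line above them such as `// CloudTest modules disabled: <reason>; restore from git history` records why.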
@@ -590,26 +590,26 @@ module dp_Deployment_SFM 'SFM.bicep' = if (bool(Stage.?SFM ?? 0)) { ] } -module dp_Deployment_SFMNP 'SFMNP.bicep' = if (bool(Stage.?SFMNP ?? 0)) { - name: 'dp${Deployment}-SFMNP' - params: { - // move these to Splatting later - DeploymentID: DeploymentID - DeploymentInfo: DeploymentInfo - Environment: Environment - Extensions: Extensions - Global: Global - Prefix: Prefix - Stage: Stage - } - dependsOn: [ - dp_Deployment_VNET - dp_Deployment_DNSResolver - dp_Deployment_LB - dp_Deployment_SFM - dp_Deployment_APPCONFIG - ] -} +// module dp_Deployment_SFMNP 'SFMNP.bicep' = if (bool(Stage.?SFMNP ?? 0)) { +// name: 'dp${Deployment}-SFMNP' +// params: { +// // move these to Splatting later +// DeploymentID: DeploymentID +// DeploymentInfo: DeploymentInfo +// Environment: Environment +// Extensions: Extensions +// Global: Global +// Prefix: Prefix +// Stage: Stage +// } +// dependsOn: [ +// dp_Deployment_VNET +// dp_Deployment_DNSResolver +// dp_Deployment_LB +// dp_Deployment_SFM +// dp_Deployment_APPCONFIG +// ] +// } module dp_Deployment_KVCert 'KVCertificate.bicep' = if (bool(Stage.?KVCert ?? 0)) { name: 'dp${Deployment}-KVCertificate' diff --git a/ADF/bicep/SA-Storage.bicep b/ADF/bicep/SA-Storage.bicep index 46dc459e..dd5e5865 100644 --- a/ADF/bicep/SA-Storage.bicep +++ b/ADF/bicep/SA-Storage.bicep @@ -47,6 +47,7 @@ var fileShares = contains(storageInfo, 'fileShares') ? storageInfo.fileShares : var containers = contains(storageInfo, 'containers') ? storageInfo.containers : [] resource SA 'Microsoft.Storage/storageAccounts@2021-09-01' = { + #disable-next-line BCP334 name: toLower('${DeploymentURI}sa${storageInfo.name}') location: resourceGroup().location sku: { diff --git a/ADF/bicep/VNET.bicep b/ADF/bicep/VNET.bicep index d4785d77..be1ed13f 100644 --- a/ADF/bicep/VNET.bicep +++ b/ADF/bicep/VNET.bicep @@ -123,6 +123,7 @@ resource VNETDiagnostics 'microsoft.insights/diagnosticSettings@2017-05-01-previ } dependsOn: [ VNETAll + VNET ] } 
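Review bot: Commenting out `dp_Deployment_SFMNP` leaves the `SFMNP` stage flag dangling: both `.bicepparam` files added in this commit still carry `SFMNP: 0` in `param Stage`, so a tenant that flips it to 1 now deploys nothing and gets no diagnostic. Either remove the key from the `Stage` objects or record the retirement beside the commented module, e.g. `// SFMNP module retired; Stage.SFMNP is ignored`. The CloudTest flags in the preceding hunk have the same exposure if any tenant sets them.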
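Review bot: `#disable-next-line BCP334` silences the length diagnostic on the storage account `name` without recording why the suppression is safe; Azure storage account names must be 3–24 characters, and `toLower('${DeploymentURI}sa${storageInfo.name}')` is bounded only by whatever `DeploymentURI` and `storageInfo.name` hold at deploy time. If those inputs are constrained elsewhere, say so above the directive, e.g. `// BCP334: DeploymentURI + 'sa' + storageInfo.name stays within the 3-24 char storage-account limit by convention in the tenant parameter files`; otherwise bounding the expression explicitly in the template would make the limit visible instead of hidden behind the suppression. The resource body continues outside the hunk.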
@@ -145,6 +146,7 @@ resource VNETPeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2 } dependsOn: [ VNETAll + VNETDiagnostics ] } @@ -160,8 +162,9 @@ module VNETPeeringHUB 'VNET-Peering.bicep' = if (bool(Stage.VNetPeering)) { } dependsOn: [ VNETAll + VNETPeering ] } output VNetID array = addressPrefixes -output subnetIdArray array = [for (item, index) in SubnetInfo: VNET.properties.subnets[index].id] +// output subnetIdArray array = [for (item, index) in SubnetInfo: VNET.properties.subnets[index].id] diff --git a/ADF/bicep/bicepconfig.json b/ADF/bicep/bicepconfig.json index e407de11..9ef4850b 100644 --- a/ADF/bicep/bicepconfig.json +++ b/ADF/bicep/bicepconfig.json @@ -1,10 +1,11 @@ { "experimentalFeaturesEnabled": { - // "paramsFiles": false, // now GA - // "extensibility": true, - // "resourceTypedParamsAndOutputs": false, - // "userDefinedTypes": false, - // "symbolicNameCodegen": true + "extensibility": true, + "compileTimeImports": true, + "symbolicNameCodegen": true, + "userDefinedFunctions": true, + "resourceTypedParamsAndOutputs": true, + "prettyPrinting": true }, "analyzers": { "core": { diff --git a/ADF/bicep/x.RBAC-ALL-RA-Resource.bicep b/ADF/bicep/x.RBAC-ALL-RA-Resource.bicep index 0938dd21..8fdd2a94 100644 --- a/ADF/bicep/x.RBAC-ALL-RA-Resource.bicep +++ b/ADF/bicep/x.RBAC-ALL-RA-Resource.bicep @@ -22,6 +22,7 @@ param roledescription string = '' // leave these for logging in the portal // var resourceid = join(string(segment)), '","', ''), '["', ''), '"]', '') // currently no join() method // // ---------------------------------------------- +#disable-next-line no-deployments-resources resource ResourceRoleAssignment 'Microsoft.Resources/deployments@2021-04-01' = { name: take('dp-RRA-${description}-${last(split(resourceId,'/'))}',64) properties: { diff --git a/ADF/release-az/ADOHelper.psm1 b/ADF/release-az/ADOHelper.psm1 index 13b78843..29727e2c 100644 --- a/ADF/release-az/ADOHelper.psm1 +++ b/ADF/release-az/ADOHelper.psm1 
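Review bot: Commenting out `output subnetIdArray` is a breaking change for any module or pipeline that reads `dp_Deployment_VNET.outputs.subnetIdArray`; nothing in this hunk replaces it, so either keep the output until consumers are migrated or leave a comment on the commented line stating where callers now obtain subnet ids. The three added `dependsOn` entries turn VNET, VNETDiagnostics, VNETPeering and VNETPeeringHUB into a serial chain; if that ordering works around a concurrent-update error on the VNet, a comment at the first one, e.g. `VNET // serialize: avoids concurrent subnet updates — TODO confirm still needed`, stops a later cleanup from removing it. The resource and module bodies start outside these hunks.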
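Review bot: Six entries are switched on under `experimentalFeaturesEnabled` in the shared `bicepconfig.json`, where the removed lines only listed them as disabled; experimental flags can change behaviour or disappear between Bicep releases, and `symbolicNameCodegen` changes the shape of the ARM template emitted for every file in the repo. The `.bicepparam` files added in this commit use `using` and `loadJsonContent`, which need none of these, so nothing visible here requires the change. Enable only the feature some template actually needs and name that file beside it, e.g. `"userDefinedFunctions": true, // needed by <template file>` (this file already carries `//` comments, so the annotation is allowed).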
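Review bot: `#disable-next-line no-deployments-resources` suppresses the lint rule against declaring `Microsoft.Resources/deployments` directly, but nothing records why a nested deployment is used here instead of a module, so the question will be re-raised on the next review of this file. If the reason is that the role assignment targets an arbitrary `resourceId` string (which is what the `name` expression below suggests), say so above the directive, e.g. `// nested deployment kept: target scope is an arbitrary resourceId string — TODO confirm a module scope cannot take it`; if there is no such reason, convert it to a module and drop the suppression. The resource's `properties` block continues outside the hunk.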
@@ -1,4 +1,6 @@ +<# #requires -Modules Az.Accounts,Az.KeyVault,Az.ServiceFabric +#> function validateTenant { @@ -393,9 +395,11 @@ function Set-ADOSFMServiceConnection function Set-ADOAZServiceConnection { - #Requires -Module Microsoft.Graph.Applications - #Requires -Module Microsoft.Graph.Authentication - #Requires -Module AZ.Accounts +<# + # Requires -Module Microsoft.Graph.Applications + # Requires -Module Microsoft.Graph.Authentication + # Requires -Module AZ.Accounts +#> param ( [ValidateSet('ACU1', 'AEU2', 'AEU1', 'AWCU')] @@ -726,10 +730,11 @@ function Set-ADOServiceConnectionAdmin function New-ADOAZServiceConnection { +<# #Requires -Module Microsoft.Graph.Applications #Requires -Module Microsoft.Graph.Authentication #Requires -Module AZ.Accounts - +#> <# .SYNOPSIS Generate a new AZ Service Connection diff --git a/ADF/tenants/AKS/ACU1.D1.ado-pipelines-All.yml b/ADF/tenants/AKS/ACU1.D1.ado-pipelines-All.yml index 76ff39f3..2e5c135d 100644 --- a/ADF/tenants/AKS/ACU1.D1.ado-pipelines-All.yml +++ b/ADF/tenants/AKS/ACU1.D1.ado-pipelines-All.yml @@ -4,7 +4,7 @@ trigger: none # include: [ main ] # paths: # include: - # - ADF/tenants/AKS/ACU1.D1.parameters.json + # - ADF/tenants/AKS/ACU1.D1.bicepparam # - ADF/tenants/AKS/ACU1.D1.ado-pipelines-All.yml variables: diff --git a/ADF/tenants/AKS/ACU1.D1.bicepparam b/ADF/tenants/AKS/ACU1.D1.bicepparam new file mode 100644 index 00000000..f1597c82 --- /dev/null +++ b/ADF/tenants/AKS/ACU1.D1.bicepparam 
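Review bot: Wrapping `#requires -Modules Az.Accounts,Az.KeyVault,Az.ServiceFabric` in `<# #>` in the first hunk removes the only module guard for the `.psm1`, so a host missing Az.KeyVault or Az.ServiceFabric now imports the module cleanly and fails later with a command-not-found inside whichever function first calls it; the Microsoft.Graph requirements in `Set-ADOAZServiceConnection` and `New-ADOAZServiceConnection` are parked the same way in the next two hunks. If the goal is to stop forcing Az.ServiceFabric and Microsoft.Graph on callers that never use the SFM or service-connection functions, keep a guard for the modules every function depends on and document the rest, e.g. `# Az.ServiceFabric and Microsoft.Graph.* are needed only by the SFM and service-connection functions; import them there`. Whether PowerShell enforces the function-level `#Requires` lines inside a module file is not shown here, so the top-of-file guard is the one that matters. The function bodies continue outside these hunks.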
@@ -0,0 +1,593 @@ +using '../../bicep/00-ALL-SUB.bicep' + +param Global = union( + loadJsonContent('Global-${Prefix}.json'), + loadJsonContent('Global-Global.json'), + loadJsonContent('Global-Config.json') +) + +param Prefix = 'ACU1' + +param Environment = 'D' + +param DeploymentID = '1' + +param Stage = { + RG: 1 + RBAC: 1 + PIM: 0 + UAI: 1 + SP: 1 + KV: 0 + OMS: 1 + OMSSolutions: 1 + OMSDataSources: 1 + OMSUpdateWeekly: 0 + OMSUpdateMonthly: 0 + OMSUpates: 1 + SA: 1 + CDN: 0 + StorageSync: 0 + RSV: 0 + NSG: 1 + NetworkWatcher: 0 + FlowLogs: 1 + VNet: 1 + VNetDDOS: 0 + VNetPeering: 1 + DNSPublicZone: 0 + DNSPrivateZone: 0 + LinkPrivateDns: 0 + PrivateLink: 0 + BastionHost: 0 + CloudShellRelay: 0 + RT: 0 + FW: 0 + VNGW: 0 + NATGW: 1 + ERGW: 0 + LB: 0 + TM: 0 + WAFPOLICY: 1 + WAF: 0 + FRONTDOORPOLICY: 0 + FRONTDOOR: 0 + SetExternalDNS: 0 + SetInternalDNS: 0 + APPCONFIG: 0 + REDIS: 0 + APIM: 0 + ACR: 0 + SQLMI: 0 + CosmosDB: 0 + DASHBOARD: 0 + ServerFarm: 0 + WebSite: 0 + WebSiteContainer: 0 + ManagedEnv: 0 + ContainerApp: 0 + MySQLDB: 0 + Function: 0 + SB: 0 + LT: 0 + AzureSYN: 0 + VMSS: 0 + ACI: 0 + AKS: 1 + AzureSQL: 0 + SFM: 0 + SFMNP: 0 + ADPrimary: 0 + ADSecondary: 0 + InitialDOP: 0 + VMApp: 0 + VMAppLinux: 0 + VMSQL: 0 + VMFILE: 0 +} + +param Extensions = { + MonitoringAgent: 1 + IaaSDiagnostics: 1 + DependencyAgent: 1 + AzureMonitorAgent: 1 + GuestHealthAgent: 1 + VMInsights: 1 + AdminCenter: 1 + BackupWindowsWorkloadSQL: 0 + DSC: 0 + GuestConfig: 1 + Scripts: 1 + MSI: 1 + CertMgmt: 0 + DomainJoin: 1 + AADLogin: 0 + WindowsOpenSSH: 0 + Antimalware: 1 + VMSSAzureADEnabled: 0 + SqlIaasExtension: 0 + AzureDefender: 0 + chefClient: 0 +} + +param DeploymentInfo = { + uaiInfo: [ + { + name: 'GlobalAcrPull' + RBAC: [ + { + Name: 'AcrPull' + RG: 'G1' + Tenant: 'HUB' + Prefix: 'ACU1' + } + ] + } + { + name: 'ML' + RBAC: [ + { + Name: 'AcrPull' + RG: 'G1' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 
'ACU1' + } + { + Name: 'Key Vault Reader' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + ] + } + { + name: 'KeyVaultSecretsGet' + RBAC: [ + { + Name: 'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + ] + } + { + name: 'AKSCluster' + RBAC: [ + { + Name: 'Private DNS Zone Contributor' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Key Vault Certificates Officer' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Network Contributor' + } + { + Name: 'Managed Identity Operator' + } + ] + } + { + name: 'Automation' + RBAC: [ + { + Name: 'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Storage Account Contributor' + } + { + Name: 'Storage Queue Data Contributor' + } + { + Name: 'Storage Blob Data Owner' + } + ] + } + { + name: 'StorageAccountFileContributor' + RBAC: [ + { + Name: 'Storage File Data SMB Share Contributor' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Storage Blob Data Contributor' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Storage Queue Data Contributor' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + ] + } + { + Name: 'CertificateRequest' + RBAC: [ + { + Name: 'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Key Vault Certificates Officer' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + ] + } + ] + rolesInfo: [ + { + Name: 'brwilkinson' + RBAC: [ + { + Name: 'Contributor' + } + ] + } + ] + PIMInfo: [] + SPInfo: [ + { + Name: 'ADO_{ADOProject}_{RGNAME}' + RBAC: [ + { + Name: 'Contributor' + } + { + Name: 'DNS Zone Contributor' + RG: 'G1' + Prefix: 'ACU1' + Tenant: 'HUB' + } + { + Name: 'Reader and Data Access' + RG: 'G1' + Prefix: 'ACU1' + Tenant: 'HUB' + } + { + Name: 'Storage Account Contributor' + RG: 'G1' + Prefix: 'ACU1' + Tenant: 'HUB' + } + { + Name: 'Log Analytics Contributor' + RG: 'G1' + Prefix: 'ACU1' 
+ Tenant: 'HUB' + } + { + Name: 'Desktop Virtualization Virtual Machine Contributor' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Network Contributor' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + ] + } + ] + SubnetInfo: [ + { + name: 'snMT03' + prefix: '96/27' + NSG: 1 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + delegations: 'Microsoft.App/environments' + NGW: 1 + } + { + name: 'AzureBastionSubnet' + prefix: '192/26' + NSG: 1 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + NGW: 1 + } + { + name: 'waf01-subnet' + NSGRuleName: 'SNWAF01' + AddDeploymentPrefix: 1 + prefix: '0/24' + NSG: 1 + Route: 0 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + } + { + name: 'snFE01' + prefix: '0/23' + NSG: 1 + Route: 0 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + NGW: 1 + } + { + name: 'snMT01' + prefix: '0/23' + NSG: 1 + Route: 0 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + NGW: 1 + } + { + name: 'snMT02' + prefix: '0/23' + NSG: 1 + Route: 0 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + NGW: 1 + } + ] + NatGWInfo: [ + { + Name: 'NAT01' + PIPCount: 1 + } + ] + BastionInfo: { + name: 'HST01' + enableTunneling: 1 + scaleUnits: 2 + } + saInfo: [ + { + name: 'diag' + skuName: 'Standard_LRS' + allNetworks: 1 + logging: { + r: 0 + w: 0 + d: 1 + } + blobVersioning: 1 + changeFeed: 1 + softDeletePolicy: { + enabled: 1 + days: 7 + } + PrivateLinkInfo: [ + { + Subnet: 'snFE01' + groupID: 'blob' + } + { + Subnet: 'snFE01' + groupID: 'file' + } + ] + } + ] + KVInfo: [ + { + Name: 'App01' + skuName: 'standard' + softDelete: true + PurgeProtection: true + RbacAuthorization: true + UserAssignedIdentity: { + name: 'KeyVaultSecretsGetApp' + permission: 'SecretsGetAndList' + } + allNetworks: 1 + privateLinkInfo: [ + { + Subnet: 'snFE01' + groupID: 'vault' + } + ] + _rolesInfo: [ + { + Name: 'BenWilkinson' + RBAC: [ + { + Name: 'Key Vault Administrator' + } + ] + } + ] + } + ] + 
OMSSolutions: [ + 'AzureAutomation' + 'ChangeTracking' + 'AzureActivity' + 'DnsAnalytics' + 'AlertManagement' + 'NetworkMonitoring' + 'InfrastructureInsights' + 'VMInsights' + 'SecurityInsights' + 'WindowsDefenderATP' + 'KeyVaultAnalytics' + ] + WAFPolicyInfo: [ + { + Name: 'AGIC01' + State: 'Enabled' + Mode: 'Prevention' + ruleSetVersion: '3.2' + enableBotRule: 1 + customRules: [] + exclusions: [] + } + ] + LoadTestInfo: [ + { + Name: 'APIWebTest01' + location: 'westus2' + } + ] + WAFInfo: [ + { + Name: 'AGIC01' + WAFPolicyAttached: 1 + WAFPolicyName: 'AGIC01' + WAFTier: 'WAF_v2' + PrivateIP: '240' + SSLCerts: [ + { + name: 'AGIC01' + zone: 'aginow.net' + createCert: 1 + DnsNames: [ + '*.aginow.net' + ] + } + ] + _privateLinkInfo: [ + { + Subnet: 'snMT01' + groupID: 'frontendPublic' + } + ] + backendAddressPools: [ + { + name: 'AGIC01' + BEIPs: [] + } + ] + pathRules: [] + probes: [ + { + Name: 'probe01' + Path: '/' + Protocol: 'https' + useBE: 1 + } + ] + frontEndPorts: [ + { + Port: 80 + } + { + Port: 443 + } + ] + BackendHttp: [ + { + Port: 443 + Protocol: 'https' + CookieBasedAffinity: 'Disabled' + RequestTimeout: 600 + probeName: 'probe01' + hostnameFromBE: 1 + } + ] + Listeners: [ + { + Port: 443 + BackendPort: 443 + Protocol: 'https' + Cert: 'AGIC01' + Domain: 'aginow.net' + Hostname: 'AGIC01' + HostnameExcludePrefix: 1 + Interface: 'Public' + } + { + Port: 80 + Protocol: 'http' + Domain: 'aginow.net' + Hostname: 'AGIC01' + HostnameExcludePrefix: 1 + Interface: 'Public' + httpsRedirect: 1 + } + ] + } + ] + AKSInfo: [ + { + Name: '01' + Version: '1.28.3' + skuTier: 'Free' + podIdentity: 0 + privateCluster: 0 + AllowALLIPs: 1 + AgentPoolsSN: 'snMT01' + WAFName: 'AGIC01' + BrownFields: 1 + AppGateway: 0 + AutoScale: 1 + enableRBAC: 1 + enableOSM: 0 + enableIstio: 0 + enableIngressAppRouting: 1 + enableAppRoutingDNS: 0 + enableDefender: 0 + enablePolicy: 0 + enableaciConnector: 0 + aksAADAdminGroups: [ + 'brwilkinson' + ] + AgentPools: [ + { + name: 'system01' 
+ count: 1 + osDiskSizeGb: 0 + osType: 'Linux' + osSKU: 'Mariner' + maxPods: 110 + vmSize: 'Standard_D2ads_v5' + mode: 'System' + subnet: 'snMT01' + } + ] + } + ] + MLWorkspaceInfo: [ + { + Name: '03' + UAI: 'ML' + skuTier: 'Basic' + } + ] +} diff --git a/ADF/tenants/AKS/AEU1.D2.bicepparam b/ADF/tenants/AKS/AEU1.D2.bicepparam new file mode 100644 index 00000000..92606cba --- /dev/null +++ b/ADF/tenants/AKS/AEU1.D2.bicepparam 
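Review bot: `uaiInfo` mixes key casing — every entry uses `name:` except the last, `Name: 'CertificateRequest'`; if `00-ALL-SUB.bicep` reads `item.name`, that identity is created without a name or skipped, and the AEU1.D2 file in this commit has the same mismatch on `Name: 'Reader'` and `Name: 'CertificateRequest'`. The port from JSON also dropped the explanatory comments the archived parameters files carried (see the AEU1.D2 JSON hunk above) even though `.bicepparam` accepts `//` comments; the one beside the cluster's open-IP setting is worth restoring as `AllowALLIPs: 1 // Add in NAT Public IP to allow range for VMSSCSE to work.` so the next reader knows why the API server is presumably not restricted to a range. `aksAADAdminGroups` and `rolesInfo` both grant their rights to a single named user, `brwilkinson`, rather than a group; acceptable for a dev tenant, but a comment saying so keeps it from being copied into a production tenant unchanged.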
@@ -0,0 +1,923 @@ +using '../../bicep/00-ALL-SUB.bicep' + +param Global = union( + loadJsonContent('Global-${Prefix}.json'), + loadJsonContent('Global-Global.json'), + loadJsonContent('Global-Config.json') +) + +param Prefix = 'AEU1' + +param Environment = 'D' + +param DeploymentID = '2' + +param Stage = { + RG: 1 + RBAC: 1 + PIM: 0 + UAI: 1 + SP: 0 + KV: 0 + OMS: 1 + OMSSolutions: 1 + OMSDataSources: 1 + OMSUpdateWeekly: 0 + OMSUpdateMonthly: 0 + OMSUpates: 1 + SA: 1 + CDN: 0 + StorageSync: 0 + RSV: 0 + NSG: 1 + NetworkWatcher: 0 + FlowLogs: 1 + VNet: 1 + VNetDDOS: 0 + VNetPeering: 1 + DNSPublicZone: 0 + DNSPrivateZone: 0 + LinkPrivateDns: 0 + PrivateLink: 1 + BastionHost: 0 + CloudShellRelay: 0 + RT: 0 + FW: 0 + VNGW: 0 + NATGW: 0 + ERGW: 0 + LB: 0 + TM: 0 + WAFPOLICY: 1 + WAF: 0 + FRONTDOORPOLICY: 0 + FRONTDOOR: 0 + SetExternalDNS: 0 + SetInternalDNS: 0 + APPCONFIG: 0 + REDIS: 0 + APIM: 0 + ACR: 0 + SQLMI: 0 + CosmosDB: 0 + DASHBOARD: 0 + ServerFarm: 0 + WebSite: 0 + WebSiteContainer: 0 + ManagedEnv: 0 + ContainerApp: 0 + MySQLDB: 0 + Function: 0 + SB: 0 + LT: 0 + AzureSYN: 0 + VMSS: 0 + ACI: 0 + AKS: 0 + AzureSQL: 0 + SFM: 0 + SFMNP: 0 + ADPrimary: 0 + ADSecondary: 0 + InitialDOP: 0 + VMApp: 0 + VMAppLinux: 0 + VMSQL: 0 + VMFILE: 0 +} + +param Extensions = { + MonitoringAgent: 1 + IaaSDiagnostics: 1 + DependencyAgent: 1 + AzureMonitorAgent: 1 + GuestHealthAgent: 1 + VMInsights: 1 + AdminCenter: 1 + BackupWindowsWorkloadSQL: 0 + DSC: 0 + GuestConfig: 1 + Scripts: 1 + MSI: 1 + CertMgmt: 0 + DomainJoin: 1 + AADLogin: 0 + WindowsOpenSSH: 0 + Antimalware: 1 + VMSSAzureADEnabled: 0 + SqlIaasExtension: 0 + AzureDefender: 0 + chefClient: 0 +} + +param DeploymentInfo = { + uaiInfo: [ + { + Name: 'Reader' + RBAC: [ + { + Name: 'Reader' + } + ] + } + { + name: 'GlobalAcrPull' + RBAC: [ + { + Name: 'AcrPull' + RG: 'G1' + Tenant: 'HUB' + Prefix: 'ACU1' + } + ] + } + { + name: 'ML' + RBAC: [ + { + Name: 'AcrPull' + RG: 'G1' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 
'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Key Vault Reader' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + ] + } + { + name: 'KeyVaultSecretsGet' + RBAC: [ + { + Name: 'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + ] + } + { + name: 'AKSCluster' + RBAC: [ + { + Name: 'Private DNS Zone Contributor' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Key Vault Certificates Officer' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Network Contributor' + } + { + Name: 'Managed Identity Operator' + } + ] + } + { + name: 'Automation' + RBAC: [ + { + Name: 'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Storage Account Contributor' + } + { + Name: 'Storage Queue Data Contributor' + } + { + Name: 'Storage Blob Data Owner' + } + ] + } + { + name: 'AppService' + RBAC: [ + { + Name: 'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Storage Account Contributor' + } + { + Name: 'Storage Queue Data Contributor' + } + { + Name: 'Storage Blob Data Owner' + } + { + Name: 'Reader' + } + ] + } + { + name: 'StorageAccountFileContributor' + RBAC: [ + { + Name: 'Storage File Data SMB Share Contributor' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Storage Blob Data Contributor' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Storage Queue Data Contributor' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + ] + } + { + Name: 'CertificateRequest' + RBAC: [ + { + Name: 'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Key Vault Certificates Officer' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + ] + } + ] + rolesInfo: [ + { + Name: 'brwilkinson' + RBAC: [ + { + Name: 'Contributor' + } + ] + } + ] + PIMInfo: [] + SPInfo: [ + { + Name: 'ADO_{ADOProject}_{RGNAME}' + RBAC: [ + { 
+ Name: 'Contributor' + } + { + Name: 'DNS Zone Contributor' + RG: 'G1' + Prefix: 'ACU1' + Tenant: 'HUB' + } + { + Name: 'Reader and Data Access' + RG: 'G1' + Prefix: 'ACU1' + Tenant: 'HUB' + } + { + Name: 'Storage Account Contributor' + RG: 'G1' + Prefix: 'ACU1' + Tenant: 'HUB' + } + { + Name: 'Log Analytics Contributor' + RG: 'G1' + Prefix: 'ACU1' + Tenant: 'HUB' + } + { + Name: 'Desktop Virtualization Virtual Machine Contributor' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Key Vault Secrets User' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + { + Name: 'Network Contributor' + RG: 'P0' + Tenant: 'HUB' + Prefix: 'ACU1' + } + ] + } + ] + SubnetInfo: [ + { + name: 'snMT03' + prefix: '96/27' + NSG: 1 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + delegations: 'Microsoft.App/environments' + NGW: 0 + } + { + name: 'snAPIM01' + NSGRuleName: 'APIM' + prefix: '128/27' + NSG: 1 + Route: 0 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + NGW: 0 + } + { + name: 'AzureBastionSubnet' + prefix: '192/26' + NSG: 1 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + NGW: 0 + } + { + name: 'waf01-subnet' + NSGRuleName: 'SNWAF01' + AddDeploymentPrefix: 1 + prefix: '0/24' + NSG: 1 + Route: 0 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + } + { + name: 'snFE01' + prefix: '0/23' + NSG: 1 + Route: 0 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + NGW: 0 + } + { + name: 'snMT01' + prefix: '0/23' + NSG: 1 + Route: 0 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + NGW: 0 + } + { + name: 'snMT02' + prefix: '0/23' + NSG: 1 + Route: 0 + FlowLogEnabled: 1 + FlowAnalyticsEnabled: 1 + NGW: 0 + } + ] + NatGWInfo: [ + { + Name: 'NAT01' + PIPCount: 1 + } + ] + BastionInfo: { + name: 'HST01' + enableTunneling: 1 + scaleUnits: 2 + } + saInfo: [ + { + name: 'diag' + skuName: 'Standard_LRS' + allNetworks: 1 + logging: { + r: 0 + w: 0 + d: 1 + } + blobVersioning: 1 + changeFeed: 1 + softDeletePolicy: { + enabled: 1 + days: 7 + } + PrivateLinkInfo: [ + { + Subnet: 'snFE01' + groupID: 
'blob' + } + { + Subnet: 'snFE01' + groupID: 'file' + } + ] + containers: [ + { + name: 'runbooks' + } + ] + } + { + name: 'data1' + skuName: 'Standard_LRS' + allNetworks: 1 + logging: { + r: 0 + w: 0 + d: 1 + } + blobVersioning: 1 + changeFeed: 1 + softDeletePolicy: { + enabled: 1 + days: 7 + } + containers: [ + { + name: 'vmrequest' + } + ] + } + ] + KVInfo: [ + { + Name: 'App01' + skuName: 'standard' + softDelete: true + PurgeProtection: true + RbacAuthorization: true + UserAssignedIdentity: { + name: 'KeyVaultSecretsGetApp' + permission: 'SecretsGetAndList' + } + allNetworks: 1 + privateLinkInfo: [ + { + Subnet: 'snFE01' + groupID: 'vault' + } + ] + _rolesInfo: [ + { + Name: 'BenWilkinson' + RBAC: [ + { + Name: 'Key Vault Administrator' + } + ] + } + ] + } + ] + OMSSolutions: [ + 'AzureAutomation' + 'ChangeTracking' + 'AzureActivity' + 'DnsAnalytics' + 'AlertManagement' + 'NetworkMonitoring' + 'InfrastructureInsights' + 'VMInsights' + 'SecurityInsights' + 'WindowsDefenderATP' + 'KeyVaultAnalytics' + ] + appConfigurationInfo: [ + { + name: '01' + sku: 'standard' + publicNetworkAccess: 1 + } + ] + WAFPolicyInfo: [ + { + Name: 'AGIC01' + State: 'Enabled' + Mode: 'Prevention' + ruleSetVersion: '3.2' + enableBotRule: 1 + customRules: [] + exclusions: [] + } + ] + LoadTestInfo: [ + { + Name: 'APIWebTest01' + location: 'westus2' + } + ] + WAFInfo: [ + { + Name: 'AGIC01' + WAFPolicyAttached: 1 + WAFPolicyName: 'AGIC01' + WAFTier: 'WAF_v2' + PrivateIP: '240' + SSLCerts: [ + { + name: 'AGIC01' + zone: 'aginow.net' + createCert: 1 + DnsNames: [ + '*.aginow.net' + ] + } + ] + _privateLinkInfo: [ + { + Subnet: 'snMT01' + groupID: 'frontendPublic' + } + ] + backendAddressPools: [ + { + name: 'AGIC01' + BEIPs: [] + } + ] + pathRules: [] + probes: [ + { + Name: 'probe01' + Path: '/' + Protocol: 'https' + useBE: 1 + } + ] + frontEndPorts: [ + { + Port: 80 + } + { + Port: 443 + } + ] + BackendHttp: [ + { + Port: 443 + Protocol: 'https' + CookieBasedAffinity: 'Disabled' + 
RequestTimeout: 600 + probeName: 'probe01' + hostnameFromBE: 1 + } + ] + Listeners: [ + { + Port: 443 + BackendPort: 443 + Protocol: 'https' + Cert: 'AGIC01' + Domain: 'aginow.net' + Hostname: 'AGIC01' + HostnameExcludePrefix: 1 + Interface: 'Public' + } + { + Port: 80 + Protocol: 'http' + Domain: 'aginow.net' + Hostname: 'AGIC01' + HostnameExcludePrefix: 1 + Interface: 'Public' + httpsRedirect: 1 + } + ] + } + ] + AKSInfo: [ + { + Name: '01' + Version: '1.25.6' + skuTier: 'Free' + podIdentity: 0 + privateCluster: 0 + AllowALLIPs: 1 + AgentPoolsSN: 'snMT01' + WAFName: 'AGIC01' + BrownFields: 0 + AppGateway: 1 + AutoScale: 1 + enableRBAC: 1 + enableOSM: 0 + enableIstio: 1 + enableIngressAppRouting: 0 + enableAppRoutingDNS: 0 + enableDefender: 0 + enablePolicy: 0 + enableaciConnector: 0 + aksAADAdminGroups: [ + 'brwilkinson' + ] + namespaces: [ + { + name: 'testrbac' + rolesInfo: [ + { + Name: 'brwilkinson' + RBAC: [ + { + Name: 'Azure Kubernetes Service RBAC Writer' + } + ] + } + ] + } + ] + AgentPools: [ + { + name: 'system01' + count: 1 + osDiskSizeGb: 0 + osType: 'Linux' + osSKU: 'Mariner' + maxPods: 110 + vmSize: 'Standard_B4ms' + mode: 'System' + subnet: 'snMT01' + } + ] + } + ] + MLWorkspaceInfo: [ + { + Name: '03' + UAI: 'ML' + skuTier: 'Basic' + } + ] + managedEnvInfo: [ + { + Name: '02' + _Subnet: 'snMT03' + workloadProfiles: [ + { + workloadProfileType: 'Consumption' + name: 'Consumption' + } + ] + } + ] + containerAppInfo: [ + { + Name: '01' + kubeENV: '02' + image: 'mcr.microsoft.com/azuredocs/aks-helloworld:v1' + imagename: 'simple-hello-world-container' + title: 'Hello World 12' + } + ] + appServiceplanInfo: [ + { + Name: 'WPS01' + kind: 'app' + perSiteScaling: false + reserved: false + skuname: 'P1v2' + skutier: 'PremiumV2' + skucapacity: 1 + deploy: 1 + } + { + Name: 'ASP01' + kind: 'elastic' + perSiteScaling: false + reserved: false + skuname: 'EP1' + skutier: 'ElasticPremium' + skucapacity: 1 + maxWorkerCount: 100 + deploy: 1 + } + ] + 
FunctionInfo: [ + { + Name: 'VMR01' + kind: 'functionapp' + AppSVCPlan: 'ASP01' + saname: 'data1' + stack: 'powershell' + _Subnet: 'snMT01' + preWarmedCount: 1 + customDNS: 0 + _authsettingsV2: { + applicationId: '84a491fe-f713-42f9-8e13-66bfb5dcc09b' + requireAuthentication: 1 + } + } + ] + WebSiteInfo: [ + { + Name: 'WPS01' + kind: 'app' + AppSVCPlan: 'WPS01' + stack: 'dotnet' + saname: 'diag' + customDNS: 0 + _privateLinkInfo: [ + { + Subnet: 'snFE01' + groupID: 'sites' + } + ] + } + { + Name: 'WPS02' + kind: 'app' + AppSVCPlan: 'WPS01' + stack: 'dotnet' + saname: 'diag' + customDNS: 0 + _privateLinkInfo: [ + { + Subnet: 'snFE01' + groupID: 'sites' + } + ] + } + ] + LBInfo: [ + { + Name: 'SSH01' + Sku: 'Standard' + Type: 'Public' + BackEnd: [ + 'SSH01' + ] + FrontEnd: [ + { + LBFEName: 'SSH' + PublicIP: 'Static' + } + ] + NATRules: [ + { + Name: 'SSH' + protocol: 'Tcp' + frontendPort: 22 + backendPort: 22 + enableFloatingIP: false + idleTimeoutInMinutes: 4 + LBFEName: 'SSH' + } + ] + Probes: [] + Services: [] + } + ] + Appservers: { + AppServers: [ + { + Name: 'UBU01' + Role: 'UBU' + _DSC: 'PULL' + _DDRole: '64GB' + OSType: 'ubuntu-server-focal' + runCommands: 'setupUbuntu.sh' + OSstorageAccountType: 'Standard_LRS' + HotPatch: true + HRW: 0 + DeployJIT: 1 + _shutdown: { + time: '2100' + enabled: 0 + } + Zone: 1 + NICs: [ + { + Subnet: 'snFE01' + Primary: 1 + FastNic: 1 + StaticIP: '61' + PublicIP: 'Static' + } + ] + } + { + Name: 'JMP01' + Role: 'JMP' + DDRole: '64GB' + OSType: 'Server2022' + runCommands: 'setupWindows.ps1' + ExcludeAdminCenter: 1 + ExcludeDomainJoin: 1 + OSstorageAccountType: 'Standard_LRS' + HotPatch: true + HRW: 0 + DeployJIT: 0 + shutdown: { + time: '2100' + enabled: 0 + } + Zone: 1 + NICs: [ + { + Subnet: 'snFE01' + Primary: 1 + FastNic: 1 + PublicIP: 'Static' + StaticIP: '62' + } + ] + } + { + Name: 'JMP02' + Role: 'JMP' + DDRole: '64GB' + OSType: 'Server2022' + runCommands: 'setupWindows.ps1' + ExcludeAdminCenter: 0 + ExcludeDomainJoin: 1 
+ OSstorageAccountType: 'Standard_LRS' + HotPatch: true + HRW: 0 + DeployJIT: 0 + shutdown: { + time: '2100' + enabled: 0 + } + Zone: 1 + NICs: [ + { + Subnet: 'snFE01' + Primary: 1 + FastNic: 1 + PublicIP: 'Static' + StaticIP: '63' + } + ] + } + ] + } + APIMInfo: [ + { + name: '01' + apimSku: 'Premium' + Subnet: 'snAPIM01' + virtualNetworkType: 'Internal' + _redisCache: 'APIM01' + stv1: 0 + capacity: 1 + _publicAccess: 0 + _privateLinkInfo: [ + { + Subnet: 'snAPIM01' + groupID: 'Gateway' + } + ] + _SSLCerts: [ + { + name: 'api.ppe' + zone: 'aginow.net' + createCert: 1 + } + ] + _additionalLocations: [ + { + prefix: 'AEU1' + Subnet: 'snAPIM01' + capacity: 1 + _privateLinkInfo: [ + { + Subnet: 'snAPIM01' + groupID: 'Gateway' + } + ] + } + ] + } + ] +} diff --git a/ADF/tenants/AKS/deploy.ps1 b/ADF/tenants/AKS/deploy.ps1 index d1c13e1f..31915cb9 100644 --- a/ADF/tenants/AKS/deploy.ps1 +++ b/ADF/tenants/AKS/deploy.ps1 @@ -28,9 +28,10 @@ AzSet -App $App -Enviro D1 # Global - Only Needed in secondary Region AzDeploy @Current -Prefix ACU1 -TF ADF:/bicep/00-ALL-SUB.bicep -AzDeploy @Current -Prefix ACU1 -TF ADF:/bicep/01-ALL-RG.bicep +AzDeploy @Current -Prefix ACU1 -TF ADF:/bicep/01-ALL-RG.bicep -WhatIf # Deploy only AKS layer for testing. +AzDeploy @Current -Prefix ACU1 -TF ADF:/bicep/WAF.bicep AzDeploy @Current -Prefix ACU1 -TF ADF:/bicep/AKS.bicep # Repeat above for other environments, however can do those in yaml pipelines instead
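Review bot: `FunctionInfo[0]._authsettingsV2.applicationId` keeps the concrete client id but loses the note the archived JSON had beside it (`clientid needs access to the keyvault to read the secret`); since the underscore prefix presumably parks the block, restoring that note as a `//` comment tells the next person what must hold before the underscore is removed. In `APIMInfo[0]._additionalLocations` the entry's `prefix: 'AEU1'` equals this file's own `param Prefix`, so it would describe the primary region as its own additional location; that is presumably why it is underscored, and it should be corrected before the block is enabled. `KVInfo[0]` combines `allNetworks: 1` with a `privateLinkInfo` entry; if the private endpoint is meant to be the access path, the public endpoint should be closed, otherwise a comment should say why both stay open. The `uaiInfo` key-casing mismatch is raised on the ACU1.D1 file.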
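Review bot: `-WhatIf` is added to the `01-ALL-RG.bicep` deployment while the surrounding `00-ALL-SUB.bicep`, `WAF.bicep` and `AKS.bicep` lines still deploy for real, so running the script now only previews the resource-group layer and then deploys the layers that presumably depend on it. If this is a temporary state for the testing the existing `# Deploy only AKS layer for testing.` comment describes, it should not land on the shared script; if it is intended, mark it, e.g. `# -WhatIf: RG layer already deployed in D1; remove before a fresh tenant deploy`. The new `WAF.bicep` line runs before `AKS.bicep`, which matches the `WAFName`/`AppGateway` references in the AKS parameters, so that order reads right.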