feat: fix ps rule error for waf aligned aks - `avm/res/container-serv…
…ice/managed-cluster` (#3228)

## Description

<!--
>Thank you for your contribution !
> Please include a summary of the change and which issue is fixed.
> Please also include the context.
> List any dependencies that are required for this change.

Fixes #123
Fixes #456
Closes #123
Closes #456
-->
Fixes an issue with the ps rule for WAF. For some reason it still complains
about the default test, but I don't think the ps rule should be running on the
default test, as it is not required there.

I am unsure how to change that. Happy to do so with some guidance.

## Pipeline Reference

<!-- Insert your Pipeline Status Badge below -->

| Pipeline |
| -------- |
|
[![avm.res.container-service.managed-cluster](https://github.com/PixelRobots/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml/badge.svg?branch=fix-ps-rule-error-aks-rh)](https://github.com/PixelRobots/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml)
|

## Type of Change

<!-- Use the checkboxes [x] on the options that are relevant. -->

- [ ] Update to CI Environment or utilities (Non-module affecting
changes)
- [x] Azure Verified Module updates:
- [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT
bumped the MAJOR or MINOR version in `version.json`:
- [ ] Someone has opened a bug report issue, and I have included "Closes
#{bug_report_issue_number}" in the PR description.
- [ ] The bug was found by the module author, and no one has opened an
issue to report it yet.
- [ ] Feature update backwards compatible feature updates, and I have
bumped the MINOR version in `version.json`.
- [ ] Breaking changes and I have bumped the MAJOR version in
`version.json`.
  - [x] Update to documentation

## Checklist

- [ ] I'm sure there are no other open Pull Requests for the same
update/change
- [ ] I have run `Set-AVMModule` locally to generate the supporting
module files.
- [ ] My corresponding pipelines / checks run clean and green without
any errors or warnings

<!-- Please keep up to date with the contribution guide at
https://aka.ms/avm/contribute/bicep -->

---------

Signed-off-by: PixelRobots <[email protected]>
Co-authored-by: Alexander Sehr <[email protected]>
Co-authored-by: Erika Gressi <[email protected]>
3 people authored Oct 12, 2024
1 parent 456d2bd commit 016b727
Showing 8 changed files with 461 additions and 92 deletions.
348 changes: 298 additions & 50 deletions avm/res/container-service/managed-cluster/README.md

Large diffs are not rendered by default.

34 changes: 25 additions & 9 deletions avm/res/container-service/managed-cluster/main.bicep
Expand Up @@ -156,8 +156,8 @@ param primaryAgentPoolProfile array
@description('Optional. Define one or more secondary/additional agent pools.')
param agentPools agentPoolType

@description('Optional. Whether or not to use AKS Automatic mode.')
param maintenanceConfiguration maintenanceConfigurationType
@description('Optional. Maintenance Window for Cluster auto upgrade and node OS upgrade.')
param maintenanceConfigurations maintenanceConfigurationType

@description('Optional. Specifies whether the cost analysis add-on is enabled or not. If Enabled `enableStorageProfileDiskCSIDriver` is set to true as it is needed.')
param costAnalysisEnabled bool = false
Expand Down Expand Up @@ -270,6 +270,15 @@ param autoScalerProfileSkipNodesWithSystemPods bool = true
@description('Optional. Auto-upgrade channel on the AKS cluster.')
param autoUpgradeProfileUpgradeChannel string = 'stable'

@allowed([
'NodeImage'
'None'
'SecurityPatch'
'Unmanaged'
])
@description('Optional. Auto-upgrade channel on the Node Os.')
param autoNodeOsUpgradeProfileUpgradeChannel string = 'Unmanaged'

@description('Optional. Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing.')
param podIdentityProfileAllowNetworkPluginKubenet bool = false

Expand Down Expand Up @@ -684,6 +693,7 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-03-02-p
}
autoUpgradeProfile: {
upgradeChannel: autoUpgradeProfileUpgradeChannel
nodeOSUpgradeChannel: autoNodeOsUpgradeProfileUpgradeChannel
}
apiServerAccessProfile: {
authorizedIPRanges: authorizedIPRanges
Expand Down Expand Up @@ -757,13 +767,16 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2024-03-02-p
}
}

module managedCluster_maintenanceConfigurations 'maintenance-configurations/main.bicep' = if (!empty(maintenanceConfiguration)) {
name: '${uniqueString(deployment().name, location)}-ManagedCluster-MaintenanceConfigurations'
params: {
maintenanceWindow: maintenanceConfiguration!.maintenanceWindow
managedClusterName: managedCluster.name
module managedCluster_maintenanceConfigurations 'maintenance-configurations/main.bicep' = [
for (maintenanceConfiguration, index) in (maintenanceConfigurations ?? []): if (!empty(maintenanceConfiguration)) {
name: '${uniqueString(deployment().name, location)}-ManagedCluster-MaintenanceConfigurations-${index}'
params: {
name: maintenanceConfiguration!.name
maintenanceWindow: maintenanceConfiguration!.maintenanceWindow
managedClusterName: managedCluster.name
}
}
}
]

module managedCluster_agentPools 'agent-pool/main.bicep' = [
for (agentPool, index) in (agentPools ?? []): {
Expand Down Expand Up @@ -1202,6 +1215,9 @@ type customerManagedKeyType = {
}?

type maintenanceConfigurationType = {
@description('Required. Name of maintenance window.')
name: ('aksManagedAutoUpgradeSchedule' | 'aksManagedNodeOSUpgradeSchedule')

@description('Required. Maintenance window for the maintenance configuration.')
maintenanceWindow: object
}?
}[]?
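Review bot: The `if (!empty(maintenanceConfiguration))` filter on the rewritten `module managedCluster_maintenanceConfigurations` loop is redundant: `maintenanceConfigurationType` now declares each element as an object with required `name` and `maintenanceWindow`, so a typed element can never be empty, and the `!` non-null assertions on `maintenanceConfiguration!.name` and `maintenanceConfiguration!.maintenanceWindow` are likewise unnecessary; `for (maintenanceConfiguration, index) in (maintenanceConfigurations ?? []): {` with `name: maintenanceConfiguration.name` is the same behaviour with less noise. Separately, the description of the new `autoNodeOsUpgradeProfileUpgradeChannel` parameter should say what its default implies, since as I read the AKS documentation the `Unmanaged` channel means AKS does not orchestrate node OS upgrades and an `aksManagedNodeOSUpgradeSchedule` window then has nothing to act on; I would write `@description('Optional. Auto-upgrade channel on the Node Os. With the default Unmanaged, AKS does not orchestrate node OS upgrades, so an aksManagedNodeOSUpgradeSchedule maintenance window has no effect.')`, to be confirmed against the docs. Nothing in the type prevents two entries with the same `name`, which would presumably yield two child maintenance configurations with the same name inside one deployment; if that is not intended, a sentence in the `name` description noting that each value should appear once would help callers.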
70 changes: 52 additions & 18 deletions avm/res/container-service/managed-cluster/main.json
Expand Up @@ -5,8 +5,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.29.47.4906",
"templateHash": "6707709888421096485"
"version": "0.30.23.60470",
"templateHash": "13565722664676041295"
},
"name": "Azure Kubernetes Service (AKS) Managed Clusters",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
Expand Down Expand Up @@ -671,12 +671,25 @@
"nullable": true
},
"maintenanceConfigurationType": {
"type": "object",
"properties": {
"maintenanceWindow": {
"type": "object",
"metadata": {
"description": "Required. Maintenance window for the maintenance configuration."
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string",
"allowedValues": [
"aksManagedAutoUpgradeSchedule",
"aksManagedNodeOSUpgradeSchedule"
],
"metadata": {
"description": "Required. Name of maintenance window."
}
},
"maintenanceWindow": {
"type": "object",
"metadata": {
"description": "Required. Maintenance window for the maintenance configuration."
}
}
}
},
Expand Down Expand Up @@ -985,10 +998,10 @@
"description": "Optional. Define one or more secondary/additional agent pools."
}
},
"maintenanceConfiguration": {
"maintenanceConfigurations": {
"$ref": "#/definitions/maintenanceConfigurationType",
"metadata": {
"description": "Optional. Whether or not to use AKS Automatic mode."
"description": "Optional. Maintenance Window for Cluster auto upgrade and node OS upgrade."
}
},
"costAnalysisEnabled": {
Expand Down Expand Up @@ -1228,6 +1241,19 @@
"description": "Optional. Auto-upgrade channel on the AKS cluster."
}
},
"autoNodeOsUpgradeProfileUpgradeChannel": {
"type": "string",
"defaultValue": "Unmanaged",
"allowedValues": [
"NodeImage",
"None",
"SecurityPatch",
"Unmanaged"
],
"metadata": {
"description": "Optional. Auto-upgrade channel on the Node Os."
}
},
"podIdentityProfileAllowNetworkPluginKubenet": {
"type": "bool",
"defaultValue": false,
Expand Down Expand Up @@ -1676,7 +1702,8 @@
"skip-nodes-with-system-pods": "[toLower(string(parameters('autoScalerProfileSkipNodesWithSystemPods')))]"
},
"autoUpgradeProfile": {
"upgradeChannel": "[parameters('autoUpgradeProfileUpgradeChannel')]"
"upgradeChannel": "[parameters('autoUpgradeProfileUpgradeChannel')]",
"nodeOSUpgradeChannel": "[parameters('autoNodeOsUpgradeProfileUpgradeChannel')]"
},
"apiServerAccessProfile": {
"authorizedIPRanges": "[parameters('authorizedIPRanges')]",
Expand Down Expand Up @@ -1818,18 +1845,25 @@
]
},
"managedCluster_maintenanceConfigurations": {
"condition": "[not(empty(parameters('maintenanceConfiguration')))]",
"copy": {
"name": "managedCluster_maintenanceConfigurations",
"count": "[length(coalesce(parameters('maintenanceConfigurations'), createArray()))]"
},
"condition": "[not(empty(coalesce(parameters('maintenanceConfigurations'), createArray())[copyIndex()]))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[format('{0}-ManagedCluster-MaintenanceConfigurations', uniqueString(deployment().name, parameters('location')))]",
"name": "[format('{0}-ManagedCluster-MaintenanceConfigurations-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]",
"properties": {
"expressionEvaluationOptions": {
"scope": "inner"
},
"mode": "Incremental",
"parameters": {
"name": {
"value": "[coalesce(parameters('maintenanceConfigurations'), createArray())[copyIndex()].name]"
},
"maintenanceWindow": {
"value": "[parameters('maintenanceConfiguration').maintenanceWindow]"
"value": "[coalesce(parameters('maintenanceConfigurations'), createArray())[copyIndex()].maintenanceWindow]"
},
"managedClusterName": {
"value": "[parameters('name')]"
Expand All @@ -1841,8 +1875,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.29.47.4906",
"templateHash": "12168542117744033419"
"version": "0.30.23.60470",
"templateHash": "2505380725266419010"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Maintenance Configurations.",
Expand Down Expand Up @@ -2038,8 +2072,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.29.47.4906",
"templateHash": "2004205618690542488"
"version": "0.30.23.60470",
"templateHash": "4315564225725874539"
},
"name": "Azure Kubernetes Service (AKS) Managed Cluster Agent Pools",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster Agent Pool.",
Expand Up @@ -39,23 +39,26 @@ module testDeployment '../../../main.bicep' = [
params: {
name: '${namePrefix}${serviceShort}001'
location: resourceLocation
maintenanceConfiguration: {
maintenanceWindow: {
schedule: {
daily: null
weekly: {
intervalWeeks: 1
dayOfWeek: 'Sunday'
maintenanceConfigurations: [
{
name: 'aksManagedAutoUpgradeSchedule'
maintenanceWindow: {
schedule: {
daily: null
weekly: {
intervalWeeks: 1
dayOfWeek: 'Sunday'
}
absoluteMonthly: null
relativeMonthly: null
}
absoluteMonthly: null
relativeMonthly: null
durationHours: 4
utcOffset: '+00:00'
startDate: '2024-07-03'
startTime: '00:00'
}
durationHours: 4
utcOffset: '+00:00'
startDate: '2024-07-03'
startTime: '00:00'
}
}
]
managedIdentities: {
systemAssigned: true
}
Expand Up @@ -144,6 +144,39 @@ module testDeployment '../../../main.bicep' = [
}
]
autoUpgradeProfileUpgradeChannel: 'stable'
autoNodeOsUpgradeProfileUpgradeChannel: 'Unmanaged'
maintenanceConfigurations: [
{
name: 'aksManagedAutoUpgradeSchedule'
maintenanceWindow: {
schedule: {
weekly: {
intervalWeeks: 1
dayOfWeek: 'Sunday'
}
}
durationHours: 4
utcOffset: '+00:00'
startDate: '2024-07-15'
startTime: '00:00'
}
}
{
name: 'aksManagedNodeOSUpgradeSchedule'
maintenanceWindow: {
schedule: {
weekly: {
intervalWeeks: 1
dayOfWeek: 'Sunday'
}
}
durationHours: 4
utcOffset: '+00:00'
startDate: '2024-07-15'
startTime: '00:00'
}
}
]
enableWorkloadIdentity: true
enableOidcIssuerProfile: true
networkPlugin: 'azure'
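Review bot: `autoNodeOsUpgradeProfileUpgradeChannel: 'Unmanaged'` is set in this waf-aligned test while an `aksManagedNodeOSUpgradeSchedule` maintenance window is declared a few lines below; as I read the AKS documentation, that schedule only governs AKS-driven node OS upgrades, which the Unmanaged channel does not perform, so the window would not exercise anything and the nodes would rely on in-OS unattended upgrades without orchestrated reboots. For a test meant to demonstrate the WAF-aligned configuration, `autoNodeOsUpgradeProfileUpgradeChannel: 'NodeImage'` (or `'SecurityPatch'`) would make the declared window meaningful and roll out patched nodes on the stated schedule. The same combination appears in the max test hunk below. The enclosing `module testDeployment` block starts outside the hunk.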
Expand Up @@ -139,6 +139,39 @@ module testDeployment '../../../main.bicep' = [
}
]
autoUpgradeProfileUpgradeChannel: 'stable'
autoNodeOsUpgradeProfileUpgradeChannel: 'Unmanaged'
maintenanceConfigurations: [
{
name: 'aksManagedAutoUpgradeSchedule'
maintenanceWindow: {
schedule: {
weekly: {
intervalWeeks: 1
dayOfWeek: 'Sunday'
}
}
durationHours: 4
utcOffset: '+00:00'
startDate: '2024-07-15'
startTime: '00:00'
}
}
{
name: 'aksManagedNodeOSUpgradeSchedule'
maintenanceWindow: {
schedule: {
weekly: {
intervalWeeks: 1
dayOfWeek: 'Sunday'
}
}
durationHours: 4
utcOffset: '+00:00'
startDate: '2024-07-15'
startTime: '00:00'
}
}
]
networkPlugin: 'azure'
networkPolicy: 'azure'
skuTier: 'Standard'
2 changes: 1 addition & 1 deletion avm/res/container-service/managed-cluster/version.json
@@ -1,6 +1,6 @@
{
"$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
"version": "0.3",
"version": "0.4",
"pathFilters": [
"./main.json"
]
Expand Up @@ -46,6 +46,8 @@ spec:
# Azure API Management
- Azure.APIM.MultiRegion # Team agreed this is too expensive for most use cases and is safe to ignore. Would require dependencies for a min deployment.
- Azure.APIM.ManagedIdentity
# AKS specific
- Azure.AKS.MaintenanceWindow # Excluded as it requires user input
if:
name: "."
contains:
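Review bot: Adding `Azure.AKS.MaintenanceWindow` to this exclusion list appears to turn the check off repository-wide, for every module and every test, whereas the description says the intent is only to stop it failing on the defaults test; this rule is the one that would catch a WAF-aligned AKS deployment without a maintenance window, so the `maintenanceConfigurations` just added to the waf-aligned tests are no longer verified by PSRule. If the `if:` / `name:` / `contains:` selector that follows these entries can scope suppressions to a path, scoping this one to the defaults test would keep the coverage; I cannot tell from the hunk alone whether it applies to this list. Otherwise the comment should state the trade-off explicitly, e.g. `- Azure.AKS.MaintenanceWindow # Excluded repo-wide: a maintenance window needs user input and cannot be defaulted; waf-aligned tests must set maintenanceConfigurations explicitly`. The enclosing `spec:` block starts outside the hunk.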
