// Seed used to derive resource and deployment names below; defaults to 'kubeflow'.
param nameseed string = 'kubeflow'
// Region for every resource in this file; defaults to the target resource group's location.
param location string = resourceGroup().location
// Principal ID forwarded to the AKS module as both adminPrincipalId and
// acrPushRolePrincipalId. It has no default, so it must be supplied at deploy time.
// NOTE(review): presumably the object ID of the deploying user - confirm against the caller.
param signedinuser string
// ---------- AKS cluster (AKS-Construction module) ----------
// The meaning of each parameter is defined in ./AKS-Construction/bicep/main.bicep,
// which is not part of this file. The notes below go by parameter names and should
// be confirmed against that module.
module aksconst './AKS-Construction/bicep/main.bicep' = {
  name: 'aksconstruction'
  params: {
    // --- Naming and placement ---
    resourceName: nameseed
    location: location

    // --- Identity and access ---
    // Directory-backed authentication, Azure RBAC for authorization and no local
    // cluster accounts (per the parameter names).
    enable_aad: true
    enableAzureRBAC: true
    AksDisableLocalAccounts: true
    // NOTE(review): one principal receives both the cluster admin and the registry
    // push assignment. For anything beyond a personal sandbox, consider a group for
    // admin access and a separate build identity for pushing images.
    adminPrincipalId: signedinuser
    acrPushRolePrincipalId: signedinuser

    // --- Network and policy ---
    custom_vnet: true
    networkPolicy: 'azure'
    // NOTE(review): 'audit' presumably reports policy violations without blocking
    // them - check the module for an enforcing mode before running real workloads.
    azurepolicy: 'audit'

    // --- Monitoring ---
    omsagent: true
    // NOTE(review): 30 days of log retention may be too short for incident
    // investigation - confirm against your retention requirements.
    retentionInDays: 30

    // --- Node pool, SLA and upgrades ---
    agentVMSize: 'Standard_D2ds_v4'
    agentCountMax: 10
    osDiskType: 'Managed'
    AksPaidSkuForSLA: true
    upgradeChannel: 'stable'

    // --- Container registry ---
    registries_sku: 'Standard'

    // --- Workload identity and secrets ---
    // Workload Identity needs the OIDC issuer configured on AKS. The switch is left
    // commented out here, while this file still outputs aksOidcIssuerUrl.
    // NOTE(review): confirm the module enables the issuer by default, otherwise that
    // output may be empty and federation cannot work.
    // oidcIssuer: true
    // Enables the CSI driver for Key Vault.
    keyVaultAksCSI: true
  }
}
// Re-exports the AKS module's OIDC issuer URL and cluster name for later deployment steps.
// Deployment outputs are stored in the deployment history, so keep them to identifiers
// like these and never emit secrets here.
output aksOidcIssuerUrl string = aksconst.outputs.aksOidcIssuerUrl
output aksClusterName string = aksconst.outputs.aksClusterName
// ---------- Key Vault for the application ----------
// Deployed through the AKS-Construction keyvault module. The deployment is named
// 'kv<nameseed>' and the module receives 'app<nameseed>' as its resource name.
module keyVault './AKS-Construction/bicep/keyvault.bicep' = {
  name: 'kv${nameseed}'
  params: {
    location: location
    resourceName: 'app${nameseed}'

    // NOTE(review): both recovery safeguards are switched off. That makes teardown
    // of a throwaway environment easy, but a deleted vault or secret then cannot be
    // recovered. Turn both on for any vault that holds real secrets; purge
    // protection cannot be disabled again once it is enabled.
    keyVaultSoftDelete: false
    keyVaultPurgeProtection: false

    // NOTE(review): with private links off the vault is presumably reached over its
    // public endpoint - confirm which network rules the module applies.
    privateLinks: false
  }
}
// Name of the Key Vault created by the keyVault module, exposed for later deployment steps.
output kvAppName string = keyVault.outputs.keyVaultName
// User-assigned managed identity for the Kubeflow workload.
// NOTE(review): the name is the literal 'kubeflow' rather than being derived from
// nameseed, and the API version is a preview one. Consider pinning a GA version
// (e.g. 2023-01-31) after verifying it in your environment.
resource kubeflowidentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
  location: location
  name: 'kubeflow'

  // Federated credential for workload identity, currently disabled. While it stays
  // commented out, this file creates no trust between the cluster's OIDC issuer and
  // this identity.
  // NOTE(review): the subject must match the workload's namespace and service account
  // exactly. 'superapp:serversa' looks carried over from another sample - confirm
  // before enabling.
  // resource fedCreds 'federatedIdentityCredentials' = {
  //   name: nameseed
  //   properties: {
  //     audiences: aksconst.outputs.aksOidcFedIdentityProperties.audiences
  //     issuer: aksconst.outputs.aksOidcFedIdentityProperties.issuer
  //     subject: 'system:serviceaccount:superapp:serversa'
  //   }
  // }
}
// Client ID and full resource ID of the managed identity, exposed for later deployment steps.
// Both are identifiers rather than credentials.
output kubeflowidentityClientId string = kubeflowidentity.properties.clientId
output kubeflowidentityId string = kubeflowidentity.id
// Grants the Kubeflow managed identity access to the application Key Vault.
// The role or permission set is defined in ./KVRBAC.bicep, which is not visible here.
// NOTE(review): confirm it is the narrowest one the workload needs.
module kvSuperappRbac './KVRBAC.bicep' = {
  name: 'kubeflowKvRbac'
  params: {
    kvName: keyVault.outputs.keyVaultName
    // The parameter is called appclientId but receives the identity's principalId
    // (object ID), not its clientId.
    // NOTE(review): access assignments are normally keyed on the principal ID, so the
    // value is presumably what KVRBAC.bicep expects - confirm there.
    appclientId: kubeflowidentity.properties.principalId
  }
}