Security changes (#225)

* Bicep Module switch out to enable additional capabilities. * Updated documentation to add in sections about platform design.
Azure · Nov 2, 2024 · e4500aa · e4500aa
1 parent d4be482
commit e4500aa
Show file tree

Hide file tree

Showing 72 changed files with 14,386 additions and 2,489 deletions.
diff --git a/bicep/README.md b/bicep/README.md
@@ -7,8 +7,6 @@ graph TD
   MonitoringResources["Monitoring Resources: logAnalytics"]
   ConditionalNetwork["Network Resources: Conditional Deployments"]
   ClusterNSG["clusterNetworkSecurityGroup - !vnetInjection"]
-  BastionNSG["bastionNetworkSecurityGroup - !vnetInjection and enableBastion"]
-  MachineNSG["machineNetworkSecurityGroup - !vnetInjection and enableBastion"]
   Network["network - !vnetInjection"]
   CommonResources["Common Resources"]
   AppInsights["appInsights"]
@@ -20,9 +18,6 @@ graph TD
   ScriptFileShares["scriptFileShares"]
   CommonDatabase["commonDatabase"]
   RedisCache["redisCache"]
-  ManageResources["Manage Resources"]
-  BastionHost["bastionHost - enableBastion"]
-  VirtualMachine["virtualMachine - enableBastion"]
   PartitionResources["Partition Resources"]
   PartitionStorage["partitionStorage"]
   PartitionDatabase["partitionDatabase"]
@@ -48,8 +43,6 @@ graph TD
   IdentityResources --> MonitoringResources
   MonitoringResources --> ConditionalNetwork
   ConditionalNetwork -->|"!vnetInjection"| ClusterNSG
-  ConditionalNetwork -->|"!vnetInjection and enableBastion"| BastionNSG
-  ConditionalNetwork -->|"!vnetInjection and enableBastion"| MachineNSG
   ConditionalNetwork -->|"!vnetInjection"| Network
   ClusterNSG --> CommonResources
   BastionNSG --> CommonResources
@@ -64,9 +57,6 @@ graph TD
   CommonStorage --> ScriptFileShares
   KeyVault --> CommonDatabase
   CommonResources --> RedisCache
-  CommonResources --> ManageResources
-  ManageResources -->|"enableBastion"| BastionHost
-  BastionHost --> |"enableBastion"| VirtualMachine
   CommonResources --> PartitionResources
   PartitionResources --> PartitionStorage
   PartitionResources --> PartitionDatabase

diff --git a/bicep/main.bicep b/bicep/main.bicep
@@ -17,10 +17,7 @@ param applicationClientSecret string
 @description('Specify the Enterprise Application Object Id. (This is the unique ID of the service principal object associated with the application.)')
 param applicationClientPrincipalOid string
 
-@description('Feature Flag: Enable Burstable Server Types')
-param enableBurstable bool = false
-
-@description('Use customized server types.')
+@description('The size of the VM to use for the cluster.')
 param customVMSize string = ''
 
 @allowed([
@@ -35,12 +32,6 @@ param ingressType string = 'External'
 @description('Feature Flag: Enable Storage accounts public access.')
 param enableBlobPublicAccess bool = false
 
-@description('Feature Flag: Enable management with a virtual machine and bastion host.')
-param enableManage bool = false
-
-@description('(Optional) If manage then the ssh user name for the virtual machine.')
-param vmAdminUsername string = 'azureUser'
-
 @description('Feature Flag: Enable AKS Enhanced Subnet Support (Azure CNI)')
 param enablePodSubnet bool = false
 
@@ -88,6 +79,7 @@ param experimentalSoftware object = {
   adminUI: false
 }
 
+
 // This would be a type but bugs exist for ARM Templates so is object instead.
 @description('Cluster Network Overrides - {ingress} (Both/Internal/External), {serviceCidr}, {dnsServiceIP}')
 param clusterNetwork object = {
@@ -96,16 +88,6 @@ param clusterNetwork object = {
   dnsServiceIP: ''
 }
 
-@allowed([
-  'kubenet'
-  'azure'
-])
-@description('The network plugin to use for the Kubernetes cluster.')
-param clusterNetworkPlugin string = 'azure'
-
-@description('Optional: Specify the AD Users and/or Groups that can manage the cluster.')
-param clusterAdminIds array = []
-
 /////////////////////////////////
 //  Configuration 
 /////////////////////////////////
@@ -210,7 +192,7 @@ module logAnalytics 'br/public:avm/res/operational-insights/workspace:0.3.4' = {
 //*****************************************************************//
 //  Network Resources                                              //
 //*****************************************************************//
-module networkBlade 'modules/blade_network.bicep' = {
+module networkBlade 'modules/blade_network.bicep' = if (enableVnetInjection) {
   name: 'network-blade'
   params: {
     bladeConfig: {
@@ -228,7 +210,6 @@ module networkBlade 'modules/blade_network.bicep' = {
     workspaceResourceId: logAnalytics.outputs.resourceId
     identityId: stampIdentity.outputs.principalId
 
-    enableBastion: enableManage
     enablePodSubnet: enablePodSubnet
     enableVnetInjection: enableVnetInjection
 
@@ -281,10 +262,12 @@ module commonBlade 'modules/blade_common.bicep' = {
     enableTelemetry: enableTelemetry
     deploymentScriptIdentity: stampIdentity.outputs.name
 
+    userAssignedIdentityName: stampIdentity.outputs.name
+
     workspaceResourceId: logAnalytics.outputs.resourceId
     workspaceName: logAnalytics.outputs.name
 
-    subnetId: networkBlade.outputs.aksSubnetId
+    subnetId: enableVnetInjection ? networkBlade.outputs.aksSubnetId : ''
     cmekConfiguration: cmekConfiguration
 
     enablePrivateLink: enablePrivateLink
@@ -294,60 +277,11 @@ module commonBlade 'modules/blade_common.bicep' = {
     applicationClientSecret: applicationClientSecret
     applicationClientPrincipalOid: applicationClientPrincipalOid
   }
-  dependsOn: [
-    networkBlade
-  ]
-}
-
-
-//*****************************************************************//
-//  Manage Resources                                               //
-//*****************************************************************//
-module manageBlade 'modules/blade_manage.bicep' = {
-  name: 'manage-blade'
-  params: {
-    bladeConfig: {
-      sectionName: 'manageblade'
-      displayName: 'Manage Resources'
-    }
-
-    tags: {
-      id: rg_unique_id
-    }
-
-    manageLayerConfig: {
-      machine: {
-        vmSize: 'Standard_DS3_v2'
-        imagePublisher: 'Canonical'
-        imageOffer: 'UbuntuServer'
-        imageSku: '18.04-LTS'
-        authenticationType: 'password'
-      }
-      bastion: {
-        skuName: 'Basic'
-      }
-    }
-
-    location: location
-    enableTelemetry: enableTelemetry
-
-    workspaceName: logAnalytics.outputs.name
-    kvName: commonBlade.outputs.keyvaultName
-
-    // Feature Flags
-    enableBastion: enableManage
-
-    vmAdminUsername: vmAdminUsername
-    vnetId: networkBlade.outputs.vnetId
-    vmSubnetId: networkBlade.outputs.vmSubnetId
-  }
-  dependsOn: [
+  dependsOn: enableVnetInjection ? [
     networkBlade
-    commonBlade
-  ]
+  ] :[]
 }
 
-
 //*****************************************************************//
 //  Partition Resources                                            //
 //*****************************************************************//
@@ -367,21 +301,22 @@ module partitionBlade 'modules/blade_partition.bicep' = {
     workspaceResourceId: logAnalytics.outputs.resourceId
 
     kvName: commonBlade.outputs.keyvaultName
-    subnetId: networkBlade.outputs.aksSubnetId
+    subnetId: enableVnetInjection ? networkBlade.outputs.aksSubnetId : ''
 
     enableBlobPublicAccess: enableBlobPublicAccess
     enablePrivateLink: enablePrivateLink
 
     storageDNSZoneId: commonBlade.outputs.storageDNSZoneId
     cosmosDNSZoneId: commonBlade.outputs.cosmosDNSZoneId
 
-    partitionSize: enableBurstable ? 'Burstable' : 'Standard'
     partitions: configuration.partitions
     managedIdentityName: stampIdentity.outputs.name
   }
-  dependsOn: [
+  dependsOn: enableVnetInjection ? [
     networkBlade
     commonBlade
+  ] :[
+    commonBlade
   ]
 }
 
@@ -424,16 +359,13 @@ module serviceBlade 'modules/blade_service.bicep' = {
     partitionStorageNames: partitionBlade.outputs.partitionStorageNames
     partitionServiceBusNames: partitionBlade.outputs.partitionServiceBusNames
 
-    aksSubnetId: networkBlade.outputs.aksSubnetId
-    podSubnetId: enablePodSubnet ? networkBlade.outputs.podSubnetId : ''
-    customVMSize: customVMSize
-    clusterSize: enableBurstable ? 'Burstable' : 'Standard'
-    clusterAdminIds: clusterAdminIds
+    aksSubnetId: enableVnetInjection ? networkBlade.outputs.aksSubnetId : ''
+    podSubnetId: enableVnetInjection && enablePodSubnet ? networkBlade.outputs.podSubnetId : ''
+    vmSize: customVMSize
 
     clusterIngress: ingressType == '' ? 'External' : ingressType
     serviceCidr: clusterNetwork.serviceCidr == '' ? '172.16.0.0/16' : clusterNetwork.serviceCidr
-    dnsServiceIP: clusterNetwork.dnsServiceIP == '' ? '172.16.0.10' : clusterNetwork.v
-    networkPlugin: enablePodSubnet ? 'azure' : clusterNetworkPlugin
+    dnsServiceIP: clusterNetwork.dnsServiceIP == '' ? '172.16.0.10' : clusterNetwork.vnet
 
     softwareBranch: clusterSoftware.branch
     softwareRepository: clusterSoftware.repository
@@ -455,7 +387,6 @@ module serviceBlade 'modules/blade_service.bicep' = {
     ]
   }
   dependsOn: [
-    networkBlade
     commonBlade
     partitionBlade
   ]

diff --git a/bicep/main.parameters.json b/bicep/main.parameters.json
@@ -14,9 +14,6 @@
     "emailAddress": {
       "value": "${EMAIL_ADDRESS}"
     },
-    "enableBurstable": {
-      "value": "${ENABLE_BURSTABLE}"
-    },
     "customVMSize": {
       "value": "${CLUSTER_VM_SIZE}"
     },

diff --git a/bicep/modules/aks_agent_pool.bicep b/bicep/modules/aks_agent_pool.bicep