Adding metric alerts to AKS bicep (#66)

Metric Alerts Ascii Art More Parameter metadata Role assignment naming consistency MonitoringMetricsPublisherRole used for Fast Alerting in bicep.
Azure · Oct 4, 2021 · 24726c0 · 24726c0
1 parent 7771146
commit 24726c0
Show file tree

Hide file tree

Showing 8 changed files with 1,915 additions and 79 deletions.
diff --git a/bicep/aksmetricalerts.bicep b/bicep/aksmetricalerts.bicep
diff --git a/bicep/aksnetcontrib.bicep b/bicep/aksnetcontrib.bicep
@@ -25,7 +25,7 @@ resource uai 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' exist
 }
 
 resource existing_vnet_cont 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
-  name:  '${guid(user_identity_principalId, existingAksSubnetName)}'
+  name:  '${guid(user_identity_principalId, existingAksSubnetName)}' 
   scope: existingAksSubnet 
   properties: {
     roleDefinitionId: networkContributorRole

diff --git a/bicep/calcAzFwIp.bicep b/bicep/calcAzFwIp.bicep
@@ -1,4 +1,7 @@
 // As per https://github.com/Azure/bicep/issues/2189#issuecomment-815962675 this file is being used as a UDF
+// Takes a subnet range and returns the AzFirewall private Ip address
+
+@description('A subnet address for the Azure Firewall')
 param vnetFirewallSubnetAddressPrefix string
 
 var subnetOctets  = split(vnetFirewallSubnetAddressPrefix,'.')

diff --git a/bicep/compiled/main.json b/bicep/compiled/main.json
diff --git a/bicep/dnsZone.bicep b/bicep/dnsZone.bicep
@@ -14,7 +14,7 @@ resource privateDns 'Microsoft.Network/privateDnsZones@2020-06-01' existing = if
 var DNSZoneContributor = resourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')
 resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (!isPrivate) {
   scope: dns
-  name: guid(resourceGroup().id, principalId)
+  name: guid(resourceGroup().id, principalId, DNSZoneContributor)
   properties: {
     roleDefinitionId: DNSZoneContributor
     principalType: 'ServicePrincipal'
@@ -25,7 +25,7 @@ resource dnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
 var PrivateDNSZoneContributor = resourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
 resource privateDnsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (isPrivate) {
   scope: privateDns
-  name: guid(resourceGroup().id, principalId)
+  name: guid(resourceGroup().id, principalId, PrivateDNSZoneContributor)
   properties: {
     roleDefinitionId: PrivateDNSZoneContributor
     principalType: 'ServicePrincipal'

diff --git a/bicep/main.bicep b/bicep/main.bicep
diff --git a/bicep/network.bicep b/bicep/network.bicep
@@ -105,15 +105,3 @@ resource aks_vnet_cont 'Microsoft.Network/virtualNetworks/subnets/providers/role
     principalType: 'ServicePrincipal'
   }
 }
-
-/*
-resource aks_vnet_cont 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = if (!empty(aksPrincipleId)) {
-  scope: existingAKSSubnet
-  name: guid(resourceGroup().id, aksPrincipleId)
-  properties: {
-    roleDefinitionId: networkContributorRole
-    principalId: aksPrincipleId
-    principalType: 'ServicePrincipal'
-  }
-}
-*/
diff --git a/referencearchs.md b/referencearchs.md
@@ -29,3 +29,4 @@ When the AKS Baseline is updated, changes are evaluated and rolled into this pro
 1. Networking. Hub/Spoke networks typically already exist, and tightly bundling with Kubernetes doesn't work well here. BYO subnets are supported.
 1. AppGw Public Listener. AppGw is the WAF ingress point for inbound internet traffic, however private listeners are also valid for fully private environments.
 1. Cluster SLA. Is defaulted to off in interests of a more cost optimised default configuration, a parameter can be provided to opt in for the paid SLA.
+1. Monitoring Alerts. Parametrised metric analysis frequency, created two presets (1 as per baseline, 2 less frequent), set default to be much less frequent. Added extra monitoring alerts as per in-cluster suggestions.