fix: AKS - Removed unused CMK implementation (#4035)
## Description

- Removed unused CMK implementation

## Pipeline Reference


| Pipeline |
| -------- |
| [![avm.res.container-service.managed-cluster](https://github.com/AlexanderSehr/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml/badge.svg?branch=users%2Falsehr%2FcmkUpdateAKS&event=workflow_dispatch)](https://github.com/AlexanderSehr/bicep-registry-modules/actions/workflows/avm.res.container-service.managed-cluster.yml) |

## Type of Change


- [ ] Update to CI Environment or utilities (Non-module affecting changes)
- [ ] Azure Verified Module updates:
  - [x] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`:
    - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description.
    - [ ] The bug was found by the module author, and no one has opened an issue to report it yet.
  - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`.
  - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`.
  - [ ] Update to documentation
AlexanderSehr authored Dec 20, 2024
1 parent e6edf90 commit f6527fa
Showing 5 changed files with 1 addition and 185 deletions.
74 changes: 0 additions & 74 deletions avm/res/container-service/managed-cluster/README.md
Expand Up @@ -384,11 +384,6 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
]
autoNodeOsUpgradeProfileUpgradeChannel: 'Unmanaged'
autoUpgradeProfileUpgradeChannel: 'stable'
customerManagedKey: {
keyName: '<keyName>'
keyVaultNetworkAccess: 'Public'
keyVaultResourceId: '<keyVaultResourceId>'
}
diagnosticSettings: [
{
eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
Expand Down Expand Up @@ -653,13 +648,6 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:<vers
"autoUpgradeProfileUpgradeChannel": {
"value": "stable"
},
"customerManagedKey": {
"value": {
"keyName": "<keyName>",
"keyVaultNetworkAccess": "Public",
"keyVaultResourceId": "<keyVaultResourceId>"
}
},
"diagnosticSettings": {
"value": [
{
Expand Down Expand Up @@ -962,11 +950,6 @@ param agentPools = [
]
param autoNodeOsUpgradeProfileUpgradeChannel = 'Unmanaged'
param autoUpgradeProfileUpgradeChannel = 'stable'
param customerManagedKey = {
keyName: '<keyName>'
keyVaultNetworkAccess: 'Public'
keyVaultResourceId: '<keyVaultResourceId>'
}
param diagnosticSettings = [
{
eventHubAuthorizationRuleResourceId: '<eventHubAuthorizationRuleResourceId>'
Expand Down Expand Up @@ -2758,7 +2741,6 @@ param tags = {
| [`azurePolicyVersion`](#parameter-azurepolicyversion) | string | Specifies the azure policy version to use. |
| [`backendPoolType`](#parameter-backendpooltype) | string | The type of the managed inbound Load Balancer BackendPool. |
| [`costAnalysisEnabled`](#parameter-costanalysisenabled) | bool | Specifies whether the cost analysis add-on is enabled or not. If Enabled `enableStorageProfileDiskCSIDriver` is set to true as it is needed. |
| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. |
| [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. |
| [`disableCustomMetrics`](#parameter-disablecustommetrics) | bool | Indicates whether custom metrics collection has to be disabled or not. If not specified the default is false. No custom metrics will be emitted if this field is false but the container insights enabled field is false. |
| [`disableLocalAccounts`](#parameter-disablelocalaccounts) | bool | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. |
Expand Down Expand Up @@ -3905,62 +3887,6 @@ Specifies whether the cost analysis add-on is enabled or not. If Enabled `enable
- Type: bool
- Default: `False`

### Parameter: `customerManagedKey`

The customer managed key definition.

- Required: No
- Type: object

**Required parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. |
| [`keyVaultNetworkAccess`](#parameter-customermanagedkeykeyvaultnetworkaccess) | string | Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. |
| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. |

**Optional parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. |

### Parameter: `customerManagedKey.keyName`

The name of the customer managed key to use for encryption.

- Required: Yes
- Type: string

### Parameter: `customerManagedKey.keyVaultNetworkAccess`

Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public.

- Required: Yes
- Type: string
- Allowed:
```Bicep
[
'Private'
'Public'
]
```

### Parameter: `customerManagedKey.keyVaultResourceId`

The resource ID of a key vault to reference a customer managed key for encryption from.

- Required: Yes
- Type: string

### Parameter: `customerManagedKey.keyVersion`

The version of the customer managed key to reference for encryption. If not provided, using 'latest'.

- Required: No
- Type: string

### Parameter: `diagnosticSettings`

The diagnostic settings of the service.
30 changes: 0 additions & 30 deletions avm/res/container-service/managed-cluster/main.bicep
Expand Up @@ -367,9 +367,6 @@ param kedaAddon bool = false
@description('Optional. Whether to enable VPA add-on in cluster. Default value is false.')
param vpaAddon bool = false

@description('Optional. The customer managed key definition.')
param customerManagedKey customerManagedKeyType?

@description('Optional. Whether the metric state of the kubenetes cluster is enabled.')
param enableAzureMonitorProfileMetrics bool = false

Expand Down Expand Up @@ -529,18 +526,6 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableT
}
}

resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) {
name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/'))
scope: resourceGroup(
split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2],
split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4]
)

resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) {
name: customerManagedKey.?keyName ?? 'dummyKey'
}
}

// ============== //
// Main Resources //
// ============== //
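Review bot: The removed `cMKKeyVault`/`cMKKey` blocks were only `existing` lookups, padded with `dummyVault`/`dummyKey` and `'//'`/`'////'` fallbacks so the `split(...)` indexing stayed valid when the parameter was omitted. Nothing in this diff touches the `managedCluster` resource body, and the regenerated `main.json` (new `templateHash`) confirms no remaining reference to either symbol, so the removal compiles cleanly. Worth a line in the PR: resolving the key was the only part that ever existed; any future CMK/KMS implementation must also wire the resolved key into the cluster resource and grant the cluster identity access to the vault, otherwise the parameter is again accepted without effect.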
Expand Down Expand Up @@ -1307,21 +1292,6 @@ type extensionType = {
configurations: array?
}

@export()
type customerManagedKeyType = {
@description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.')
keyVaultResourceId: string

@description('Required. The name of the customer managed key to use for encryption.')
keyName: string

@description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.')
keyVersion: string?

@description('Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public.')
keyVaultNetworkAccess: ('Private' | 'Public')
}

@export()
type maintenanceConfigurationType = {
@description('Required. Name of maintenance window.')
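Review bot: `customerManagedKeyType` carried `@export()`, so other templates could import it; removing an exported type breaks any consumer that does `import { customerManagedKeyType } from ...`, which sits uneasily with the "backwards-compatible bug fix, no MAJOR/MINOR bump" selection in the description. Either document the removal as a breaking interface change, or keep the exported type for one release with its description marked deprecated so importers get a grace period.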
64 changes: 1 addition & 63 deletions avm/res/container-service/managed-cluster/main.json
Expand Up @@ -6,7 +6,7 @@
"_generator": {
"name": "bicep",
"version": "0.32.4.45862",
"templateHash": "15234959045281729347"
"templateHash": "2262054677651831225"
},
"name": "Azure Kubernetes Service (AKS) Managed Clusters",
"description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.",
Expand Down Expand Up @@ -648,43 +648,6 @@
"__bicep_export!": true
}
},
"customerManagedKeyType": {
"type": "object",
"properties": {
"keyVaultResourceId": {
"type": "string",
"metadata": {
"description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from."
}
},
"keyName": {
"type": "string",
"metadata": {
"description": "Required. The name of the customer managed key to use for encryption."
}
},
"keyVersion": {
"type": "string",
"nullable": true,
"metadata": {
"description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'."
}
},
"keyVaultNetworkAccess": {
"type": "string",
"allowedValues": [
"Private",
"Public"
],
"metadata": {
"description": "Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public."
}
}
},
"metadata": {
"__bicep_export!": true
}
},
"maintenanceConfigurationType": {
"type": "object",
"properties": {
Expand Down Expand Up @@ -1565,13 +1528,6 @@
"description": "Optional. Whether to enable VPA add-on in cluster. Default value is false."
}
},
"customerManagedKey": {
"$ref": "#/definitions/customerManagedKeyType",
"nullable": true,
"metadata": {
"description": "Optional. The customer managed key definition."
}
},
"enableAzureMonitorProfileMetrics": {
"type": "bool",
"defaultValue": false,
Expand Down Expand Up @@ -1689,15 +1645,6 @@
}
},
"resources": {
"cMKKeyVault::cMKKey": {
"condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]",
"existing": true,
"type": "Microsoft.KeyVault/vaults/keys",
"apiVersion": "2023-02-01",
"subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]",
"resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]",
"name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]"
},
"avmTelemetry": {
"condition": "[parameters('enableTelemetry')]",
"type": "Microsoft.Resources/deployments",
Expand All @@ -1718,15 +1665,6 @@
}
}
},
"cMKKeyVault": {
"condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]",
"existing": true,
"type": "Microsoft.KeyVault/vaults",
"apiVersion": "2023-02-01",
"subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]",
"resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]",
"name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]"
},
"managedCluster": {
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2024-03-02-preview",
Original file line number Diff line number Diff line change
Expand Up @@ -79,13 +79,6 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-11-01' = {
kty: 'RSA'
}
}

resource kmskey 'keys@2022-07-01' = {
name: 'kmsEncryptionKey'
properties: {
kty: 'RSA'
}
}
}

resource keyPermissionsKeyVaultCryptoUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
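Review bot: Only the `kmskey` child is dropped here; the `key` resource that precedes it (the `kty: 'RSA'` block) stays, and it is still needed by the Disk Encryption Set whose id is output further down, so the retained part is correct. Check whether the `keyPermissionsKeyVaultCryptoUser` role assignment in the following context line was granting crypto-user access for the removed KMS key: if it only served that path it is now a dangling privilege grant in the test environment and should be removed with this change; if it serves the Disk Encryption Set, a one-line comment naming that consumer would stop the next reader from asking the same question.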
Expand Down Expand Up @@ -171,12 +164,6 @@ output managedIdentityKubeletIdentityResourceId string = managedIdentityKubeletI
@description('The resource ID of the created Disk Encryption Set.')
output diskEncryptionSetResourceId string = diskEncryptionSet.id

@description('The resource ID of the created Key Vault.')
output keyVaultResourceId string = keyVault.id

@description('The name of the Key Vault Encryption Key.')
output keyVaultEncryptionKeyName string = keyVault::key.name

@description('The resource ID of the created Proximity Placement Group.')
output proximityPlacementGroupResourceId string = proximityPlacementGroup.id

Original file line number Diff line number Diff line change
Expand Up @@ -222,11 +222,6 @@ module testDeployment '../../../main.bicep' = [
enableKeyvaultSecretsProvider: true
enablePodSecurityPolicy: false
enableAzureMonitorProfileMetrics: true
customerManagedKey: {
keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName
keyVaultNetworkAccess: 'Public'
keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId
}
lock: {
kind: 'CanNotDelete'
name: 'myCustomLockName'
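Review bot: With `customerManagedKey` removed from the test deployment, no test case exercises Key Vault-backed encryption for the cluster any more. That is consistent with the feature never having been applied, but when CMK/KMS is re-implemented the test should reinstate a case that passes a key from `nestedDependencies`, so that key resolution and the cluster identity's vault access are verified by an actual deployment rather than only by compilation.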
