diff --git a/avm/res/container-service/managed-cluster/README.md b/avm/res/container-service/managed-cluster/README.md index 11d2b40836..7d4770fd3b 100644 --- a/avm/res/container-service/managed-cluster/README.md +++ b/avm/res/container-service/managed-cluster/README.md @@ -384,11 +384,6 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:' - keyVaultNetworkAccess: 'Public' - keyVaultResourceId: '' - } diagnosticSettings: [ { eventHubAuthorizationRuleResourceId: '' @@ -653,13 +648,6 @@ module managedCluster 'br/public:avm/res/container-service/managed-cluster:", - "keyVaultNetworkAccess": "Public", - "keyVaultResourceId": "" - } - }, "diagnosticSettings": { "value": [ { @@ -962,11 +950,6 @@ param agentPools = [ ] param autoNodeOsUpgradeProfileUpgradeChannel = 'Unmanaged' param autoUpgradeProfileUpgradeChannel = 'stable' -param customerManagedKey = { - keyName: '' - keyVaultNetworkAccess: 'Public' - keyVaultResourceId: '' -} param diagnosticSettings = [ { eventHubAuthorizationRuleResourceId: '' 
@@ -2758,7 +2741,6 @@ param tags = { | [`azurePolicyVersion`](#parameter-azurepolicyversion) | string | Specifies the azure policy version to use. | | [`backendPoolType`](#parameter-backendpooltype) | string | The type of the managed inbound Load Balancer BackendPool. | | [`costAnalysisEnabled`](#parameter-costanalysisenabled) | bool | Specifies whether the cost analysis add-on is enabled or not. If Enabled `enableStorageProfileDiskCSIDriver` is set to true as it is needed. | -| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableCustomMetrics`](#parameter-disablecustommetrics) | bool | Indicates whether custom metrics collection has to be disabled or not. If not specified the default is false. No custom metrics will be emitted if this field is false but the container insights enabled field is false. | | [`disableLocalAccounts`](#parameter-disablelocalaccounts) | bool | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. | 
@@ -3905,62 +3887,6 @@ Specifies whether the cost analysis add-on is enabled or not. If Enabled `enable - Type: bool - Default: `False` -### Parameter: `customerManagedKey` - -The customer managed key definition. - -- Required: No -- Type: object - -**Required parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | -| [`keyVaultNetworkAccess`](#parameter-customermanagedkeykeyvaultnetworkaccess) | string | Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. | -| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | - -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | - -### Parameter: `customerManagedKey.keyName` - -The name of the customer managed key to use for encryption. - -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVaultNetworkAccess` - -Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public. - -- Required: Yes -- Type: string -- Allowed: - ```Bicep - [ - 'Private' - 'Public' - ] - ``` - -### Parameter: `customerManagedKey.keyVaultResourceId` - -The resource ID of a key vault to reference a customer managed key for encryption from. 
- -- Required: Yes -- Type: string - -### Parameter: `customerManagedKey.keyVersion` - -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. - -- Required: No -- Type: string - ### Parameter: `diagnosticSettings` The diagnostic settings of the service. diff --git a/avm/res/container-service/managed-cluster/main.bicep b/avm/res/container-service/managed-cluster/main.bicep index 802fbcbd31..f934e27c38 100644 --- a/avm/res/container-service/managed-cluster/main.bicep +++ b/avm/res/container-service/managed-cluster/main.bicep @@ -367,9 +367,6 @@ param kedaAddon bool = false @description('Optional. Whether to enable VPA add-on in cluster. Default value is false.') param vpaAddon bool = false -@description('Optional. The customer managed key definition.') -param customerManagedKey customerManagedKeyType? - @description('Optional. Whether the metric state of the kubenetes cluster is enabled.') param enableAzureMonitorProfileMetrics bool = false @@ -529,18 +526,6 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableT } } -resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { - name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) - scope: resourceGroup( - split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], - split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4] - ) - - resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { - name: customerManagedKey.?keyName ?? 'dummyKey' - } -} - // ============== // // Main Resources // // ============== // 
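Review bot: The `cMKKeyVault`/`cMKKey` existing resources deleted in the second hunk are not referenced by any other hunk in this diff, and nothing is removed from the `managedCluster` resource body, which suggests `customerManagedKey` was accepted by the module but never applied to the cluster (the removed `keyVaultNetworkAccess` field mirrors AKS's `securityProfile.azureKeyVaultKms`, which would have been the consumer). If that reading holds, the parameter was a silent no-op: callers who supplied a key may believe etcd/secret encryption with their own key was in effect while the cluster was deployed without it, so the removal should be documented as such in the module's changelog/version notes rather than as a plain parameter removal, e.g. `// NOTE: customerManagedKey was removed because it was never wired to securityProfile.azureKeyVaultKms; KMS encryption must be re-introduced via securityProfile.` near the top of the parameter section. If KMS support is still intended, re-adding it means setting `securityProfile.azureKeyVaultKms` on the cluster from the key vault/key references rather than only declaring them. The `managedCluster` resource body lies outside both hunks, so the never-wired reading should be confirmed against it before the note is written.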
@@ -1307,21 +1292,6 @@ type extensionType = { configurations: array? } -@export() -type customerManagedKeyType = { - @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') - keyVaultResourceId: string - - @description('Required. The name of the customer managed key to use for encryption.') - keyName: string - - @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') - keyVersion: string? - - @description('Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public.') - keyVaultNetworkAccess: ('Private' | 'Public') -} - @export() type maintenanceConfigurationType = { @description('Required. Name of maintenance window.') diff --git a/avm/res/container-service/managed-cluster/main.json b/avm/res/container-service/managed-cluster/main.json index af2023e345..01365b70b1 100644 --- a/avm/res/container-service/managed-cluster/main.json +++ b/avm/res/container-service/managed-cluster/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "15234959045281729347" + "templateHash": "2262054677651831225" }, "name": "Azure Kubernetes Service (AKS) Managed Clusters", "description": "This module deploys an Azure Kubernetes Service (AKS) Managed Cluster.", 
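Review bot: Deleting the `@export()`-ed `customerManagedKeyType` in the first hunk is a breaking change for any consumer that imports the type from this module's public registry path, independent of whether they ever passed `customerManagedKey`, so it should be recorded as a breaking change with the corresponding version bump rather than folded into a parameter cleanup. A short pointer in the module's version notes, such as `Removed exported type customerManagedKeyType (breaking); no replacement`, would let downstream templates fix their `import` statements deliberately. The remaining hunks on this line only bump the generated `templateHash` in main.json and need no review.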
@@ -648,43 +648,6 @@ "__bicep_export!": true } }, - "customerManagedKeyType": { - "type": "object", - "properties": { - "keyVaultResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." - } - }, - "keyName": { - "type": "string", - "metadata": { - "description": "Required. The name of the customer managed key to use for encryption." - } - }, - "keyVersion": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." - } - }, - "keyVaultNetworkAccess": { - "type": "string", - "allowedValues": [ - "Private", - "Public" - ], - "metadata": { - "description": "Required. Network access of key vault. The possible values are Public and Private. Public means the key vault allows public access from all networks. Private means the key vault disables public access and enables private link. The default value is Public." - } - } - }, - "metadata": { - "__bicep_export!": true - } - }, "maintenanceConfigurationType": { "type": "object", "properties": { @@ -1565,13 +1528,6 @@ "description": "Optional. Whether to enable VPA add-on in cluster. Default value is false." } }, - "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", - "nullable": true, - "metadata": { - "description": "Optional. The customer managed key definition." - } - }, "enableAzureMonitorProfileMetrics": { "type": "bool", "defaultValue": false, 
@@ -1689,15 +1645,6 @@ } }, "resources": { - "cMKKeyVault::cMKKey": { - "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults/keys", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]" - }, "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", @@ -1718,15 +1665,6 @@ } } }, - "cMKKeyVault": { - "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", - "existing": true, - "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2023-02-01", - "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", - "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" - }, "managedCluster": { "type": "Microsoft.ContainerService/managedClusters", "apiVersion": "2024-03-02-preview", diff --git a/avm/res/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep b/avm/res/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep index 3819c5f541..48d9944c0c 100644 --- a/avm/res/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep 
+++ b/avm/res/container-service/managed-cluster/tests/e2e/azure/dependencies.bicep @@ -79,13 +79,6 @@ resource keyVault 'Microsoft.KeyVault/vaults@2022-11-01' = { kty: 'RSA' } } - - resource kmskey 'keys@2022-07-01' = { - name: 'kmsEncryptionKey' - properties: { - kty: 'RSA' - } - } } resource keyPermissionsKeyVaultCryptoUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = { @@ -171,12 +164,6 @@ output managedIdentityKubeletIdentityResourceId string = managedIdentityKubeletI @description('The resource ID of the created Disk Encryption Set.') output diskEncryptionSetResourceId string = diskEncryptionSet.id -@description('The resource ID of the created Key Vault.') -output keyVaultResourceId string = keyVault.id - -@description('The name of the Key Vault Encryption Key.') -output keyVaultEncryptionKeyName string = keyVault::key.name - @description('The resource ID of the created Proximity Placement Group.') output proximityPlacementGroupResourceId string = proximityPlacementGroup.id diff --git a/avm/res/container-service/managed-cluster/tests/e2e/azure/main.test.bicep b/avm/res/container-service/managed-cluster/tests/e2e/azure/main.test.bicep index 884c033a7e..f5c6f24b45 100644 --- a/avm/res/container-service/managed-cluster/tests/e2e/azure/main.test.bicep +++ b/avm/res/container-service/managed-cluster/tests/e2e/azure/main.test.bicep @@ -222,11 +222,6 @@ module testDeployment '../../../main.bicep' = [ enableKeyvaultSecretsProvider: true enablePodSecurityPolicy: false enableAzureMonitorProfileMetrics: true - customerManagedKey: { - keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName - keyVaultNetworkAccess: 'Public' - keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId - } lock: { kind: 'CanNotDelete' name: 'myCustomLockName'