mspnp · ckittel · Feb 15, 2022 · Feb 14, 2022 · Feb 15, 2022 · Feb 15, 2022
diff --git a/05-bootstrap-prep.md b/05-bootstrap-prep.md
@@ -41,7 +41,7 @@ We'll be bootstrapping this cluster with the Flux GitOps agent as installed as a
 
    ```bash
    # [This takes about four minutes.]
-   az deployment group create -g rg-bu0001a0008 -f acr-stamp.json -p targetVnetResourceId=${RESOURCEID_VNET_CLUSTERSPOKE_AKS_BASELINE}
+   az deployment group create -g rg-bu0001a0008 -f acr-stamp.bicep -p targetVnetResourceId=${RESOURCEID_VNET_CLUSTERSPOKE_AKS_BASELINE}
    ```
 
 1. Import cluster management images to your container registry.

diff --git a/acr-stamp.bicep b/acr-stamp.bicep
@@ -0,0 +1,211 @@
+targetScope = 'resourceGroup'
+
+/*** PARAMETERS ***/
+
+@description('The regional network spoke VNet Resource ID that the cluster will be joined to.')
+@minLength(79)
+param targetVnetResourceId string
+
+@allowed([
+  'australiaeast'
+  'canadacentral'
+  'centralus'
+  'eastus'
+  'eastus2'
+  'westus2'
+  'francecentral'
+  'germanywestcentral'
+  'northeurope'
+  'southafricanorth'
+  'southcentralus'
+  'uksouth'
+  'westeurope'
+  'japaneast'
+  'southeastasia'
+])
+@description('AKS Service, Node Pool, and supporting services (KeyVault, App Gateway, etc) region. This needs to be the same region as the vnet provided in these parameters.')
+param location string = 'eastus2'
+
+@allowed([
+  'australiasoutheast'
+  'canadaeast'
+  'eastus2'
+  'westus'
+  'centralus'
+  'westcentralus'
+  'francesouth'
+  'germanynorth'
+  'westeurope'
+  'ukwest'
+  'northeurope'
+  'japanwest'
+  'southafricawest'
+  'northcentralus'
+  'eastasia'
+  'eastus'
+  'westus2'
+  'francecentral'
+  'uksouth'
+  'japaneast'
+  'southeastasia'
+])
+@description('For Azure resources that support native geo-redunancy, provide the location the redundant service will have its secondary. Should be different than the location parameter and ideally should be a paired region - https://docs.microsoft.com/azure/best-practices-availability-paired-regions. This region does not need to support availability zones.')
+param geoRedundancyLocation string = 'centralus'
+
+/*** VARIABLES ***/
+
+var subRgUniqueString = uniqueString('aks', subscription().subscriptionId, resourceGroup().id)
+
+/*** EXISTING RESOURCES ***/
+
+resource spokeResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' existing = {
+  scope: subscription()
+  name: '${split(targetVnetResourceId,'/')[4]}'
+}
+
+resource spokeVirtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' existing = {
+  scope: spokeResourceGroup
+  name: '${last(split(targetVnetResourceId,'/'))}'
+
+  resource snetClusterNodes 'subnets@2021-05-01' existing = {
+    name: 'snet-clusternodes'
+  }
+}
+
+/*** RESOURCES ***/
+
+// This Log Analytics workspace will be the log sink for all resources in the cluster resource group. This includes ACR, the AKS cluster, Key Vault, etc. It also is the Container Insights log sink for the AKS cluster.
+resource laAks 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
+  name: 'la-aks-${subRgUniqueString}'
+  location: location
+  properties: {
+    sku: {
+      name: 'PerGB2018'
+    }
+    retentionInDays: 30
+  }
+}
+
+// Azure Container Registry will be exposed via Private Link, set up the related Private DNS zone and virtual network link to the spoke.
+resource dnsPrivateZoneAcr 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+  name: 'privatelink.azurecr.io'
+  location: 'global'
+  properties: {}
+
+  resource dnsVnetLinkAcrToSpoke 'virtualNetworkLinks@2020-06-01' = {
+    name: 'to_${spokeVirtualNetwork.name}'
+    location: 'global'
+    properties: {
+      virtualNetwork: {
+        id: targetVnetResourceId
+      }
+      registrationEnabled: false
+    }
+  }
+}
+
+// The Container Registry that the AKS cluster will be authorized to use to pull images.
+resource acrAks 'Microsoft.ContainerRegistry/registries@2021-09-01' = {
+  name: 'acraks${subRgUniqueString}'
+  location: location
+  sku: {
+    name: 'Premium'
+  }
+  properties: {
+    adminUserEnabled: false
+    networkRuleSet: {
+      defaultAction: 'Deny'
+      ipRules: []
+    }
+    policies: {
+      quarantinePolicy: {
+        status: 'disabled'
+      }
+      trustPolicy: {
+        type: 'Notary'
+        status: 'disabled'
+      }
+      retentionPolicy: {
+        days: 15
+        status: 'enabled'
+      }
+    }
+    publicNetworkAccess: 'Disabled'
+    encryption: {
+      status: 'disabled'
+    }
+    dataEndpointEnabled: true
+    networkRuleBypassOptions: 'AzureServices'
+    zoneRedundancy: 'Disabled' // This Preview feature only supports three regions at this time, and eastus2's paired region (centralus), does not support this. So disabling for now.
+  }
+
+  resource acrReplication 'replications@2021-09-01' = {
+    name: geoRedundancyLocation
+    location: geoRedundancyLocation
+    properties: {}
+  }
+}
+
+resource acrAks_diagnosticsSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+  name: 'default'
+  scope: acrAks
+  properties: {
+    workspaceId: laAks.id
+    metrics: [
+      {
+        timeGrain: 'PT1M'
+        category: 'AllMetrics'
+        enabled: true
+      }
+    ]
+    logs: [
+      {
+        categoryGroup: 'allLogs'
+        enabled: true
+      }
+    ]
+  }
+}
+
+// Expose Azure Container Registry via Private Link, into the cluster nodes subnet.
+resource privateEndpointAcrToVnet 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+  name: 'acr_to_${spokeVirtualNetwork.name}'
+  location: location
+  dependsOn: [
+    acrAks::acrReplication
+  ]
+  properties: {
+    subnet: {
+      id: spokeVirtualNetwork::snetClusterNodes.id
+    }
+    privateLinkServiceConnections: [
+      {
+        name: 'nodepools'
+        properties: {
+          privateLinkServiceId: acrAks.id
+          groupIds: [
+            'registry'
+          ]
+        }
+      }
+    ]
+  }
+
+  resource privateDnsZoneGroupAcr 'privateDnsZoneGroups@2021-05-01' = {
+    name: 'default'
+    properties: {
+      privateDnsZoneConfigs: [
+        {
+          name: 'privatelink-azurecr-io'
+          properties: {
+            privateDnsZoneId: dnsPrivateZoneAcr.id
+          }
+        }
+      ]
+    }
+  }
+}
+
+/*** OUTPUTS ***/
+
+output containerRegistryName string = acrAks.name