forked from mspnp/aks-fabrikam-dronedelivery
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nested_nestedACRDeployment.bicep
96 lines (85 loc) · 2.71 KB
/
nested_nestedACRDeployment.bicep
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
@description('Aks Cluster identity.')
param clusterIdentityObjectId string
@description('The name of the resource group that contains the virtual network for acr.')
param vNetResourceGroup string
@description('The resource id of the Log Analytics Workspace.')
param logAnalyticsWorkspaceId string
@description('The name of the Azure Container Registry (ACR) name.')
param acrName string
@description('The resource id of the subnet that the node pool will be deployed to.')
param vnetNodePoolSubnetResourceId string
@description('AKS Service, Node Pool, and supporting services (KeyVault, App Gateway, etc) region. The network team maintains this approved regional list which is a subset of zones with Availability Zone support.')
param location string = resourceGroup().location
var acrPullRole = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
resource acr 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' existing = {
name: acrName
}
resource acrMicrosoftAuthorizationAcrPullRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
name: guid(concat(resourceGroup().id), '7f951dda-4ed3-4680-a7ca-43fe172d538d')
scope: acr
properties: {
roleDefinitionId: acrPullRole
principalId: clusterIdentityObjectId
principalType: 'ServicePrincipal'
}
dependsOn: []
}
resource nodepoolToAcrPrivateEndpoint 'Microsoft.Network/privateEndpoints@2020-04-01' = {
name: 'nodepool-to-acr'
location: location
properties: {
subnet: {
id: vnetNodePoolSubnetResourceId
}
privateLinkServiceConnections: [
{
name: 'nodepoolsubnet-to-registry'
properties: {
privateLinkServiceId: acr.id
groupIds: [
'registry'
]
}
}
]
}
dependsOn: []
}
resource nodepoolToAcrDefaultDNSGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-04-01' = {
parent: nodepoolToAcrPrivateEndpoint
name: 'default'
properties: {
privateDnsZoneConfigs: [
{
name: 'privatelink-azurecr-io'
properties: {
privateDnsZoneId: resourceId(vNetResourceGroup, 'Microsoft.Network/privateDnsZones', 'privatelink.azurecr.io')
}
}
]
}
}
resource acrMicrosoftInsightsDefault 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
name: 'default'
scope: acr
properties: {
workspaceId: logAnalyticsWorkspaceId
metrics: [
{
timeGrain: 'PT1M'
category: 'AllMetrics'
enabled: true
}
]
logs: [
{
category: 'ContainerRegistryRepositoryEvents'
enabled: true
}
{
category: 'ContainerRegistryLoginEvents'
enabled: true
}
]
}
}