refactor bicep to be cleaner and remove ssh public key generation for…

… AKS deployment - no longer needed
Azure-Samples · Jan 4, 2025 · 96dcd95 · 96dcd95
1 parent 3c96059
commit 96dcd95
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 70 deletions.
diff --git a/infra/core/acr/acr.bicep b/infra/core/acr/acr.bicep
@@ -30,7 +30,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' =
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
   for role in roleAssignments: {
     name: guid('${role.principalId}-${role.principalType}-${role.roleDefinitionId}')
-    scope: registry
+    scope: resourceGroup()
     properties: role
   }
 ]

diff --git a/infra/core/ai-search/ai-search.bicep b/infra/core/ai-search/ai-search.bicep
@@ -31,7 +31,7 @@ resource aiSearch 'Microsoft.Search/searchServices@2024-03-01-preview' = {
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
   for role in roleAssignments: {
     name: guid('${role.principalId}-${role.principalType}-${role.roleDefinitionId}')
-    scope: aiSearch
+    scope: resourceGroup()
     properties: role
   }
 ]

diff --git a/infra/core/aks/aks.bicep b/infra/core/aks/aks.bicep
@@ -43,12 +43,6 @@ param graphragVMSize string = 'standard_d8s_v5' // 8 vcpu, 32 GB memory
 @description('The VM size of nodes running GraphRAG indexing jobs.')
 param graphragIndexingVMSize string = 'standard_e8s_v5' // 8 vcpus, 64 GB memory
 
-@description('User name for the Linux Virtual Machines.')
-param linuxAdminUsername string = 'azureuser'
-
-@description('Configure all linux machines with the SSH RSA public key string. Your key should include three parts, for example \'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm\'')
-param sshRSAPublicKey string
-
 @description('Enable encryption at host')
 param enableEncryptionAtHost bool = false
 
@@ -69,14 +63,15 @@ resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing
   name: privateDnsZoneName
 }
 
-resource aks 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
+resource aks 'Microsoft.ContainerService/managedClusters@2024-09-02-preview' = {
   name: clusterName
   location: location
   identity: {
     type: 'SystemAssigned'
   }
   properties: {
     enableRBAC: true
+    disableLocalAccounts: true
     dnsPrefix: !empty(dnsPrefix) ? dnsPrefix : toLower(clusterName)
     aadProfile: {
       managed: true
@@ -121,16 +116,6 @@ resource aks 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
         ]
       }
     }
-    linuxProfile: {
-      adminUsername: linuxAdminUsername
-      ssh: {
-        publicKeys: [
-          {
-            keyData: sshRSAPublicKey
-          }
-        ]
-      }
-    }
     networkProfile: {
       serviceCidr: '10.3.0.0/16'  // must not overlap with any subnet IP ranges
       dnsServiceIP: '10.3.0.10'   // must be within the range specified in serviceCidr
@@ -200,7 +185,7 @@ resource aks 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
   }
 }
 
-resource aksManagedAutoUpgradeSchedule 'Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2024-03-02-preview' = {
+resource aksManagedAutoUpgradeSchedule 'Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2024-09-02-preview' = {
   parent: aks
   name: 'aksManagedAutoUpgradeSchedule'
   properties: {
@@ -218,7 +203,7 @@ resource aksManagedAutoUpgradeSchedule 'Microsoft.ContainerService/managedCluste
   }
 }
 
-resource aksManagedNodeOSUpgradeSchedule 'Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2024-03-02-preview' = {
+resource aksManagedNodeOSUpgradeSchedule 'Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2024-09-02-preview' = {
   parent: aks
   name: 'aksManagedNodeOSUpgradeSchedule'
   properties: {
@@ -240,7 +225,7 @@ resource aksManagedNodeOSUpgradeSchedule 'Microsoft.ContainerService/managedClus
 resource webAppRoutingPrivateDnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
   for role in ingressRoleAssignments: {
     name: guid('${role.roleDefinitionId}-${privateDnsZone.id}')
-    scope: privateDnsZone
+    scope: resourceGroup()
     properties: {
       principalId: aks.properties.ingressProfile.webAppRouting.identity.objectId
       principalType: role.principalType

diff --git a/infra/core/storage/storage.bicep b/infra/core/storage/storage.bicep
@@ -71,7 +71,7 @@ resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
 resource storageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
   for role in roleAssignments: {
     name: guid('${role.principalId}-${role.principalType}-${role.roleDefinitionId}')
-    scope: storage
+    scope: resourceGroup()
     properties: role
   }
 ]

diff --git a/infra/deploy.sh b/infra/deploy.sh
@@ -275,22 +275,6 @@ createResourceGroupIfNotExists () {
     fi
 }
 
-createSshkeyIfNotExists () {
-    local rg=$1
-    local keyName="aks-publickey"
-    printf "Checking if sshkey exists... "
-    local keyDetails=$(az sshkey show -g $rg --name $keyName -o json 2> /dev/null)
-    if [ -z "$keyDetails" ]; then
-        printf "No.\n"
-        printf "Creating sshkey... "
-        local keyDetails=$(az sshkey create -g $rg --name $keyName -o json)
-        exitIfCommandFailed $? "Error creating sshkey."
-    else
-        printf "Yes.\n"
-    fi
-    SSHKEY_DETAILS=$keyDetails
-}
-
 getAksCredentials () {
     local rg=$1
     local aks=$2
@@ -334,8 +318,6 @@ checkForApimSoftDelete () {
 
 deployAzureResources () {
     echo "Deploying Azure resources..."
-    local SSH_PUBLICKEY=$(jq -r .publicKey <<< $SSHKEY_DETAILS)
-    exitIfValueEmpty "$SSH_PUBLICKEY" "Unable to read ssh publickey, exiting..."
     # get principal/object id of the signed in user
     local deployerPrincipalId=$(az ad signed-in-user show --output json | jq -r .id)
     exitIfValueEmpty $deployerPrincipalId "Principal ID of deployer not found"
@@ -352,7 +334,6 @@ deployAzureResources () {
         --parameters "apimTier=$APIM_TIER" \
         --parameters "apiPublisherName=$PUBLISHER_NAME" \
         --parameters "apiPublisherEmail=$PUBLISHER_EMAIL" \
-        --parameters "aksSshRsaPublicKey=$SSH_PUBLICKEY" \
         --parameters "enablePrivateEndpoints=$ENABLE_PRIVATE_ENDPOINTS" \
         --parameters "acrName=$CONTAINER_REGISTRY_NAME" \
         --parameters "deployerPrincipalId=$deployerPrincipalId" \
@@ -707,9 +688,6 @@ validateSKUs $LOCATION $VALIDATE_SKUS_FLAG
 # Create resource group
 createResourceGroupIfNotExists $LOCATION $RESOURCE_GROUP
 
-# Generate ssh key for AKS
-createSshkeyIfNotExists $RESOURCE_GROUP
-
 # Deploy Azure resources
 checkForApimSoftDelete
 deployAzureResources

diff --git a/infra/main.bicep b/infra/main.bicep
@@ -34,18 +34,15 @@ param deployerPrincipalId string
 
 @minLength(1)
 @description('Name of the publisher of the API Management instance.')
-param apiPublisherName string
+param apiPublisherName string = 'Microsoft'
 
 @minLength(1)
 @description('Email address of the publisher of the API Management instance.')
-param apiPublisherEmail string
+param apiPublisherEmail string = '[email protected]'
 
 @description('The AKS namespace to install GraphRAG in.')
 param aksNamespace string = 'graphrag'
 
-@description('Public key to allow access to AKS Linux nodes.')
-param aksSshRsaPublicKey string
-
 @description('Whether to enable private endpoints.')
 param enablePrivateEndpoints bool = true
 
@@ -108,7 +105,7 @@ var roles = {
 }
 
 module log 'core/log-analytics/log.bicep' = {
-  name: 'log-analytics'
+  name: 'log-analytics-deployment'
   params:{
     name: '${abbrs.operationalInsightsWorkspaces}${resourceBaseNameFinal}'
     location: location
@@ -117,15 +114,15 @@ module log 'core/log-analytics/log.bicep' = {
 }
 
 module nsg 'core/vnet/nsg.bicep' = {
-  name: 'nsg'
+  name: 'nsg-deployment'
   params: {
     nsgName: '${abbrs.networkNetworkSecurityGroups}${resourceBaseNameFinal}'
     location: location
   }
 }
 
 resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' = {
-  name: '${abbrs.networkVirtualNetworks}${resourceBaseNameFinal}'
+  name: '${abbrs.networkVirtualNetworks}${resourceBaseNameFinal}-deployment'
   location: location
   properties: {
     addressSpace: {
@@ -173,7 +170,7 @@ resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' = {
 }
 
 module acr 'core/acr/acr.bicep' = {
-  name: 'acr'
+  name: 'acr-deployment'
   params: {
     registryName: !empty(acrName) ? acrName : '${abbrs.containerRegistryRegistries}${resourceBaseNameFinal}'
     location: location
@@ -188,14 +185,13 @@ module acr 'core/acr/acr.bicep' = {
 }
 
 module aks 'core/aks/aks.bicep' = {
-  name: 'aks'
+  name: 'aks-deployment'
   params:{
     clusterName: '${abbrs.containerServiceManagedClusters}${resourceBaseNameFinal}'
     location: location
     graphragVMSize: 'standard_d8s_v5'           // 8 vcpu, 32 GB memory
     graphragIndexingVMSize: 'standard_e8s_v5'   // 8 vcpus, 64 GB memory
-    clusterAdmins: ['${deployerPrincipalId}']
-    sshRSAPublicKey: aksSshRsaPublicKey
+    clusterAdmins: !empty(deployerPrincipalId) ? ['${deployerPrincipalId}'] : null
     logAnalyticsWorkspaceId: log.outputs.id
     subnetId: vnet.properties.subnets[1].id // aks subnet
     privateDnsZoneName: privateDnsZone.outputs.name
@@ -215,7 +211,7 @@ module aks 'core/aks/aks.bicep' = {
 }
 
 module cosmosdb 'core/cosmosdb/cosmosdb.bicep' = {
-  name: 'cosmosdb'
+  name: 'cosmosdb-deployment'
   params: {
     cosmosDbName: !empty(cosmosDbName) ? cosmosDbName : '${abbrs.documentDBDatabaseAccounts}${resourceBaseNameFinal}'
     location: location
@@ -225,7 +221,7 @@ module cosmosdb 'core/cosmosdb/cosmosdb.bicep' = {
 }
 
 module aiSearch 'core/ai-search/ai-search.bicep' = {
-  name: 'aisearch'
+  name: 'aisearch-deployment'
   params: {
     name: !empty(aiSearchName) ? aiSearchName : '${abbrs.searchSearchServices}${resourceBaseNameFinal}'
     location: location
@@ -251,7 +247,7 @@ module aiSearch 'core/ai-search/ai-search.bicep' = {
 }
 
 module storage 'core/storage/storage.bicep' = {
-  name: 'storage'
+  name: 'storage-deployment'
   params: {
     name: !empty(storageAccountName) ? storageAccountName : '${abbrs.storageStorageAccounts}${replace(resourceBaseNameFinal, '-', '')}'
     location: location
@@ -273,7 +269,7 @@ module storage 'core/storage/storage.bicep' = {
 }
 
 module apim 'core/apim/apim.bicep' = {
-  name: 'apim'
+  name: 'apim-deployment'
   params: {
     apiManagementName: !empty(apimName) ? apimName : '${abbrs.apiManagementService}${resourceBaseNameFinal}'
     restoreAPIM: restoreAPIM
@@ -292,15 +288,15 @@ module apim 'core/apim/apim.bicep' = {
 }
 
 module graphragApi 'core/apim/apim.graphrag-documentation.bicep' = {
-  name: 'graphrag-api'
+  name: 'graphrag-api-deployment'
   params: {
     apimname: apim.outputs.name
     backendUrl: appUrl
   }
 }
 
 module workloadIdentity 'core/identity/identity.bicep' = {
-  name: 'workload-identity'
+  name: 'workload-identity-deployment'
   params: {
     name: workloadIdentityName
     location: location
@@ -315,7 +311,7 @@ module workloadIdentity 'core/identity/identity.bicep' = {
 }
 
 module privateDnsZone 'core/vnet/private-dns-zone.bicep' = {
-  name: 'private-dns-zone'
+  name: 'private-dns-zone-deployment'
   params: {
     name: dnsDomain
     vnetNames: [
@@ -325,7 +321,7 @@ module privateDnsZone 'core/vnet/private-dns-zone.bicep' = {
 }
 
 module privatelinkPrivateDns 'core/vnet/privatelink-private-dns-zones.bicep' = if (enablePrivateEndpoints) {
-  name: 'privatelink-private-dns-zones'
+  name: 'privatelink-private-dns-zones-deployment'
   params: {
     linkedVnetIds: [
       vnet.id
@@ -334,7 +330,7 @@ module privatelinkPrivateDns 'core/vnet/privatelink-private-dns-zones.bicep' = i
 }
 
 module azureMonitorPrivateLinkScope 'core/monitor/private-link-scope.bicep' = if (enablePrivateEndpoints) {
-  name: 'azure-monitor-privatelink-scope'
+  name: 'azure-monitor-privatelink-scope-deployment'
   params: {
     privateLinkScopeName: 'pls-${resourceBaseNameFinal}'
     privateLinkScopedResources: [
@@ -345,7 +341,7 @@ module azureMonitorPrivateLinkScope 'core/monitor/private-link-scope.bicep' = if
 }
 
 module cosmosDbPrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enablePrivateEndpoints) {
-  name: 'cosmosDb-private-endpoint'
+  name: 'cosmosDb-private-endpoint-deployment'
   params: {
     privateEndpointName: '${abbrs.privateEndpoint}cosmos-${cosmosdb.outputs.name}'
     location: location
@@ -357,7 +353,7 @@ module cosmosDbPrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enablePr
 }
 
 module blobStoragePrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enablePrivateEndpoints) {
-  name: 'blob-storage-private-endpoint'
+  name: 'blob-storage-private-endpoint-deployment'
   params: {
     privateEndpointName: '${abbrs.privateEndpoint}blob-${storage.outputs.name}'
     location: location
@@ -369,7 +365,7 @@ module blobStoragePrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enabl
 }
 
 module aiSearchPrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enablePrivateEndpoints) {
-  name: 'ai-search-private-endpoint'
+  name: 'ai-search-private-endpoint-deployment'
   params: {
     privateEndpointName: '${abbrs.privateEndpoint}search-${aiSearch.outputs.name}'
     location: location
@@ -381,7 +377,7 @@ module aiSearchPrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enablePr
 }
 
 module privateLinkScopePrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enablePrivateEndpoints) {
-  name: 'privatelink-scope-private-endpoint'
+  name: 'privatelink-scope-private-endpoint-deployment'
   params: {
     privateEndpointName: '${abbrs.privateEndpoint}pls-${resourceBaseNameFinal}'
     location: location