diff --git a/infra/core/acr/acr.bicep b/infra/core/acr/acr.bicep
index 51e2821a..c5d9a504 100644
--- a/infra/core/acr/acr.bicep
+++ b/infra/core/acr/acr.bicep
@@ -30,7 +30,7 @@ resource registry 'Microsoft.ContainerRegistry/registries@2023-11-01-preview' =
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
 for role in roleAssignments: {
 name: guid('${role.principalId}-${role.principalType}-${role.roleDefinitionId}')
- scope: registry
+ scope: resourceGroup()
 properties: role
 }
 ]
diff --git a/infra/core/ai-search/ai-search.bicep b/infra/core/ai-search/ai-search.bicep
index 020aed3c..a02dfe53 100644
--- a/infra/core/ai-search/ai-search.bicep
+++ b/infra/core/ai-search/ai-search.bicep
@@ -31,7 +31,7 @@ resource aiSearch 'Microsoft.Search/searchServices@2024-03-01-preview' = {
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
 for role in roleAssignments: {
 name: guid('${role.principalId}-${role.principalType}-${role.roleDefinitionId}')
- scope: aiSearch
+ scope: resourceGroup()
 properties: role
 }
 ]
diff --git a/infra/core/aks/aks.bicep b/infra/core/aks/aks.bicep
index 5d817bbc..07d6e71c 100644
--- a/infra/core/aks/aks.bicep
+++ b/infra/core/aks/aks.bicep
@@ -43,12 +43,6 @@ param graphragVMSize string = 'standard_d8s_v5' // 8 vcpu, 32 GB memory
 @description('The VM size of nodes running GraphRAG indexing jobs.')
 param graphragIndexingVMSize string = 'standard_e8s_v5' // 8 vcpus, 64 GB memory
-@description('User name for the Linux Virtual Machines.')
-param linuxAdminUsername string = 'azureuser'
-
-@description('Configure all linux machines with the SSH RSA public key string. Your key should include three parts, for example \'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm\'')
-param sshRSAPublicKey string
-
 @description('Enable encryption at host')
 param enableEncryptionAtHost bool = false
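Review bot: Changing the role assignment's scope from `registry` to `resourceGroup()` grants each principal the role over every resource in the group rather than over this registry alone, so a pull/push grant now also covers any other registry, or any other resource type whose actions the role matches, that shares the group; that is broader than the change needs. The same widening appears in the ai-search.bicep and storage.bicep hunks and in the webAppRoutingPrivateDnsContributor hunk of aks.bicep. If the motivation was ordering or missing rights on the child scope, keeping `scope: registry` and fixing that is the least-privilege option; if group scope is intended, record why with a comment such as `// NOTE: assigned at resource-group scope on purpose: <reason>`. Also worth checking: the three `guid('${role.principalId}-${role.principalType}-${role.roleDefinitionId}')` names were previously namespaced by their per-resource scope, and with all three modules now assigning at the same group scope, two modules granting the same role to the same principal would collide on the assignment name.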
@@ -69,7 +63,7 @@ resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing
 name: privateDnsZoneName
 }
-resource aks 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
+resource aks 'Microsoft.ContainerService/managedClusters@2024-09-02-preview' = {
 name: clusterName
 location: location
 identity: {
@@ -77,6 +71,7 @@ resource aks 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
 }
 properties: {
 enableRBAC: true
+ disableLocalAccounts: true
 dnsPrefix: !empty(dnsPrefix) ? dnsPrefix : toLower(clusterName)
 aadProfile: {
 managed: true
@@ -121,16 +116,6 @@ resource aks 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
 ]
 }
 }
- linuxProfile: {
- adminUsername: linuxAdminUsername
- ssh: {
- publicKeys: [
- {
- keyData: sshRSAPublicKey
- }
- ]
- }
- }
 networkProfile: {
 serviceCidr: '10.3.0.0/16' // must not overlap with any subnet IP ranges
 dnsServiceIP: '10.3.0.10' // must be within the range specified in serviceCidr
@@ -200,7 +185,7 @@ resource aks 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
 }
 }
-resource aksManagedAutoUpgradeSchedule 'Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2024-03-02-preview' = {
+resource aksManagedAutoUpgradeSchedule 'Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2024-09-02-preview' = {
 parent: aks
 name: 'aksManagedAutoUpgradeSchedule'
 properties: {
@@ -218,7 +203,7 @@ resource aksManagedAutoUpgradeSchedule 'Microsoft.ContainerService/managedCluste
 }
 }
-resource aksManagedNodeOSUpgradeSchedule 'Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2024-03-02-preview' = {
+resource aksManagedNodeOSUpgradeSchedule 'Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2024-09-02-preview' = {
 parent: aks
 name: 'aksManagedNodeOSUpgradeSchedule'
 properties: {
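Review bot: The cluster resource moves from the GA API version `2024-02-01` to `2024-09-02-preview`, and the two maintenanceConfigurations hunks further down make the same move; preview versions carry no compatibility guarantee and can change shape or be withdrawn, so the reason for leaving GA should be recorded next to the resource, e.g. `// preview API version needed for <property>; revisit once it is available in a GA version`. If the only property this commit needs is `disableLocalAccounts`, I believe the GA managedClusters API already exposes it, in which case the bump can be dropped entirely. The aks resource body continues outside this hunk.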
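Review bot: `disableLocalAccounts: true` removes the cluster's local admin credential, so every consumer of the cluster, including `getAksCredentials` in deploy.sh (outside this diff's hunks), has to authenticate through Entra ID; any `az aks get-credentials --admin` path, or a non-interactive pipeline step without an Entra-capable kubeconfig helper, will stop working, and nothing in the commit shows that being handled. The dependency on the `aadProfile` block below should be stated on the line itself: `disableLocalAccounts: true // all kubeconfig access is via Entra ID + Kubernetes RBAC (aadProfile.managed); --admin credentials are unavailable`. The enclosing properties block runs past the end of this hunk.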
@@ -240,7 +225,7 @@ resource aksManagedNodeOSUpgradeSchedule 'Microsoft.ContainerService/managedClus
 resource webAppRoutingPrivateDnsContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
 for role in ingressRoleAssignments: {
 name: guid('${role.roleDefinitionId}-${privateDnsZone.id}')
- scope: privateDnsZone
+ scope: resourceGroup()
 properties: {
 principalId: aks.properties.ingressProfile.webAppRouting.identity.objectId
 principalType: role.principalType
diff --git a/infra/core/storage/storage.bicep b/infra/core/storage/storage.bicep
index 21099044..8f6fa031 100644
--- a/infra/core/storage/storage.bicep
+++ b/infra/core/storage/storage.bicep
@@ -71,7 +71,7 @@ resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
 resource storageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
 for role in roleAssignments: {
 name: guid('${role.principalId}-${role.principalType}-${role.roleDefinitionId}')
- scope: storage
+ scope: resourceGroup()
 properties: role
 }
 ]
diff --git a/infra/deploy.sh b/infra/deploy.sh
index 92b2be1a..df324688 100755
--- a/infra/deploy.sh
+++ b/infra/deploy.sh
@@ -275,22 +275,6 @@ createResourceGroupIfNotExists () {
 fi
 }
-createSshkeyIfNotExists () {
- local rg=$1
- local keyName="aks-publickey"
- printf "Checking if sshkey exists... "
- local keyDetails=$(az sshkey show -g $rg --name $keyName -o json 2> /dev/null)
- if [ -z "$keyDetails" ]; then
- printf "No.\n"
- printf "Creating sshkey... "
- local keyDetails=$(az sshkey create -g $rg --name $keyName -o json)
- exitIfCommandFailed $? "Error creating sshkey."
- else
- printf "Yes.\n"
- fi
- SSHKEY_DETAILS=$keyDetails
-}
 getAksCredentials () {
 local rg=$1
 local aks=$2
@@ -334,8 +318,6 @@ checkForApimSoftDelete () {
 deployAzureResources () {
 echo "Deploying Azure resources..."
- local SSH_PUBLICKEY=$(jq -r .publicKey <<< $SSHKEY_DETAILS)
- exitIfValueEmpty "$SSH_PUBLICKEY" "Unable to read ssh publickey, exiting..."
 # get principal/object id of the signed in user
 local deployerPrincipalId=$(az ad signed-in-user show --output json | jq -r .id)
 exitIfValueEmpty $deployerPrincipalId "Principal ID of deployer not found"
@@ -352,7 +334,6 @@ deployAzureResources () {
 --parameters "apimTier=$APIM_TIER" \
 --parameters "apiPublisherName=$PUBLISHER_NAME" \
 --parameters "apiPublisherEmail=$PUBLISHER_EMAIL" \
- --parameters "aksSshRsaPublicKey=$SSH_PUBLICKEY" \
 --parameters "enablePrivateEndpoints=$ENABLE_PRIVATE_ENDPOINTS" \
 --parameters "acrName=$CONTAINER_REGISTRY_NAME" \
 --parameters "deployerPrincipalId=$deployerPrincipalId" \
@@ -707,9 +688,6 @@ validateSKUs $LOCATION $VALIDATE_SKUS_FLAG
 # Create resource group
 createResourceGroupIfNotExists $LOCATION $RESOURCE_GROUP
-# Generate ssh key for AKS
-createSshkeyIfNotExists $RESOURCE_GROUP
-
 # Deploy Azure resources
 checkForApimSoftDelete
 deployAzureResources
diff --git a/infra/main.bicep b/infra/main.bicep
index 846a90cf..4d9c2ceb 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -34,18 +34,15 @@ param deployerPrincipalId string
 @minLength(1)
 @description('Name of the publisher of the API Management instance.')
-param apiPublisherName string
+param apiPublisherName string = 'Microsoft'
 @minLength(1)
 @description('Email address of the publisher of the API Management instance.')
-param apiPublisherEmail string
+param apiPublisherEmail string = 'publisher@microsoft.com'
 @description('The AKS namespace to install GraphRAG in.')
 param aksNamespace string = 'graphrag'
-@description('Public key to allow access to AKS Linux nodes.')
-param aksSshRsaPublicKey string
-
 @description('Whether to enable private endpoints.')
 param enablePrivateEndpoints bool = true
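Review bot: `apiPublisherEmail` now defaults to `'publisher@microsoft.com'` and `apiPublisherName` to `'Microsoft'`, so a deployer who omits them silently creates an API Management instance whose publisher contact and service notifications point at a mailbox they do not own; with the previous required parameters that omission was a deployment error. deploy.sh still passes `PUBLISHER_NAME` and `PUBLISHER_EMAIL`, so the defaults only matter for callers that bypass the script, which makes them easy to miss. If the parameters are meant to be optional, use an obviously placeholder value and document the consequence, e.g. `@description('Email address of the publisher of the API Management instance. APIM sends service notifications here; override the default with an address you control.')`.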
@@ -108,7 +105,7 @@ var roles = {
 }
 module log 'core/log-analytics/log.bicep' = {
- name: 'log-analytics'
+ name: 'log-analytics-deployment'
 params:{
 name: '${abbrs.operationalInsightsWorkspaces}${resourceBaseNameFinal}'
 location: location
@@ -117,7 +114,7 @@ module log 'core/log-analytics/log.bicep' = {
 }
 module nsg 'core/vnet/nsg.bicep' = {
- name: 'nsg'
+ name: 'nsg-deployment'
 params: {
 nsgName: '${abbrs.networkNetworkSecurityGroups}${resourceBaseNameFinal}'
 location: location
@@ -125,7 +122,7 @@ module nsg 'core/vnet/nsg.bicep' = {
 }
 resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' = {
- name: '${abbrs.networkVirtualNetworks}${resourceBaseNameFinal}'
+ name: '${abbrs.networkVirtualNetworks}${resourceBaseNameFinal}-deployment'
 location: location
 properties: {
 addressSpace: {
@@ -173,7 +170,7 @@ resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' = {
 }
 module acr 'core/acr/acr.bicep' = {
- name: 'acr'
+ name: 'acr-deployment'
 params: {
 registryName: !empty(acrName) ? acrName : '${abbrs.containerRegistryRegistries}${resourceBaseNameFinal}'
 location: location
@@ -188,14 +185,13 @@ module acr 'core/acr/acr.bicep' = {
 }
 module aks 'core/aks/aks.bicep' = {
- name: 'aks'
+ name: 'aks-deployment'
 params:{
 clusterName: '${abbrs.containerServiceManagedClusters}${resourceBaseNameFinal}'
 location: location
 graphragVMSize: 'standard_d8s_v5' // 8 vcpu, 32 GB memory
 graphragIndexingVMSize: 'standard_e8s_v5' // 8 vcpus, 64 GB memory
- clusterAdmins: ['${deployerPrincipalId}']
- sshRSAPublicKey: aksSshRsaPublicKey
+ clusterAdmins: !empty(deployerPrincipalId) ? ['${deployerPrincipalId}'] : null
 logAnalyticsWorkspaceId: log.outputs.id
 subnetId: vnet.properties.subnets[1].id // aks subnet
 privateDnsZoneName: privateDnsZone.outputs.name
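Review bot: The `-deployment` suffix is appended to the `vnet` resource's `name`, but unlike the surrounding hunks this is a `resource`, not a `module`: it renames the virtual network in Azure rather than a deployment. On an existing environment that creates a second VNet with the template's subnets while `vnet.properties.subnets[1].id`, passed to the AKS module, starts pointing at the new one, and the cluster already attached to the old subnet will most likely fail to reconcile; it reads like an accidental search-and-replace. Revert the line to `name: '${abbrs.networkVirtualNetworks}${resourceBaseNameFinal}'`. The vnet resource body continues outside this hunk.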
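Review bot: `clusterAdmins` becomes `null` when `deployerPrincipalId` is empty, and the same commit sets `disableLocalAccounts: true` on the cluster in aks.bicep; together that can yield a cluster with no administrator at all, since neither local accounts nor any Entra ID admin would be configured, and nothing in this hunk guards against it. deploy.sh still aborts when the principal id is empty (`exitIfValueEmpty $deployerPrincipalId`), so the null branch only matters for callers that bypass the script, which is exactly when the guard is missing. Consider `@minLength(1)` on `param deployerPrincipalId string`, or at least a comment on this line: `// null only if an admin is granted by other means: local accounts are disabled on the cluster`. The aks module declaration continues outside this hunk.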
@@ -215,7 +211,7 @@ module aks 'core/aks/aks.bicep' = {
 }
 module cosmosdb 'core/cosmosdb/cosmosdb.bicep' = {
- name: 'cosmosdb'
+ name: 'cosmosdb-deployment'
 params: {
 cosmosDbName: !empty(cosmosDbName) ? cosmosDbName : '${abbrs.documentDBDatabaseAccounts}${resourceBaseNameFinal}'
 location: location
@@ -225,7 +221,7 @@ module cosmosdb 'core/cosmosdb/cosmosdb.bicep' = {
 }
 module aiSearch 'core/ai-search/ai-search.bicep' = {
- name: 'aisearch'
+ name: 'aisearch-deployment'
 params: {
 name: !empty(aiSearchName) ? aiSearchName : '${abbrs.searchSearchServices}${resourceBaseNameFinal}'
 location: location
@@ -251,7 +247,7 @@ module aiSearch 'core/ai-search/ai-search.bicep' = {
 }
 module storage 'core/storage/storage.bicep' = {
- name: 'storage'
+ name: 'storage-deployment'
 params: {
 name: !empty(storageAccountName) ? storageAccountName : '${abbrs.storageStorageAccounts}${replace(resourceBaseNameFinal, '-', '')}'
 location: location
@@ -273,7 +269,7 @@ module storage 'core/storage/storage.bicep' = {
 }
 module apim 'core/apim/apim.bicep' = {
- name: 'apim'
+ name: 'apim-deployment'
 params: {
 apiManagementName: !empty(apimName) ? apimName : '${abbrs.apiManagementService}${resourceBaseNameFinal}'
 restoreAPIM: restoreAPIM
@@ -292,7 +288,7 @@ module apim 'core/apim/apim.bicep' = {
 }
 module graphragApi 'core/apim/apim.graphrag-documentation.bicep' = {
- name: 'graphrag-api'
+ name: 'graphrag-api-deployment'
 params: {
 apimname: apim.outputs.name
 backendUrl: appUrl
@@ -300,7 +296,7 @@ module graphragApi 'core/apim/apim.graphrag-documentation.bicep' = {
 }
 module workloadIdentity 'core/identity/identity.bicep' = {
- name: 'workload-identity'
+ name: 'workload-identity-deployment'
 params: {
 name: workloadIdentityName
 location: location
@@ -315,7 +311,7 @@ module workloadIdentity 'core/identity/identity.bicep' = {
 }
 module privateDnsZone 'core/vnet/private-dns-zone.bicep' = {
- name: 'private-dns-zone'
+ name: 'private-dns-zone-deployment'
 params: {
 name: dnsDomain
 vnetNames: [
@@ -325,7 +321,7 @@ module privateDnsZone 'core/vnet/private-dns-zone.bicep' = {
 }
 module privatelinkPrivateDns 'core/vnet/privatelink-private-dns-zones.bicep' = if (enablePrivateEndpoints) {
- name: 'privatelink-private-dns-zones'
+ name: 'privatelink-private-dns-zones-deployment'
 params: {
 linkedVnetIds: [
 vnet.id
@@ -334,7 +330,7 @@ module privatelinkPrivateDns 'core/vnet/privatelink-private-dns-zones.bicep' = i
 }
 module azureMonitorPrivateLinkScope 'core/monitor/private-link-scope.bicep' = if (enablePrivateEndpoints) {
- name: 'azure-monitor-privatelink-scope'
+ name: 'azure-monitor-privatelink-scope-deployment'
 params: {
 privateLinkScopeName: 'pls-${resourceBaseNameFinal}'
 privateLinkScopedResources: [
@@ -345,7 +341,7 @@ module azureMonitorPrivateLinkScope 'core/monitor/private-link-scope.bicep' = if
 }
 module cosmosDbPrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enablePrivateEndpoints) {
- name: 'cosmosDb-private-endpoint'
+ name: 'cosmosDb-private-endpoint-deployment'
 params: {
 privateEndpointName: '${abbrs.privateEndpoint}cosmos-${cosmosdb.outputs.name}'
 location: location
@@ -357,7 +353,7 @@ module cosmosDbPrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enablePr
 }
 module blobStoragePrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enablePrivateEndpoints) {
- name: 'blob-storage-private-endpoint'
+ name: 'blob-storage-private-endpoint-deployment'
 params: {
 privateEndpointName: '${abbrs.privateEndpoint}blob-${storage.outputs.name}'
 location: location
@@ -369,7 +365,7 @@ module blobStoragePrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enabl
 }
 module aiSearchPrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enablePrivateEndpoints) {
- name: 'ai-search-private-endpoint'
+ name: 'ai-search-private-endpoint-deployment'
 params: {
 privateEndpointName: '${abbrs.privateEndpoint}search-${aiSearch.outputs.name}'
 location: location
@@ -381,7 +377,7 @@ module aiSearchPrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enablePr
 }
 module privateLinkScopePrivateEndpoint 'core/vnet/private-endpoint.bicep' = if (enablePrivateEndpoints) {
- name: 'privatelink-scope-private-endpoint'
+ name: 'privatelink-scope-private-endpoint-deployment'
 params: {
 privateEndpointName: '${abbrs.privateEndpoint}pls-${resourceBaseNameFinal}'
 location: location