// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
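@description('Kubernetes cluster admin user name.')
param adminUser string = 'azureuser'

@minLength(6)
@maxLength(23)
@description('The base resource name.')
param baseName string = resourceGroup().name

// Defaults to false so that deploying this file by accident creates nothing;
// every resource and output below is gated on it.
@description('Whether to deploy resources. When set to false, this file deploys nothing.')
param deployResources bool = false

// Public half of an SSH key pair: not a secret, so @secure() is intentionally absent.
// The AKS linuxProfile below uses it, so supply a value when deployResources is true.
@description('SSH public key for the AKS node admin user.')
param sshPubKey string = ''

@description('The location of the resource. By default, this is the same as the resource group.')
param location string = resourceGroup().location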
// https://learn.microsoft.com/azure/role-based-access-control/built-in-roles
// Built-in role definition ids are the same in every tenant; they are resolved at
// subscription scope so the same assignments work regardless of resource group.
// AcrPull: pull-only access to a container registry.
var acrPull = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
// Storage Blob Data Reader: read-only access to blob containers and their data.
var blobReader = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')
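// Storage account used as the function app's host storage (AzureWebJobsStorage and the
// content share) and as the scope of blobRoleFunc. The name is derived from baseName so
// it is stable across redeployments into the same resource group.
resource sa 'Microsoft.Storage/storageAccounts@2021-08-01' = if (deployResources) {
  kind: 'StorageV2'
  location: location
  name: 'sa${uniqueString(baseName)}'
  properties: {
    accessTier: 'Hot'
    // No anonymous container/blob access: every reader is either an identity with a
    // role assignment or holds the account key.
    allowBlobPublicAccess: false
    // Require HTTPS and TLS 1.2+ on every request. Shared-key access is left enabled
    // because the function app's connection strings are built with listKeys().
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
  }
  sku: {
    name: 'Standard_LRS'
  }
}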
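// Second storage account, read by the user-assigned identity only (see
// blobRoleUserAssigned); the function app receives its name but no key for it.
resource saUserAssigned 'Microsoft.Storage/storageAccounts@2021-08-01' = if (deployResources) {
  kind: 'StorageV2'
  location: location
  name: 'sa2${uniqueString(baseName)}'
  properties: {
    accessTier: 'Hot'
    // No anonymous container/blob access; access is via the blobReader role assignment.
    allowBlobPublicAccess: false
    // Require HTTPS and TLS 1.2+ on every request.
    minimumTlsVersion: 'TLS1_2'
    supportsHttpsTrafficOnly: true
  }
  sku: {
    name: 'Standard_LRS'
  }
}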
// User-assigned managed identity under test. Its principal is granted AcrPull on the
// registry and blob read on saUserAssigned by the role assignments that follow.
resource usermgdid 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = if (deployResources) {
  name: baseName
  location: location
}
// AcrPull for usermgdid over the whole registry. The 'containerInstance' seed only makes
// the assignment name unique (the name suggests the identity is used by container
// instances started elsewhere); it does not narrow the scope.
resource acrPullContainerInstance 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (deployResources) {
  scope: containerRegistry
  // Role assignment names must be GUIDs and cannot change once created, so the seed
  // is a fixed literal rather than a value that may vary between deployments.
  name: guid(resourceGroup().id, acrPull, 'containerInstance')
  properties: {
    roleDefinitionId: acrPull
    principalType: 'ServicePrincipal'
    // usermgdid does not exist when deployResources is false; the ternary keeps the
    // runtime reference to its properties from being evaluated in that case.
    principalId: deployResources ? usermgdid.properties.principalId : ''
  }
}
// Storage Blob Data Reader for usermgdid, scoped to saUserAssigned only (not to sa).
resource blobRoleUserAssigned 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (deployResources) {
  scope: saUserAssigned
  // usermgdid.id is a resource-id computation, not a runtime lookup, so it needs no
  // deployResources guard here; the principalId below does because it reads properties.
  name: guid(resourceGroup().id, blobReader, usermgdid.id)
  properties: {
    roleDefinitionId: blobReader
    principalType: 'ServicePrincipal'
    principalId: deployResources ? usermgdid.properties.principalId : ''
  }
}
// Storage Blob Data Reader for the function app's system-assigned identity, scoped to
// sa. The user-assigned identity attached to the app is covered by blobRoleUserAssigned.
resource blobRoleFunc 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (deployResources) {
  scope: sa
  name: guid(resourceGroup().id, blobReader, 'azfunc')
  properties: {
    roleDefinitionId: blobReader
    principalType: 'ServicePrincipal'
    // azfunc.identity.principalId is the app's system-assigned principal; guarded because
    // the app is not deployed (and has no identity) when deployResources is false.
    principalId: deployResources ? azfunc.identity.principalId : ''
  }
}
// Basic-tier registry whose name is derived from the resource group id, so it is stable
// per resource group and globally unique enough for a test deployment.
resource containerRegistry 'Microsoft.ContainerRegistry/registries@2023-01-01-preview' = if (deployResources) {
  name: uniqueString(resourceGroup().id)
  location: location
  sku: {
    name: 'Basic'
  }
  properties: {
    // Turns on the registry admin account: one shared username/password with full push
    // and pull rights. usermgdid already gets identity-based pull through
    // acrPullContainerInstance, so this is presumably for pushing images from a pipeline
    // step without an identity — TODO confirm it is still needed and disable it otherwise.
    adminUserEnabled: true
  }
}
// Dedicated B1 App Service plan that hosts azfunc (the function app sets alwaysOn, which
// presumably is why a dedicated rather than consumption plan is used).
resource farm 'Microsoft.Web/serverfarms@2021-03-01' = if (deployResources) {
  name: '${baseName}_asp'
  location: location
  kind: 'app'
  sku: {
    tier: 'Basic'
    name: 'B1'
    size: 'B1'
    family: 'B'
    capacity: 1
  }
  properties: {}
}
// Function app exercised by the tests. It carries both a system-assigned identity
// (granted blobReader on sa by blobRoleFunc) and the user-assigned identity usermgdid,
// so code inside the app can exercise either credential path.
resource azfunc 'Microsoft.Web/sites@2021-03-01' = if (deployResources) {
  identity: {
    type: 'SystemAssigned, UserAssigned'
    userAssignedIdentities: {
      // The key is the identity's resource id. The ternary yields '' when
      // deployResources is false, because the identity does not exist then.
      '${deployResources ? usermgdid.id : ''}': {}
    }
  }
  kind: 'functionapp'
  location: location
  name: '${baseName}func'
  properties: {
    enabled: true
    // Plain-HTTP requests are redirected; together with minTlsVersion below this leaves
    // only TLS 1.2+ endpoints reachable.
    httpsOnly: true
    // Key Vault references in app settings are resolved with the system-assigned identity.
    keyVaultReferenceIdentity: 'SystemAssigned'
    serverFarmId: farm.id
    siteConfig: {
      alwaysOn: true
      appSettings: [
        // AZIDENTITY_* settings pass resource names/ids into the app; presumably the test
        // handler reads them — verify against the test source. Each falls back to null
        // (setting absent) when deployResources is false so the references are not
        // evaluated for resources that were not deployed.
        {
          name: 'AZIDENTITY_STORAGE_NAME'
          value: deployResources ? sa.name : null
        }
        {
          name: 'AZIDENTITY_STORAGE_NAME_USER_ASSIGNED'
          value: deployResources ? saUserAssigned.name : null
        }
        {
          name: 'AZIDENTITY_USER_ASSIGNED_IDENTITY'
          value: deployResources ? usermgdid.id : null
        }
        // Host storage connection string. listKeys() embeds the storage account key in
        // the app settings, where it is readable by anyone who can list the site's
        // configuration. NOTE(review): identity-based host storage
        // (AzureWebJobsStorage__accountName plus the matching data-plane roles for the
        // app's identity) would avoid the shared key — confirm the test flow does not
        // depend on the key before switching.
        {
          name: 'AzureWebJobsStorage'
          value: 'DefaultEndpointsProtocol=https;AccountName=${deployResources ? sa.name : ''};EndpointSuffix=${deployResources ? environment().suffixes.storage : ''};AccountKey=${deployResources ? sa.listKeys().keys[0].value : ''}'
        }
        {
          name: 'FUNCTIONS_EXTENSION_VERSION'
          value: '~4'
        }
        // Custom handler runtime: the app is served by its own executable rather than a
        // language worker.
        {
          name: 'FUNCTIONS_WORKER_RUNTIME'
          value: 'custom'
        }
        // Azure Files share holding the app content; same account and key as above.
        {
          name: 'WEBSITE_CONTENTAZUREFILECONNECTIONSTRING'
          value: 'DefaultEndpointsProtocol=https;AccountName=${deployResources ? sa.name : ''};EndpointSuffix=${deployResources ? environment().suffixes.storage : ''};AccountKey=${deployResources ? sa.listKeys().keys[0].value : ''}'
        }
        {
          name: 'WEBSITE_CONTENTSHARE'
          value: toLower('${baseName}-func')
        }
      ]
      http20Enabled: true
      minTlsVersion: '1.2'
    }
  }
}
// AKS cluster for the workload identity tests: the OIDC issuer and the workload identity
// feature are both enabled, which is what lets a pod's projected service account token be
// exchanged for an Azure AD token (presumably the scenario the tests cover).
resource aks 'Microsoft.ContainerService/managedClusters@2023-06-01' = if (deployResources) {
  name: baseName
  location: location
  identity: {
    // Control-plane identity of the cluster itself.
    type: 'SystemAssigned'
  }
  properties: {
    dnsPrefix: 'identitytest'
    // Kubernetes RBAC is on; authorization inside the cluster is not wide open.
    enableRBAC: true
    // One small system node pool with autoscaling off, so the footprint is fixed.
    agentPoolProfiles: [
      {
        name: 'agentpool'
        mode: 'System'
        type: 'VirtualMachineScaleSets'
        count: 1
        enableAutoScaling: false
        vmSize: 'Standard_D2s_v3'
        osType: 'Linux'
        osSKU: 'Ubuntu'
        osDiskType: 'Managed'
        osDiskSizeGB: 128
        kubeletDiskType: 'OS'
      }
    ]
    linuxProfile: {
      // Node SSH login for adminUser uses the supplied public key.
      adminUsername: adminUser
      ssh: {
        publicKeys: [
          {
            // sshPubKey defaults to '' — provide a real key when deploying.
            keyData: sshPubKey
          }
        ]
      }
    }
    oidcIssuerProfile: {
      enabled: true
    }
    securityProfile: {
      workloadIdentity: {
        enabled: true
      }
    }
  }
}
// Values presumably consumed by the test harness: names, resource ids, a login server
// and a client id. None of them is a secret. Every output collapses to '' when
// deployResources is false so that no reference to an undeployed resource is evaluated.
output AZIDENTITY_ACR_LOGIN_SERVER string = deployResources ? containerRegistry.properties.loginServer : ''
output AZIDENTITY_ACR_NAME string = deployResources ? containerRegistry.name : ''
output AZIDENTITY_AKS_NAME string = deployResources ? aks.name : ''
output AZIDENTITY_FUNCTION_NAME string = deployResources ? azfunc.name : ''
output AZIDENTITY_STORAGE_ID string = deployResources ? sa.id : ''
output AZIDENTITY_STORAGE_NAME string = deployResources ? sa.name : ''
output AZIDENTITY_STORAGE_NAME_USER_ASSIGNED string = deployResources ? saUserAssigned.name : ''
output AZIDENTITY_USER_ASSIGNED_IDENTITY string = deployResources ? usermgdid.id : ''
// The client id is a public identifier that selects the identity; it is not a credential.
output AZIDENTITY_USER_ASSIGNED_IDENTITY_CLIENT_ID string = deployResources ? usermgdid.properties.clientId : ''
output AZIDENTITY_USER_ASSIGNED_IDENTITY_NAME string = deployResources ? usermgdid.name : ''