Azure · AlexanderSehr · Jul 28, 2023 · Jul 27, 2023 · Jul 27, 2023 · Jul 27, 2023
@@ -75,7 +75,7 @@ module testDeployment '../../main.bicep' = {
     primaryAgentPoolProfile: [
       {
         availabilityZones: [
-          '1'
+          '3'
         ]
         count: 1
         enableAutoScaling: true
@@ -96,7 +96,7 @@ module testDeployment '../../main.bicep' = {
     agentPools: [
       {
         availabilityZones: [
-          '1'
+          '3'
         ]
         count: 2
         enableAutoScaling: true
@@ -122,7 +122,7 @@ module testDeployment '../../main.bicep' = {
       }
       {
         availabilityZones: [
-          '1'
+          '3'
         ]
         count: 2
         enableAutoScaling: true

@@ -67,7 +67,7 @@ module testDeployment '../../main.bicep' = {
     primaryAgentPoolProfile: [
       {
         availabilityZones: [
-          '1'
+          '3'
         ]
         count: 1
         enableAutoScaling: true
@@ -87,7 +87,7 @@ module testDeployment '../../main.bicep' = {
     agentPools: [
       {
         availabilityZones: [
-          '1'
+          '3'
         ]
         count: 2
         enableAutoScaling: true
@@ -111,7 +111,7 @@ module testDeployment '../../main.bicep' = {
       }
       {
         availabilityZones: [
-          '1'
+          '3'
         ]
         count: 2
         enableAutoScaling: true

@@ -29,3 +29,11 @@ module min 'min/main.test.bicep' = {
     namePrefix: namePrefix
   }
 }
+
+// TEST 4 - Private AKS Cluster
+module priv 'priv/main.test.bicep' = {
+  name: '${uniqueString(deployment().name)}-priv-test'
+  params: {
+    namePrefix: namePrefix
+  }
+}
@@ -0,0 +1,87 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The Private DNS Zone Name to create for Private AKS Cluster.')
+param privateDnsZoneName string
+
+@description('Required. The Name of the Virtual Network to create.')
+param virtualNetworkName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
+    name: managedIdentityName
+    location: location
+}
+
+resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+    name: privateDnsZoneName
+    location: 'global'
+}
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = {
+    name: virtualNetworkName
+    location: location
+    properties: {
+        addressSpace: {
+            addressPrefixes: [
+                addressPrefix
+            ]
+        }
+        subnets: [
+            {
+                name: 'defaultSubnet'
+                properties: {
+                    addressPrefix: addressPrefix
+                }
+            }
+        ]
+    }
+}
+
+resource privateDNSZoneVNetLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
+    name: 'pDnsLink-${virtualNetworkName}-${privateDnsZoneName}'
+    location: 'global'
+    parent: privateDnsZone
+    properties: {
+        registrationEnabled: true
+        virtualNetwork: {
+            id: virtualNetwork.id
+        }
+    }
+}
+
+resource msiVnetRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+    name: guid(resourceGroup().id, 'NetworkContributor', managedIdentity.id)
+    scope: virtualNetwork
+    properties: {
+        principalId: managedIdentity.properties.principalId
+        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') // Network Contributor
+        principalType: 'ServicePrincipal'
+    }
+}
+
+resource msiPrivDnsZoneRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+    name: guid(resourceGroup().id, 'PrivateDNSZoneContributor', managedIdentity.id)
+    scope: privateDnsZone
+    properties: {
+        principalId: managedIdentity.properties.principalId
+        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f') // Private DNS Zone Contributor
+        principalType: 'ServicePrincipal'
+    }
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the private DNS Zone created.')
+output privateDnsZoneResourceId string = privateDnsZone.id
+
+@description('The resource ID of the VirtualNetwork created.')
+output vNetResourceId string = virtualNetwork.id
@@ -0,0 +1,159 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.containerservice.managedclusters-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'csmpriv'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '[[namePrefix]]'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = {
+  name: resourceGroupName
+  location: location
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-nestedDependencies'
+  params: {
+    managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+    privateDnsZoneName: 'privatelink.${location}.azmk8s.io'
+    virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+  }
+}
+
+// Diagnostics
+// ===========
+module diagnosticDependencies '../../../../.shared/.templates/diagnostic.dependencies.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-diagnosticDependencies'
+  params: {
+    storageAccountName: 'dep${namePrefix}diasa${serviceShort}01'
+    logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}'
+    eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}'
+    eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'
+    location: location
+  }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../main.bicep' = {
+  scope: resourceGroup
+  name: '${uniqueString(deployment().name, location)}-test-${serviceShort}'
+  params: {
+    enableDefaultTelemetry: enableDefaultTelemetry
+    name: '${namePrefix}${serviceShort}001'
+    enablePrivateCluster: true
+    primaryAgentPoolProfile: [
+      {
+        availabilityZones: [
+          '3'
+        ]
+        count: 1
+        enableAutoScaling: true
+        maxCount: 3
+        maxPods: 30
+        minCount: 1
+        mode: 'System'
+        name: 'systempool'
+        osDiskSizeGB: 0
+        osType: 'Linux'
+        serviceCidr: ''
+        storageProfile: 'ManagedDisks'
+        type: 'VirtualMachineScaleSets'
+        vmSize: 'Standard_DS2_v2'
+        vnetSubnetID: '${nestedDependencies.outputs.vNetResourceId}/subnets/defaultSubnet'
+      }
+    ]
+    agentPools: [
+      {
+        availabilityZones: [
+          '3'
+        ]
+        count: 2
+        enableAutoScaling: true
+        maxCount: 3
+        maxPods: 30
+        minCount: 1
+        minPods: 2
+        mode: 'User'
+        name: 'userpool1'
+        nodeLabels: {}
+        nodeTaints: [
+          'CriticalAddonsOnly=true:NoSchedule'
+        ]
+        osDiskSizeGB: 128
+        osType: 'Linux'
+        scaleSetEvictionPolicy: 'Delete'
+        scaleSetPriority: 'Regular'
+        storageProfile: 'ManagedDisks'
+        type: 'VirtualMachineScaleSets'
+        vmSize: 'Standard_DS2_v2'
+        vnetSubnetID: '${nestedDependencies.outputs.vNetResourceId}/subnets/defaultSubnet'
+      }
+      {
+        availabilityZones: [
+          '3'
+        ]
+        count: 2
+        enableAutoScaling: true
+        maxCount: 3
+        maxPods: 30
+        minCount: 1
+        minPods: 2
+        mode: 'User'
+        name: 'userpool2'
+        nodeLabels: {}
+        nodeTaints: [
+          'CriticalAddonsOnly=true:NoSchedule'
+        ]
+        osDiskSizeGB: 128
+        osType: 'Linux'
+        scaleSetEvictionPolicy: 'Delete'
+        scaleSetPriority: 'Regular'
+        storageProfile: 'ManagedDisks'
+        type: 'VirtualMachineScaleSets'
+        vmSize: 'Standard_DS2_v2'
+      }
+    ]
+    aksClusterNetworkPlugin: 'azure'
+    aksClusterSkuTier: 'Standard'
+    aksClusterDnsServiceIP: '10.10.200.10'
+    aksClusterServiceCidr: '10.10.200.0/24'
+    diagnosticLogsRetentionInDays: 7
+    diagnosticStorageAccountId: diagnosticDependencies.outputs.storageAccountResourceId
+    diagnosticWorkspaceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId
+    diagnosticEventHubAuthorizationRuleId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId
+    diagnosticEventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName
+    privateDNSZone: nestedDependencies.outputs.privateDnsZoneResourceId
+    userAssignedIdentities: {
+      '${nestedDependencies.outputs.managedIdentityResourceId}': {}
+    }
+    tags: {
+      Environment: 'Non-Prod'
+      Role: 'DeploymentValidation'
+    }
+  }
+}