• Switch to new RBAC model
• Change any existing access policies defined in Bicep
• Change any existing access policies defined in CI/CD

Describe the bug
An error is occurring when the Java app smoke test step runs in the scheduled CI/CD

time="2022-01-10T10:32:43Z" level=info msg="Using managed identity extension to retrieve access token for Azure API."
time="2022-01-10T10:32:43Z" level=info msg="Resolving to user assigned identity, client id is ***REDACTED***."
time="2022-01-10T10:32:48Z" level=error msg="azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscript
ions/***REDACTED***/resourceGroups/***REDACTED***/providers/Microsoft.Network/dnsZones?api-version=2018-05-01: StatusCode=0 -- Original Error: the MSI
endpoint is not available. Failed HTTP request to MSI endpoint: Get \"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01\": dial tcp 169.254.1
69.254:80: i/o timeout"

To Reproduce
Re-Run the action : https://github.com/Azure/Aks-Construction/runs/4760776084?check_suite_focus=true

Plan

1. Strap up the External DNS Verification step to throw an error
   

Hello,

When tried to create cluster with auto-upgrade feature it didn't work resulting in:
{"error":{"code":"InvalidTemplateDeployment","message":"The template deployment 'main' is not valid according to the validation procedure. The tracking id is '704c144a-8d29-4a66-9cea-f58a8df88f96'. See inner errors for details.","details":[{"code":"BadRequest","message":"Provisioning of resource(s) for container service aks-az-k8s-7qkc in resource group az-k8s-7qkc-rg failed. Message: {\n \"code\": \"BadRequest\",\n \"message\": \"Feature Microsoft.ContainerService/AutoUpgradePreview is not enabled. Please see https://aka.ms/aks/previews for how to enable features.\"\n }. Details: "}]}}

It's worth to add note "Ensure you register for this preview feature here"

Is your feature request related to a problem? Please describe.
Deploying to Ent Scale context where landing zone subs are restricted to UK South/West causes an error since ACR agent pools are not in UK yet while the feature is in preview.

Describe the solution you'd like
A parameter to disable ACR agent pool deployment

Describe alternatives you've considered
Deploying to sandbox mgmt group however they want to deploy for prod use.

Describe the bug
The AZ Login and AZ CLI GitHub actions have started failing due to a problem with the latest AZ CLI Version

Reference Issues
Azure/login#162
Azure/cli#56

Suggestion
Move away from the azcliversion: latest to specifically pinning to a specific (working) azcliversion.

Additional context
https://mcr.microsoft.com/v2/azure-cli/tags/list

I have the latest version of the az preview installed in my command window. When I try to deploy a cluster using this tool, here is the full error:

{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations forusage details.","details":[{"code":"BadRequest","message":"{\r\n "code": "AzureKeyvaultSecretsProviderAddonFeatureFlagNotEnabled",\r\n "message": "AzureKeyvaultSecretsProvider addon is not allowed since feature 'Microsoft.ContainerService/AKS-AzureKeyVaultSecretsProvider' is not enabled. Please see https://aka.ms/aks/previews for how to enable features."\r\n}"}]}}

My key vault provider is enabled in my subscription. Is there anything else I need to enable?

Larry

Describe the bug
When selecting "Add current IP to KeyVault firewall", the deployment script returns a error:

Bad JSON content found in the request. Error converting value \"xxx.xxx.xx.xx/32\" to type 'Microsoft.KeyVault.ResourceProvider.ApiModel.IPRule'. Path 'properties.networkAcls.ipRules[0]

To Reproduce
Steps to reproduce the behavior:

1. Go to helper
2. Click on "I prefer control & community open source solutions", & "Private cluster with isolating networking controls"
3. Copy the script and run in WSL
4. See error above

Reporting error on behalf of KH.

Only other issue I ran into was a 20 character limit on the resource name.

Describe the bug
GitHub secrets cannot be used in workflows which were triggered from a fork.

This means our various action workflows that check for quality by logging into Azure won't work.

To Reproduce

1. Fork the repo
2. Make a change
3. PR
4. Watch for error

Desired behaviour
Forked repo PR's to undergo a level of build validation

Test case

1. Run the template to create the resources in Azure.
2. Manually delete the AKS resource
3. See that the AKS Kubelet / AppGW role assignments are still left on resources such as the RG and ACR
4. Run the template again. Observe the error.

Need to accomodate this circumstance by naming the roleassignment from the prinicipal id, and not by resource names.

Describe the solution you'd like
For some preset configurations, we should have AZ's as being the default.
There are some warnings we need to make in the UI around this.

• VM SKU restrictions
• Interpod affinity and anti-affinity
• Managed disk considerations

• Add deny all policies to a manifest reference folder in this repo
• Add checkbox to the Helper UI, and generate the kubectl apply bash script
• Implement east-west deny all by default in the PrivateCluster sample GitHub action workflows
• Write a test (Playwright?) to make sure pod to pod communication happens.
• Make sure the smoke test sample apps still work

Add parameter to enable ACR Content Trust capability

Describe the bug
Error:

"Resource /subscriptions//resourceGroups/az-k8s-25pp-rg/providers/Microsoft.Network/publicIPAddresses/pip-bas-az-k8s-25pp has 3 zones specified. Only one zone can be specified for this resource."

To Reproduce
I created an AKS cluster, using this construction set, in West Europe.
Chose multi-AZ deployment.
Got the above error even though West Europe has 3 AZs and a Standard PIP can be multi-AZ.

Expected behavior
Should create a multi-AZ std lb with no error

Setting up custom Networking does not reflect changes for generated CLI commands.

Describe the bug
When choosing a simple cluster with no additional access limitations in the Wizard, the full options around Application Gateway are hidden.

To Reproduce
Steps to reproduce the behavior:

1. Go to https://azure.github.io/Aks-Construction/
2. Choose simple cluster with no additional access limitations
3. click Addon Details
4. Click on AppGw with WAF option for Ingress

Expected behavior

Is your feature request related to a problem? Please describe.
Enable Defender profile on most secure cluster, covering AKS, ACR and AKV

Describe the solution you'd like
Add following option in AKS resource template , and a UI checkbox, defaulted to true on most secure cluster

    "securityProfile": {
                      "azureDefender": {
                        "enabled": true,
                        "logAnalyticsWorkspaceResourceId": "[parameters('workspaceResourceId')]"
                      }
                    }

ref: https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable?tabs=aks-deploy-arm%2Ck8s-deploy-asc%2Ck8s-verify-asc%2Ck8s-remove-arc%2Caks-removeprofile-api&pivots=defender-for-container-aks#deploy-the-defender-profile

Some customers will leverage AKS Construction, not needing an Azure Container Registry.
We could take the ResourceId for the ACR, and apply the correct RoleAssignment to save that being done separately.

Is your feature request related to a problem? Please describe.
Because of the parameterised nature of the bicep template - there's an ever increasing set of possible parameter options. We need to have better visibility of where there could be a regression problem, without the burden of creating a new GitHub action workflow for each.

Describe the solution you'd like
A single workflow action that processes multiple parameter files in a specific directory.

In line with Well Architected Framework, the Key Vault should be able to have soft delete and purge protection enabled.

Is your feature request related to a problem? Please describe.
Feature

Describe the solution you'd like
In a GitHub workflow, demonstrate an automated example of end to end TLS with DNS.

Provide a list of AZ commands to enable the preview features in the Wizard config.
eg az feature register --namespace "Microsoft.ContainerService" --name "AKS-AzureKeyVaultSecretsProvider"

As per the AKS Secure Baseline, Key Vault should log diagnostic settings for AllMetrics

Moving to the IAM KeyVault model has introduced a problem in the CICD pipeline where we give the Pipeline service principal an access policy on the KeyVault in order to add certificates.

ERROR: Cannot set policies to a vault with '--enable-rbac-authorization' specified

Expected behaviour
A clear and concise description of what you expected to happen.

Screenshots

Additional context
error.

Is your feature request related to a problem? Please describe.
The current bicep code keeps the configuration of the system pools in a variable (not parameter).

Describe the solution you'd like
For some environments, to be able to deviate from a recommended system pool preset and to use one of custom specification.

Currently the Azure Firewall Rules are using setup on the AzFw resource as classic rules

Describe the solution you'd like
To leverage the Firewall policy and ruleCollectionGroups resources, which abstract the rules out of the AzFw and into new sub RP's.
This provides a better initial experience for customers who want to build on the default config, rather than starting with classic rules that then get migrated to the newer experience.

Additional context

A RuleCollectionGroup is a new top-level grouping for rule collections for future extensibility. Using the above defaults is recommended and is done automatically from the Portal.

I think we need to allow the user to specify if they'd like to open up inbound internet access to their cluster/ingress point.

Describe the bug
Starting to see, more and more this problem of the connection to the K8S endpoint being refused.
Think we need to add some retry logic, as well as some more debugging.

Run kubectl create namespace $NAMESP --dry-run=client -o yaml | kubectl apply -f -
The connection to the server byo-dns-78594b60.hcp.westeurope.azmk8s.io:443 was refused - did you specify the right host or port?
Error: Process completed with exit code 1.

Additional context
Error

Describe the bug
I created a cluster using the bicep files with the following parameters

agentCount=2
JustUseSystemPool=true
agentVMSize=Standard_DS3_v2

The resulting cluster had one system nodepool called npsystem, with just 1 node

Expected behavior
I would expect 2 nodes

We need additional guidance for forkers.
The bicep compile operation needs to happen in their fork, and the main.json needs to be included as part of their PR.

We need code or just normal guidance to make this clear/happen.

As a day1 user of the project, it's overwhelming to start working with a large pipeline as a "basic example".

Naming currently is prefixed with 'vnet'

Describe the solution you'd like
Align with CAF naming recommendations

• Add a user pool

"I prefer control & commuity opensource soltuions" -> solutions

Fixed in #73

Is your feature request related to a problem? Please describe.
New feature

Describe the solution you'd like
A sample GitHub action pipeline that runs from the application perspective.
To demonstrate updating application (through helm) and updating/cycling certificates (kv/appgw).

As a new user I want to be able to perform the configuration in the wizard over several sessions involving different stakeholders. To do this i need to persist the configuration state.

As a veteran user, i want to be able to update my existing configuration with new features.

Describe the solution you'd like
CodeQL provides out of the box vulnerability scanning

Additional context
https://codeql.github.com/

• Site: https://51.124.150.164
  New Alerts

  • HTTP Only Site [10106] total: 1:
    • http://51.124.150.164/

• Site: http://51.124.150.164
  New Alerts

  • Server Leaks Version Information via "Server" HTTP Response Header Field [10036] total: 6:
    • http://51.124.150.164/sitemap.xml
    • http://51.124.150.164/robots.txt
    • http://51.124.150.164/static/default.css
    • http://51.124.150.164/
    • http://51.124.150.164/
    • ..
  • Absence of Anti-CSRF Tokens [10202] total: 2:
    • http://51.124.150.164
    • http://51.124.150.164/
  • User Agent Fuzzer [10104] total: 7:
    • http://51.124.150.164/static
    • http://51.124.150.164/static
    • http://51.124.150.164/static
    • http://51.124.150.164/static
    • http://51.124.150.164/static
    • ..
  • Content Security Policy (CSP) Header Not Set [10038] total: 5:
    • http://51.124.150.164/robots.txt
    • http://51.124.150.164
    • http://51.124.150.164/sitemap.xml
    • http://51.124.150.164/
    • http://51.124.150.164/
  • Anti-CSRF Tokens Check [20012] total: 2:
    • http://51.124.150.164
    • http://51.124.150.164/
  • X-Frame-Options Header Not Set [10020] total: 2:
    • http://51.124.150.164/
    • http://51.124.150.164
  • X-Content-Type-Options Header Missing [10021] total: 3:
    • http://51.124.150.164
    • http://51.124.150.164/
    • http://51.124.150.164/static/default.css
  • Apache Range Header DoS (CVE-2011-3192) [10053] total: 1:
    • http://51.124.150.164/static/default.css
  • Modern Web Application [10109] total: 2:
    • http://51.124.150.164
    • http://51.124.150.164/

View the following link to download the report.
RunnerID:1237490406

Add new parameter to createLA MetricAlerts #securebaseline
Default parameter to false

Add new parameter for Metric Frequency, extend default

Is your feature request related to a problem? Please describe.
A recent PR that was raised #133 shows wanting to be more deliberate in the resource naming.

Describe the solution you'd like
A better demonstration of how the AKS Construction adhers to the Cloud Adoption Framework naming convention, and showing how to better name the created resources.

Is your feature request related to a problem? Please describe.
The existing CICD Sample sleeps for an arbitrary about of time, often longer than is needed.

Describe the solution you'd like
Within a loop, check the endpoint status more frequently.

(v1.1)
"sslPolicy": {
"policyType": "Predefined",
"policyName": "AppGwSslPolicy20170401"
}

(v1.2)
"sslPolicy": {
"policyType": "Predefined",
"policyName": "AppGwSslPolicy20170401S"
}

The automation around the stale-bot needs to be investigated/tweaked/tested.
Might be worth throwing the action away and writing our own one. chatops

Current behaviour
The stale bot is ignoring updates to issues and just closing them down 7 days after a label is added.

Expected behaviour
An update to an issue will prevent the stale bot from closing

Additional context
ref

Need some documentation/guidance for users to start following when it comes to GitHub Actions Workflow onboarding.

• Site: https://52.157.223.200
  New Alerts

  • HTTP Only Site [10106] total: 1:
    • http://52.157.223.200/

• Site: http://52.157.223.200
  New Alerts

  • Content Security Policy (CSP) Header Not Set [10038] total: 5:
    • http://52.157.223.200/sitemap.xml
    • http://52.157.223.200/
    • http://52.157.223.200
    • http://52.157.223.200/robots.txt
    • http://52.157.223.200/
  • X-Content-Type-Options Header Missing [10021] total: 3:
    • http://52.157.223.200/
    • http://52.157.223.200
    • http://52.157.223.200/static/default.css
  • User Agent Fuzzer [10104] total: 7:
    • http://52.157.223.200/static
    • http://52.157.223.200/static
    • http://52.157.223.200/static
    • http://52.157.223.200/static
    • http://52.157.223.200/static
    • ..
  • X-Frame-Options Header Not Set [10020] total: 2:
    • http://52.157.223.200
    • http://52.157.223.200/
  • Modern Web Application [10109] total: 2:
    • http://52.157.223.200/
    • http://52.157.223.200
  • Server Leaks Version Information via "Server" HTTP Response Header Field [10036] total: 6:
    • http://52.157.223.200/sitemap.xml
    • http://52.157.223.200/
    • http://52.157.223.200/robots.txt
    • http://52.157.223.200/
    • http://52.157.223.200/static/default.css
    • ..
  • Anti-CSRF Tokens Check [20012] total: 2:
    • http://52.157.223.200
    • http://52.157.223.200/
  • Absence of Anti-CSRF Tokens [10202] total: 2:
    • http://52.157.223.200
    • http://52.157.223.200/
  • Apache Range Header DoS (CVE-2011-3192) [10053] total: 1:
    • http://52.157.223.200/static/default.css

View the following link to download the report.
RunnerID:1241363096

There are several typos throughout the project. Cleaning these up would, in one case, resolve a bug; and in other instances, enhance readability.

• Site: https://20.93.227.28
  New Alerts

  • HTTP Only Site [10106] total: 1:
    • http://20.93.227.28/

• Site: http://20.93.227.28
  New Alerts

  • Server Leaks Version Information via "Server" HTTP Response Header Field [10036] total: 6:
    • http://20.93.227.28/sitemap.xml
    • http://20.93.227.28/static/default.css
    • http://20.93.227.28/robots.txt
    • http://20.93.227.28/
    • http://20.93.227.28/
    • ..
  • Absence of Anti-CSRF Tokens [10202] total: 2:
    • http://20.93.227.28
    • http://20.93.227.28/
  • Modern Web Application [10109] total: 2:
    • http://20.93.227.28
    • http://20.93.227.28/
  • Content Security Policy (CSP) Header Not Set [10038] total: 5:
    • http://20.93.227.28
    • http://20.93.227.28/
    • http://20.93.227.28/sitemap.xml
    • http://20.93.227.28/robots.txt
    • http://20.93.227.28/
  • Anti-CSRF Tokens Check [20012] total: 2:
    • http://20.93.227.28
    • http://20.93.227.28/
  • User Agent Fuzzer [10104] total: 7:
    • http://20.93.227.28/static
    • http://20.93.227.28/static
    • http://20.93.227.28/static
    • http://20.93.227.28/static
    • http://20.93.227.28/static
    • ..
  • X-Content-Type-Options Header Missing [10021] total: 3:
    • http://20.93.227.28
    • http://20.93.227.28/
    • http://20.93.227.28/static/default.css
  • X-Frame-Options Header Not Set [10020] total: 2:
    • http://20.93.227.28/
    • http://20.93.227.28

View the following link to download the report.
RunnerID:1245766643

Is your feature request related to a problem? Please describe.
Need to reduce some of the duplicate code deploying the sample apps.
GitHub Reusable Workflows whilst in beta, provide a nice route to doing this.

Describe the solution you'd like
GitHub reusable workflows to be leveraged where appropriate.