cleanup deployment code (#5)

Author: jgbradley1

infra/abbreviations.json

@@ -104,6 +104,7 @@
   "operationalInsightsWorkspaces": "log-",
   "portalDashboards": "dash-",
   "powerBIDedicatedCapacities": "pbi-",
+  "privateEndpoint": "pep-",
   "purviewAccounts": "pview-",
   "recoveryServicesVaults": "rsv-",
   "resourcesResourceGroups": "rg-",
@@ -133,4 +134,4 @@
   "webSitesAppServiceEnvironment": "ase-",
   "webSitesFunctions": "func-",
   "webStaticSites": "stapp-"
-***REMOVED***
+***REMOVED***

infra/core/ai-search/ai-search.bicep

@@ -17,14 +17,10 @@ resource aiSearch 'Microsoft.Search/searchServices@2024-03-01-preview' = {
     name: 'standard'
   ***REMOVED***
   properties: {
-    authOptions: {
-      aadOrApiKey: {
-        aadAuthFailureMode: 'http401WithBearerChallenge'
-      ***REMOVED***
-    ***REMOVED***
+    disableLocalAuth: true
     replicaCount: 1
     partitionCount: 1
-    publicNetworkAccess: 'Enabled'
+    publicNetworkAccess: 'disabled'
     semanticSearch: 'disabled'
   ***REMOVED***
 ***REMOVED***
@@ -37,4 +33,5 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
   ***REMOVED***
 ]
 
+output id string = aiSearch.id
 output name string = aiSearch.name

infra/core/aks/aks.bicep

@@ -13,7 +13,7 @@ param logAnalyticsWorkspaceId string
 @description('The auto-upgrade profile.')
 param autoUpgradeProfile object = {
   nodeOsUpgradeChannel: 'NodeImage'
-  upgradeChannel: 'patch'
+  upgradeChannel: 'node-image'
 ***REMOVED***
 
 @description('Optional DNS prefix to use with hosted Kubernetes API server FQDN.')
@@ -27,7 +27,7 @@ param systemOsDiskSizeGB int = 128
 @description('The number of nodes for the system node pool.')
 @minValue(1)
 @maxValue(50)
-param systemNodeCount int = 3
+param systemNodeCount int = 1
 
 @description('The size of the system Virtual Machine.')
 param systemVMSize string = 'standard_d4s_v5'
@@ -73,34 +73,25 @@ resource aks 'Microsoft.ContainerService/managedClusters@2023-10-01' = {
     agentPoolProfiles: [
       {
         name: 'agentpool'
-        osDiskSizeGB: systemOsDiskSizeGB
-        count: systemNodeCount
-        vmSize: systemVMSize
-        osType: 'Linux'
-        mode: 'System'
-        enableEncryptionAtHost: enableEncryptionAtHost
-        vnetSubnetID: vnetSubnetIdVar
-      ***REMOVED***
-      {
-        name: 'graphrag'
         enableAutoScaling: true
+        upgradeSettings: {
+          maxSurge: '50%'
+        ***REMOVED***
         minCount: 1
         maxCount: 10
         osDiskSizeGB: systemOsDiskSizeGB
-        count: graphragNodeCount
-        vmSize: graphragVMSize
+        count: systemNodeCount
+        vmSize: systemVMSize
         osType: 'Linux'
-        mode: 'User'
+        mode: 'System'
         enableEncryptionAtHost: enableEncryptionAtHost
         vnetSubnetID: vnetSubnetIdVar
-        nodeLabels: {
-          workload: 'graphrag'
-        ***REMOVED***
-        tags: {
-          workload: 'graphrag'
-        ***REMOVED***
+        type: 'VirtualMachineScaleSets'
       ***REMOVED***
     ]
+    autoScalerProfile: {
+      expander: 'least-waste'
+    ***REMOVED***
     linuxProfile: {
       adminUsername: linuxAdminUsername
       ssh: {
@@ -125,6 +116,68 @@ resource aks 'Microsoft.ContainerService/managedClusters@2023-10-01' = {
       ***REMOVED***
     ***REMOVED***
   ***REMOVED***
+
+  resource graphragNodePool 'agentPools@2024-02-01' = {
+    name: 'graphrag'
+    properties: {
+      enableAutoScaling: true
+      upgradeSettings: {
+        maxSurge: '50%'
+      ***REMOVED***
+      minCount: 1
+      maxCount: 10
+      osDiskSizeGB: systemOsDiskSizeGB
+      count: graphragNodeCount
+      vmSize: graphragVMSize
+      osType: 'Linux'
+      mode: 'User'
+      enableEncryptionAtHost: enableEncryptionAtHost
+      vnetSubnetID: vnetSubnetIdVar
+      nodeLabels: {
+        workload: 'graphrag'
+      ***REMOVED***
+      tags: {
+        workload: 'graphrag'
+      ***REMOVED***
+      type: 'VirtualMachineScaleSets'
+    ***REMOVED***
+  ***REMOVED***
+***REMOVED***
+
+resource aksManagedAutoUpgradeSchedule 'Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2024-03-02-preview' = {
+  parent: aks
+  name: 'aksManagedAutoUpgradeSchedule'
+  properties: {
+    maintenanceWindow: {
+      schedule: {
+        weekly: {
+          intervalWeeks: 1
+          dayOfWeek: 'Sunday'
+        ***REMOVED***
+      ***REMOVED***
+      durationHours: 4
+      startDate: '2024-06-11'
+      startTime: '12:00'
+    ***REMOVED***
+  ***REMOVED***
+***REMOVED***
+
+resource aksManagedNodeOSUpgradeSchedule 'Microsoft.ContainerService/managedClusters/maintenanceConfigurations@2024-03-02-preview' = {
+  parent: aks
+  name: 'aksManagedNodeOSUpgradeSchedule'
+  properties: {
+    maintenanceWindow: {
+      schedule: {
+        weekly: {
+          intervalWeeks: 1
+          dayOfWeek: 'Saturday'
+        ***REMOVED***
+      ***REMOVED***
+      durationHours: 4
+      startDate: '2024-06-11'
+      startTime: '12:00'
+    ***REMOVED***
+  ***REMOVED***
 ***REMOVED***
 
 output name string = aks.name

infra/core/apim/apim.bicep

@@ -440,15 +440,19 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
   location: location
   kind: 'web'
   properties: {
-    Application_Type:'web'
+    Application_Type: 'web'
     WorkspaceResourceId: logAnalyticsWorkspaceId
+    publicNetworkAccessForIngestion: 'Disabled'
+    publicNetworkAccessForQuery: 'Enabled'
   ***REMOVED***
 ***REMOVED***
 
 output apimIPs array = apiManagementService.properties.publicIPAddresses
 output apimGatewayUrl string = apiManagementService.properties.gatewayUrl
 output appInsightsName string = appInsights.name
+output appInsightsId string = appInsights.id
 output name string = apiManagementService.name
 output vnetName string = virtualNetwork.name
 output vnetId string = virtualNetwork.id
+output defaultSubnetId string = virtualNetwork.properties.subnets[0].id
 output hostnameConfigs array = apiManagementService.properties.hostnameConfigurations

infra/core/apim/apim.docs-servicedef.bicep infra/core/apim/apim.graphrag-documentation.bicep

@@ -8,7 +8,7 @@ param apimname string
 resource api 'Microsoft.ApiManagement/service/apis@2023-03-01-preview' = {
   name: '${apimname***REMOVED***/${name***REMOVED***'
   properties: {
-    displayName: 'Graph RAG'
+    displayName: 'GraphRAG'
     apiRevision: '1'
     subscriptionRequired: true
     serviceUrl: backendUrl

infra/core/apim/apim.graphrag-servicedef.bicep

@@ -69,5 +69,6 @@ resource roleAssignmentResources 'Microsoft.Authorization/roleAssignments@2022-0
   ***REMOVED***
 ]
 
+output id string = storage.id
 output name string = storage.name
 output primaryEndpoints object = storage.properties.primaryEndpoints

infra/core/blob/storage.bicep

@@ -25,7 +25,7 @@ resource cosmosDb 'Microsoft.DocumentDB/databaseAccounts@2022-11-15' = {
     type: 'SystemAssigned'
   ***REMOVED***
   properties: {
-    publicNetworkAccess: 'Enabled'
+    publicNetworkAccess: 'Disabled'
     enableAutomaticFailover: false
     enableMultipleWriteLocations: false
     isVirtualNetworkFilterEnabled: false
@@ -206,8 +206,6 @@ resource cosmosDbIdentityAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRo
   ***REMOVED***
 ***REMOVED***
 
-
-output cosmosDbResourceId string = cosmosDb.id
-output cosmosDbResourceName string = cosmosDb.name
-output serviceName string = cosmosDb.name
+output id string = cosmosDb.id
+output name string = cosmosDb.name
 output endpoint string = cosmosDb.properties.documentEndpoint

infra/core/cosmosdb/cosmosdb.bicep

@@ -12,6 +12,8 @@ resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10
   location: location
   properties: {
     retentionInDays: 30
+    publicNetworkAccessForIngestion: 'Disabled'
+    publicNetworkAccessForQuery: 'Enabled'
     features: {
       immediatePurgeDataOn30Days: true
     ***REMOVED***

infra/core/log-analytics/log.bicep

@@ -0,0 +1,28 @@
+param privateLinkScopeName string
+param privateLinkScopedResources array = []
+
+param queryAccessMode string = 'Open'
+param ingestionAccessMode string = 'PrivateOnly'
+
+resource privateLinkScope 'microsoft.insights/privateLinkScopes@2021-07-01-preview' = {
+  name: privateLinkScopeName
+  location: 'global'
+  properties: {
+    accessModeSettings: {
+      queryAccessMode: queryAccessMode
+      ingestionAccessMode: ingestionAccessMode
+    ***REMOVED***
+  ***REMOVED***
+***REMOVED***
+
+resource scopedResources 'microsoft.insights/privateLinkScopes/scopedResources@2021-07-01-preview' = [
+  for id in privateLinkScopedResources: {
+    name: uniqueString(id)
+    parent: privateLinkScope
+    properties: {
+      linkedResourceId: id
+    ***REMOVED***
+  ***REMOVED***
+]
+
+output privateLinkScopeId string = privateLinkScope.id

infra/core/monitor/private-link-scope.bicep

@@ -0,0 +1,14 @@
+@description('The name of the private DNS zone.')
+param privateDnsZoneNames array
+
+param vnetResourceIds array
+
+module privateDnsVnetLinks 'private-dns-vnet-link.bicep' = [
+  for (privateDnsZoneName, i) in privateDnsZoneNames: {
+    name: '${privateDnsZoneName***REMOVED***-vnet-link-${i***REMOVED***'
+    params: {
+      privateDnsZoneName: privateDnsZoneName
+      vnetResourceIds: vnetResourceIds
+    ***REMOVED***
+  ***REMOVED***
+]

infra/core/vnet/batch-private-dns-vnet-link.bicep

@@ -0,0 +1,23 @@
+param privateDnsZoneName string
+
+param vnetResourceIds array
+
+resource dnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+  name: privateDnsZoneName
+  location: 'global'
+  properties: {***REMOVED***
+***REMOVED***
+
+resource dnsZoneLinks 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = [
+  for vnetId in vnetResourceIds: {
+    name: uniqueString(vnetId)
+    location: 'global'
+    parent: dnsZone
+    properties: {
+      registrationEnabled: false
+      virtualNetwork: {
+        id: vnetId
+      ***REMOVED***
+    ***REMOVED***
+  ***REMOVED***
+]

infra/core/vnet/private-dns-vnet-link.bicep

@@ -0,0 +1,18 @@
+{
+  "azureCloud": {
+    "azureMonitor": [
+    "privatelink.monitor.azure.com",
+    "privatelink.oms.opinsights.azure.com",
+    "privatelink.agentsvc.azure-automation.net",
+    "privatelink.ods.opinsights.azure.com"
+    ]
+  ***REMOVED***,
+  "azureusgovernment": {
+    "azureMonitor": [
+    "privatelink.monitor.azure.us",
+    "privatelink.oms.opinsights.azure.us",
+    "privatelink.agentsvc.azure-automation.us",
+    "privatelink.ods.opinsights.azure.us"
+    ]
+  ***REMOVED***
+***REMOVED***

infra/core/vnet/private-dns-zone-groups.json

@@ -0,0 +1,41 @@
+@description('Resource ID of service the private endpoint is for')
+param privateLinkServiceId string
+
+param privateEndpointName string
+
+@description('The resource ID of the subnet to deploy the private endpoint to')
+param subnetId string
+
+param groupId string
+
+param location string = resourceGroup().location
+
+@description('map of group id to array of private dns zone configs to associate with the private endpoint')
+param privateDnsZoneConfigs array
+
+resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
+  name: privateEndpointName
+  location: location
+  properties: {
+    privateLinkServiceConnections: [
+      {
+        name: privateEndpointName
+        properties: {
+          privateLinkServiceId: privateLinkServiceId
+          groupIds: [groupId]
+        ***REMOVED***
+      ***REMOVED***
+    ]
+    subnet: {
+      id: subnetId
+    ***REMOVED***
+  ***REMOVED***
+***REMOVED***
+
+resource privateDnsZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2021-05-01' = {
+  name: groupId
+  parent: privateEndpoint
+  properties: {
+    privateDnsZoneConfigs: privateDnsZoneConfigs
+  ***REMOVED***
+***REMOVED***