[Modules] AKS: Updated secure defaults (#1593)
* Added disk encr Set

* Update to latest

* Update to latest

* Update to latest

* Updated case handling

* Updated dependencies wiki
AlexanderSehr authored Jun 28, 2022
1 parent 85bb232 commit c47009b
Showing 9 changed files with 79 additions and 7 deletions.
16 changes: 16 additions & 0 deletions .azuredevops/platformPipelines/platform.dependencies.yml
@@ -553,6 +553,7 @@ stages:
- path: $(dependencyPath)/$(resourceType)/parameters/bas.additional.parameters.json
templateFilePath: $(templateFilePath)
displayName: Bastion Additional Public IP

- stage: deploy_appi
displayName: Deploy application insight
dependsOn:
@@ -881,6 +882,21 @@ stages:
azurePowerShellVersion: 'LatestVersion'
pwsh: true

- stage: deploy_des
displayName: Deploy Disk Encryption Set
dependsOn:
- deploy_kv
variables:
resourceType: 'Microsoft.Compute/diskEncryptionSets'
templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
jobs:
- template: /.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
parameters:
deploymentBlocks:
- path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
templateFilePath: $(templateFilePath)
displayName: Default Application Group

- stage: deploy_avdag
displayName: Deploy AVD application group
dependsOn:
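Review bot: the deployment block's displayName at the end of the new deploy_des stage reads 'Default Application Group', which looks copied from the deploy_avdag stage that follows; it should describe the Disk Encryption Set parameters.json (for example `displayName: Disk Encryption Set`) so the pipeline run is readable.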
28 changes: 28 additions & 0 deletions .github/workflows/platform.dependencies.yml
@@ -1231,6 +1231,34 @@ jobs:
}
azPSVersion: 'latest'

job_deploy_des:
runs-on: ubuntu-20.04
name: 'Deploy Disk Encryption Set'
env:
namespace: 'Microsoft.Compute/diskEncryptionSets'
needs:
- job_deploy_kv_secrets
strategy:
fail-fast: false
matrix:
parameterFilePaths: ['parameters.json']
steps:
- name: 'Checkout'
uses: actions/checkout@v2
with:
fetch-depth: 0

- name: 'Deploy module'
uses: ./.github/actions/templates/validateModuleDeployment
with:
templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
location: '${{ env.location }}'
resourceGroupName: '${{ env.defaultResourceGroupName }}'
subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
removeDeployment: '${{ env.removeDeployment }}'

job_deploy_avdag:
runs-on: ubuntu-20.04
name: 'Deploy AVD application group'
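Review bot: job_deploy_des depends only on job_deploy_kv_secrets, but the DES parameters.json added in this commit references a versioned key URL (keyEncryptionKey/...) in adp-<<namePrefix>>-az-kv-x-001; confirm that this key exists by the time the job runs, and if it is created by a job other than the secrets one, point `needs:` at that job instead. The ADO pipeline in the same commit depends on the whole deploy_kv stage, so the two pipelines currently encode different dependencies for the same resource.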
7 changes: 4 additions & 3 deletions docs/wiki/The CI environment - Pipeline design.md
@@ -186,8 +186,8 @@ This group of resources has a dependency on one or more resources in the group a
- '_adp-\<<namePrefix\>>-az-nsg-x-apgw_': NSG with required network security rules to be leveraged by the \[application gateway] subnet.
- '_adp-\<<namePrefix\>>-az-nsg-x-ase_': NSG with required network security rules to be leveraged by the \[app service environment] subnet.
- '_adp-\<<namePrefix\>>-az-nsg-x-bastion_': NSG with required network security rules to be leveraged by the \[bastion host] subnet.
- '_adp-\<<namePrefix\>>-az-nsg-x-sqlmi_': NSG with required network security rules to be leveraged by the \[sql managed instance] subnet.
>**Note**: This resource is deployed and configured only if SQL-MI dependency resources are enabled.
- '_adp-\<<namePrefix\>>-az-nsg-x-sqlmi_': NSG with required network security rules to be leveraged by the \[SQL managed instance] subnet.
>**Note**: This resource is deployed and configured only if sqlmi dependency resources are enabled.
- '_adp-\<<namePrefix\>>-az-nsg-x-001_': default NSG leveraged by all other subnets.
1. Application insight: This resource supports monitoring, hence it has a dependency on the \[storage account], \[log analytics workspace] and \[event hub] deployed in the group above. This resource is leveraged by the \[machine learning service] resource.
1. Automation account: This resource supports monitoring, hence it has a dependency on the \[storage account], \[log analytics workspace] and \[event hub] deployed in the group above. This resource is leveraged by the \[log analytics workspace] resource.
@@ -216,11 +216,12 @@ This group of resources has a dependency on one or more resources in the groups
- '_adp-\<<namePrefix\>>-az-vnet-x-peer02_': Leveraged by the \[virtual network peering] resource.
- '_adp-\<<namePrefix\>>-az-vnet-x-azfw_': Leveraged by the \[azure firewall] resource.
- '_adp-\<<namePrefix\>>-az-vnet-x-aks_': Leveraged by the \[azure kubernetes service] resource.
- '_adp-\<<namePrefix\>>-az-vnet-x-sqlmi_': Leveraged by the \[sql managed instance] resource.
- '_adp-\<<namePrefix\>>-az-vnet-x-sqlmi_': Leveraged by the \[SQL managed instance] resource.
>**Note**: This resource is deployed and configured only if sqlmi dependency resources are enabled.
- '_adp-\<<namePrefix\>>-az-vnet-x-001_': Hosting multiple subnets to be leveraged by \[virtual machine], \[virtual machine scale set], \[service bus], \[azure NetApp files], \[azure bastion], \[private endpoints], \[app service environment] and \[application gateway] resources.
1. Azure Image Builder template: This resource triggers the build and distribution of a VHD in a storage account. The VHD file is copied to a known storage account blob container and leveraged by \[compute disks] and \[compute images] resources.
>**Note**: This resource is deployed and configured only if the 'Enable deployment of a VHD stored in a blob container' option is selected.
1. Disk Encryption Set: This resource is leveraged by the \[Managed Cluster] resource.

#### **5th level resources**

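Review bot: the new Disk Encryption Set entry only states what consumes it, whereas the other entries at this level also say which earlier resources they depend on. Add its upstream dependency (the key vault and key that the new parameters.json references) so the reader can see why it is placed after the key vault rather than in an earlier group.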
@@ -8,6 +8,9 @@
"lock": {
"value": "CanNotDelete"
},
"diskEncryptionSetID": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Compute/diskEncryptionSets/adp-<<namePrefix>>-az-des-x-001"
},
"primaryAgentPoolProfile": {
"value": [
{
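Review bot: with this change the module's test parameters require adp-<<namePrefix>>-az-des-x-001 to exist in validation-rg before the AKS test deployment runs; the dependency pipelines in this commit create it, so any validation run against a dependency environment that has not been re-deployed will fail at this parameter until they are re-run.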
@@ -23,7 +23,7 @@ param sourceResourceId string = ''
])
param enableAutoScaling bool = false

@description('Optional. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption .')
@description('Optional. This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled.')
@allowed([
true
false
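Review bot: the enableEncryptionAtHost description now says the setting should be enabled for security reasons, but the parameter default is left at false (the readme hunk in this commit still shows `False`). For a commit titled 'Updated secure defaults', either flip the default to `true`, keeping the VM size and region caveat in the description, or state explicitly that the default stays false and the recommendation is on the consumer.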
@@ -33,7 +33,7 @@ This module deploys an Agent Pool for a Container Service Managed Cluster
| `count` | int | `1` | | Desired Number of agents (VMs) specified to host docker containers. Allowed values must be in the range of 0 to 1000 (inclusive) for user pools and in the range of 1 to 1000 (inclusive) for system pools. The default value is 1. |
| `enableAutoScaling` | bool | `False` | `[True, False]` | Whether to enable auto-scaler. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `enableEncryptionAtHost` | bool | `False` | `[True, False]` | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption . |
| `enableEncryptionAtHost` | bool | `False` | `[True, False]` | This is only supported on certain VM sizes and in certain Azure regions. For more information, see: /azure/aks/enable-host-encryption. For security reasons, this setting should be enabled. |
| `enableFIPS` | bool | `False` | `[True, False]` | See Add a FIPS-enabled node pool (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#add-a-fips-enabled-node-pool-preview) for more details. |
| `enableNodePublicIP` | bool | `False` | `[True, False]` | Some scenarios may require nodes in a node pool to receive their own dedicated public IP addresses. A common scenario is for gaming workloads, where a console needs to make a direct connection to a cloud virtual machine to minimize hops. For more information see assigning a public IP per node (https://docs.microsoft.com/en-us/azure/aks/use-multiple-node-pools#assign-a-public-ip-per-node-for-your-node-pools). The default is false. |
| `enableUltraSSD` | bool | `False` | `[True, False]` | Whether to enable UltraSSD. |
@@ -137,7 +137,7 @@ param appGatewayResourceId string = ''
@description('Optional. Specifies whether the aciConnectorLinux add-on is enabled or not.')
param aciConnectorLinuxEnabled bool = false

@description('Optional. Specifies whether the azurepolicy add-on is enabled or not.')
@description('Optional. Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled.')
param azurePolicyEnabled bool = true

@description('Optional. Specifies the azure policy version to use.')
@@ -286,6 +286,9 @@ param lock string = ''
@description('Optional. Tags of the resource.')
param tags object = {}

@description('Optional. The resource ID of the disc encryption set to apply to the clsuter. For security reasons, this value should be provided.')
param diskEncryptionSetID string = ''

@description('Optional. The name of logs that will be streamed.')
@allowed([
'kube-apiserver'
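Review bot: the new description has two typos, 'disc encryption set' and 'clsuter'; the readme table is generated from these descriptions, so the same typos appear in the readme hunk of this commit. Fix them at the source: `@description('Optional. The resource ID of the disk encryption set to apply to the cluster. For security reasons, this value should be provided.')`. Naming is also worth a deliberate choice: other resource-ID parameters in this file use the `ResourceId` suffix (`appGatewayResourceId` above), while `diskEncryptionSetID` mirrors the ARM property name.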
@@ -381,6 +384,7 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2022-03-02-p
tier: aksClusterSkuTier
}
properties: {
diskEncryptionSetID: !empty(diskEncryptionSetID) ? diskEncryptionSetID : null
kubernetesVersion: (empty(aksClusterKubernetesVersion) ? null : aksClusterKubernetesVersion)
dnsPrefix: aksClusterDnsPrefix
agentPoolProfiles: primaryAgentPoolProfile
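Review bot: style only: the new diskEncryptionSetID line uses `!empty(x) ? x : null` while the kubernetesVersion line directly below uses `(empty(x) ? null : x)`; use one form for the two adjacent properties.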
7 changes: 6 additions & 1 deletion modules/Microsoft.ContainerService/managedClusters/readme.md
@@ -76,7 +76,7 @@ This module deploys Azure Kubernetes Cluster (AKS).
| `autoScalerProfileSkipNodesWithLocalStorage` | string | `'true'` | `[false, true]` | Specifies if nodes with local storage should be skipped for the auto-scaler of the AKS cluster. |
| `autoScalerProfileSkipNodesWithSystemPods` | string | `'true'` | `[false, true]` | Specifies if nodes with system pods should be skipped for the auto-scaler of the AKS cluster. |
| `autoScalerProfileUtilizationThreshold` | string | `'0.5'` | | Specifies the utilization threshold of the auto-scaler of the AKS cluster. |
| `azurePolicyEnabled` | bool | `True` | | Specifies whether the azurepolicy add-on is enabled or not. |
| `azurePolicyEnabled` | bool | `True` | | Specifies whether the azurepolicy add-on is enabled or not. For security reasons, this setting should be enabled. |
| `azurePolicyVersion` | string | `'v2'` | | Specifies the azure policy version to use. |
| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
@@ -88,6 +88,7 @@ This module deploys Azure Kubernetes Cluster (AKS).
| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
| `disableLocalAccounts` | bool | `False` | | If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled. |
| `disableRunCommand` | bool | `False` | | Whether to disable run command for the cluster or not. |
| `diskEncryptionSetID` | string | `''` | | The resource ID of the disc encryption set to apply to the clsuter. For security reasons, this value should be provided. |
| `enableAzureDefender` | bool | `False` | | Whether to enable Azure Defender. |
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
| `enableKeyvaultSecretsProvider` | bool | `False` | | Specifies whether the KeyvaultSecretsProvider add-on is enabled or not. |
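Review bot: the 'disc' and 'clsuter' typos in the new diskEncryptionSetID row are inherited from the parameter description in deploy.bicep; correct the description there and regenerate the readme rather than editing this table by hand, otherwise the two drift apart on the next regeneration.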
@@ -375,6 +376,9 @@ userAssignedIdentities: {
"lock": {
"value": "CanNotDelete"
},
"diskEncryptionSetID": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Compute/diskEncryptionSets/adp-<<namePrefix>>-az-des-x-001"
},
"primaryAgentPoolProfile": {
"value": [
{
@@ -499,6 +503,7 @@ module managedClusters './Microsoft.ContainerService/managedClusters/deploy.bice
params: {
name: '<<namePrefix>>-az-aks-azure-001'
lock: 'CanNotDelete'
diskEncryptionSetID: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Compute/diskEncryptionSets/adp-<<namePrefix>>-az-des-x-001'
primaryAgentPoolProfile: [
{
name: 'systempool'
@@ -0,0 +1,15 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"value": "adp-<<namePrefix>>-az-des-x-001"
},
"keyVaultId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
},
"keyUrl": {
"value": "https://adp-<<namePrefix>>-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/bc3bb46d95c64367975d722f473eeae5" // ID must be updated for new keys
}
}
}
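Review bot: keyUrl pins a specific key version (the trailing hex id), and the inline comment itself says it must be updated for new keys; a rotation of keyEncryptionKey in adp-<<namePrefix>>-az-kv-x-001 will break the dependency deployment until someone edits this file by hand. Consider resolving the current key version in the pipeline before the deployment instead of committing it. Separately, the `// ID must be updated for new keys` comment makes this a JSON-with-comments file, so check that everything in the repo that reads parameters.json files tolerates comments; a strict JSON parser will reject it.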
