Add new properties to AKS

arm/Microsoft.ContainerService/managedClusters/.bicep/nested_rbac.bicep

@@ -6,6 +6,7 @@ var builtInRoleNames = {
   'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
   'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
   'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'AcrPull': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
   'Azure Kubernetes Service Cluster Admin Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')
   'Azure Kubernetes Service Cluster User Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')
   'Azure Kubernetes Service Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')
@@ -19,6 +20,7 @@ var builtInRoleNames = {
   'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
   'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
   'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+  'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')
   'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
   'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
   'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')

arm/Microsoft.ContainerService/managedClusters/deploy.bicep

@@ -98,11 +98,26 @@ param aadProfileManaged bool = true
 @description('Optional. Specifies whether to enable Azure RBAC for Kubernetes authorization.')
 param aadProfileEnableAzureRBAC bool = true
 
+@description('Optional. If set to true, getting static credentials will be disabled for this cluster. This must only be used on Managed Clusters that are AAD enabled.')
+param disableLocalAccounts bool = false
+
 @description('Optional. Name of the resource group containing agent pool nodes.')
 param nodeResourceGroup string = '${resourceGroup().name}_aks_${name}_nodes'
 
+@description('Optional. IP ranges are specified in CIDR format, e.g. 137.117.106.88/29. This feature is not compatible with clusters that use Public IP Per Node, or clusters that are using a Basic Load Balancer.')
+param authorizedIPRanges array = []
+
+@description('Optional. Whether to disable run command for the cluster or not.')
+param disableRunCommand bool = false
+
 @description('Optional. Specifies whether to create the cluster as a private cluster or not.')
-param aksClusterEnablePrivateCluster bool = false
+param enablePrivateCluster bool = false
+
+@description('Optional. Whether to create additional public FQDN for private cluster or not.')
+param enablePrivateClusterPublicFQDN bool = false
+
+@description('Optional. If AKS will create a Private DNS Zone in the Node Resource Group.')
+param usePrivateDNSZone bool = false
 
 @description('Required. Properties of the primary agent pool.')
 param primaryAgentPoolProfile array
@@ -125,6 +140,16 @@ param azurePolicyVersion string = 'v2'
 @description('Optional. Specifies whether the kubeDashboard add-on is enabled or not.')
 param kubeDashboardEnabled bool = false
 
+@description('Optional. Specifies whether the KeyvaultSecretsProvider add-on is enabled or not.')
+param enableKeyvaultSecretsProvider bool = false
+
+@allowed([
+  'false'
+  'true'
+])
+@description('Optional. Specifies whether the KeyvaultSecretsProvider add-on uses secret rotation.')
+param enableSecretRotation string = 'false'
+
 @description('Optional. Specifies the scan interval of the auto-scaler of the AKS cluster.')
 param autoScalerProfileScanInterval string = '10s'
 
@@ -149,6 +174,63 @@ param autoScalerProfileUtilizationThreshold string = '0.5'
 @description('Optional. Specifies the max graceful termination time interval in seconds for the auto-scaler of the AKS cluster.')
 param autoScalerProfileMaxGracefulTerminationSec string = '600'
 
+@allowed([
+  'false'
+  'true'
+])
+@description('Optional. Specifies the balance of similar node groups for the auto-scaler of the AKS cluster.')
+param autoScalerProfileBalanceSimilarNodeGroups string = 'false'
+
+@allowed([
+  'least-waste'
+  'most-pods'
+  'priority'
+  'random'
+])
+@description('Optional. Specifies the expand strategy for the auto-scaler of the AKS cluster.')
+param autoScalerProfileExpander string = 'random'
+
+@description('Optional. Specifies the maximum empty bulk delete for the auto-scaler of the AKS cluster.')
+param autoScalerProfileMaxEmptyBulkDelete string = '10'
+
+@description('Optional. Specifies the maximum node provisioning time for the auto-scaler of the AKS cluster. Values must be an integer followed by an "m". No unit of time other than minutes (m) is supported.')
+param autoScalerProfileMaxNodeProvisionTime string = '15m'
+
+@description('Optional. Specifies the mximum total unready percentage for the auto-scaler of the AKS cluster. The maximum is 100 and the minimum is 0.')
+param autoScalerProfileMaxTotalUnreadyPercentage string = '45'
+
+@description('Optional. For scenarios like burst/batch scale where you do not want CA to act before the kubernetes scheduler could schedule all the pods, you can tell CA to ignore unscheduled pods before they are a certain age. Values must be an integer followed by a unit ("s" for seconds, "m" for minutes, "h" for hours, etc).')
+param autoScalerProfileNewPodScaleUpDelay string = '0s'
+
+@description('Optional. Specifies the ok total unready count for the auto-scaler of the AKS cluster.')
+param autoScalerProfileOkTotalUnreadyCount string = '3'
+
+@allowed([
+  'false'
+  'true'
+])
+@description('Optional. Specifies if nodes with local storage should be skipped for the auto-scaler of the AKS cluster.')
+param autoScalerProfileSkipNodesWithLocalStorage string = 'true'
+
+@allowed([
+  'false'
+  'true'
+])
+@description('Optional. Specifies if nodes with system pods should be skipped for the auto-scaler of the AKS cluster.')
+param autoScalerProfileSkipNodesWithSystemPods string = 'true'
+
+@description('Optional. Running in Kubenet is disabled by default due to the security related nature of AAD Pod Identity and the risks of IP spoofing.')
+param podIdentityProfileAllowNetworkPluginKubenet bool = false
+
+@description('Optional. Whether the pod identity addon is enabled.')
+param podIdentityProfileEnable bool = false
+
+@description('Optional. The pod identities to use in the cluster.')
+param podIdentityProfileUserAssignedIdentities array = []
+
+@description('Optional. The pod identity exceptions to allow.')
+param podIdentityProfileUserAssignedIdentityExceptions array = []
+
 @description('Optional. Resource ID of the diagnostic storage account.')
 param diagnosticStorageAccountId string = ''
 
@@ -299,8 +381,15 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2021-10-01'
       kubeDashboard: {
         enabled: kubeDashboardEnabled
       }
+      azureKeyvaultSecretsProvider: {
+        enabled: enableKeyvaultSecretsProvider
+        config: {
+          enableSecretRotation: enableSecretRotation
+        }
+      }
     }
     enableRBAC: aadProfileEnableAzureRBAC
+    disableLocalAccounts: disableLocalAccounts
     nodeResourceGroup: nodeResourceGroup
     networkProfile: {
       networkPlugin: !empty(aksClusterNetworkPlugin) ? any(aksClusterNetworkPlugin) : null
@@ -323,17 +412,36 @@ resource managedCluster 'Microsoft.ContainerService/managedClusters@2021-10-01'
       tenantID: aadProfileTenantId
     }
     autoScalerProfile: {
-      'scan-interval': autoScalerProfileScanInterval
+      'balance-similar-node-groups': autoScalerProfileBalanceSimilarNodeGroups
+      'expander': autoScalerProfileExpander
+      'max-empty-bulk-delete': autoScalerProfileMaxEmptyBulkDelete
+      'max-graceful-termination-sec': autoScalerProfileMaxGracefulTerminationSec
+      'max-node-provision-time': autoScalerProfileMaxNodeProvisionTime
+      'max-total-unready-percentage': autoScalerProfileMaxTotalUnreadyPercentage
+      'new-pod-scale-up-delay': autoScalerProfileNewPodScaleUpDelay
+      'ok-total-unready-count': autoScalerProfileOkTotalUnreadyCount
       'scale-down-delay-after-add': autoScalerProfileScaleDownDelayAfterAdd
       'scale-down-delay-after-delete': autoScalerProfileScaleDownDelayAfterDelete
       'scale-down-delay-after-failure': autoScalerProfileScaleDownDelayAfterFailure
       'scale-down-unneeded-time': autoScalerProfileScaleDownUnneededTime
       'scale-down-unready-time': autoScalerProfileScaleDownUnreadyTime
       'scale-down-utilization-threshold': autoScalerProfileUtilizationThreshold
-      'max-graceful-termination-sec': autoScalerProfileMaxGracefulTerminationSec
+      'scan-interval': autoScalerProfileScanInterval
+      'skip-nodes-with-local-storage': autoScalerProfileSkipNodesWithLocalStorage
+      'skip-nodes-with-system-pods': autoScalerProfileSkipNodesWithSystemPods
     }
     apiServerAccessProfile: {
-      enablePrivateCluster: aksClusterEnablePrivateCluster
+      authorizedIPRanges: authorizedIPRanges
+      disableRunCommand: disableRunCommand
+      enablePrivateCluster: enablePrivateCluster
+      enablePrivateClusterPublicFQDN: enablePrivateClusterPublicFQDN
+      privateDNSZone: usePrivateDNSZone ? 'system' : ''
+    }
+    podIdentityProfile: {
+      allowNetworkPluginKubenet: podIdentityProfileAllowNetworkPluginKubenet
+      enabled: podIdentityProfileEnable
+      userAssignedIdentities: podIdentityProfileUserAssignedIdentities
+      userAssignedIdentityExceptions: podIdentityProfileUserAssignedIdentityExceptions
     }
   }
 }
@@ -421,7 +529,13 @@ output resourceGroupName string = resourceGroup().name
 output name string = managedCluster.name
 
 @description('The control plane FQDN of the managed cluster')
-output controlPlaneFQDN string = (aksClusterEnablePrivateCluster ? managedCluster.properties.privateFQDN : managedCluster.properties.fqdn)
+output controlPlaneFQDN string = enablePrivateCluster ? managedCluster.properties.privateFQDN : managedCluster.properties.fqdn
 
 @description('The principal ID of the system assigned identity.')
 output systemAssignedPrincipalId string = systemAssignedIdentity && contains(managedCluster.identity, 'principalId') ? managedCluster.identity.principalId : ''
+
+@description('The Object ID of the AKS identity.')
+output kubeletidentityObjectId string = contains(managedCluster.properties, 'identityProfile') ? contains(managedCluster.properties.identityProfile, 'kubeletidentity') ? managedCluster.properties.identityProfile.kubeletidentity.objectId : '' : ''
+
+@description('The Object ID of the OMS agent identity.')
+output omsagentIdentityObjectId string = contains(managedCluster.properties, 'addonProfiles') ? contains(managedCluster.properties.addonProfiles, 'omsagent') ? contains(managedCluster.properties.addonProfiles.omsagent, 'identity') ? managedCluster.properties.addonProfiles.omsagent.identity.objectId : '' : '' : ''