@drunk-pulumi/azure-components 0.0.6

package/PulumiPlugin.yaml

@@ -0,0 +1 @@
+runtime: nodejs

package/README.md

@@ -0,0 +1 @@
+# drunk-pulumi-azure-components

package/ResourceBuilder.d.ts

@@ -0,0 +1,54 @@
+import * as pulumi from '@pulumi/pulumi';
+import { GroupRoleOutput } from './azAd';
+import { BaseComponent } from './base/BaseComponent';
+import { RsGroupArgs } from './common';
+import { LogsArgs } from './logs';
+import * as types from './types';
+import { KeyVaultArgs } from './vault';
+import { DiskEncryptionSetArgs } from './vm';
+type GroupRoleOutputTypes = {
+    admin: pulumi.Output<GroupRoleOutput>;
+    contributor: pulumi.Output<GroupRoleOutput>;
+    readOnly: pulumi.Output<GroupRoleOutput>;
+};
+type CommonProps = 'rsGroup' | 'groupRoles' | 'vaultInfo' | 'resourceGroupName';
+export interface ResourceBuilderArgs extends Omit<RsGroupArgs, CommonProps> {
+    groupRoles?: {
+        createWithName?: string;
+    } | GroupRoleOutputTypes;
+    vault?: Omit<KeyVaultArgs, CommonProps>;
+    logs?: Omit<LogsArgs, CommonProps>;
+    diskEncryption?: Omit<DiskEncryptionSetArgs, CommonProps>;
+    enableDefaultUAssignId?: boolean;
+}
+export declare class ResourceBuilder extends BaseComponent<ResourceBuilderArgs> {
+    readonly rsGroup: types.ResourceGroupOutputs;
+    readonly vaultInfo?: types.ResourceOutputs;
+    readonly groupRoles?: GroupRoleOutputTypes;
+    readonly defaultUAssignedId?: types.UserAssignedIdentityOutputs;
+    readonly logs?: types.LogsOutputs;
+    readonly diskEncryptionSet?: types.ResourceOutputs;
+    constructor(name: string, args: ResourceBuilderArgs, opts?: pulumi.ComponentResourceOptions);
+    getOutputs(): {
+        groupRoles: GroupRoleOutputTypes | undefined;
+        rsGroup: {
+            resourceGroupName: pulumi.Output<string>;
+            location?: pulumi.Output<string> | undefined;
+        };
+        vaultInfo: {
+            resourceName: pulumi.Output<string>;
+            id: pulumi.Output<string>;
+        } | undefined;
+        defaultUAssignedId: {
+            id: pulumi.Output<string>;
+            clientId: pulumi.Output<string>;
+            principalId: pulumi.Output<string>;
+        } | undefined;
+        logs: types.LogsOutputs | undefined;
+        diskEncryptionSet: {
+            resourceName: pulumi.Output<string>;
+            id: pulumi.Output<string>;
+        } | undefined;
+    };
+}
+export {};

package/ResourceBuilder.js

@@ -0,0 +1,71 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ResourceBuilder = void 0;
+const azAd_1 = require("./azAd");
+const BaseComponent_1 = require("./base/BaseComponent");
+const helpers_1 = require("./base/helpers");
+const common_1 = require("./common");
+const logs_1 = require("./logs");
+const vault_1 = require("./vault");
+const vm_1 = require("./vm");
+class ResourceBuilder extends BaseComponent_1.BaseComponent {
+    rsGroup;
+    vaultInfo;
+    groupRoles;
+    defaultUAssignedId;
+    logs;
+    diskEncryptionSet;
+    constructor(name, args, opts) {
+        super((0, helpers_1.getComponentResourceType)('ResourceBuilder'), name, args, opts);
+        const { groupRoles, vault, enableDefaultUAssignId, logs, diskEncryption, ...props } = args;
+        if (groupRoles) {
+            if ('createWithName' in groupRoles) {
+                this.groupRoles = new azAd_1.GroupRole(groupRoles.createWithName, {}, { dependsOn: opts?.dependsOn, parent: this }).getOutputs();
+            }
+            else
+                this.groupRoles = groupRoles;
+        }
+        const group = new common_1.RsGroup(name, { ...props, groupRoles: this.groupRoles }, { dependsOn: opts?.dependsOn, parent: this });
+        this.rsGroup = group.getOutputs();
+        if (vault) {
+            this.vaultInfo = new vault_1.KeyVault(name, { ...vault, rsGroup: this.rsGroup, groupRoles: this.groupRoles }, { dependsOn: group, parent: this }).getOutputs();
+        }
+        if (enableDefaultUAssignId) {
+            this.defaultUAssignedId = new azAd_1.UserAssignedIdentity(name, {
+                rsGroup: this.rsGroup,
+                vaultInfo: this.vaultInfo,
+                memberof: this.groupRoles ? [this.groupRoles.readOnly] : undefined,
+            }, { dependsOn: group, parent: this }).getOutputs();
+        }
+        if (logs) {
+            this.logs = new logs_1.Logs(name, {
+                ...logs,
+                rsGroup: this.rsGroup,
+                vaultInfo: this.vaultInfo,
+                groupRoles: this.groupRoles,
+            }, { dependsOn: group, parent: this }).getOutputs();
+        }
+        if (diskEncryption) {
+            this.diskEncryptionSet = new vm_1.DiskEncryptionSet(name, {
+                ...diskEncryption,
+                rsGroup: this.rsGroup,
+                encryptionType: 'EncryptionAtRestWithPlatformAndCustomerKeys',
+                defaultUAssignedId: this.defaultUAssignedId,
+                vaultInfo: this.vaultInfo,
+                groupRoles: this.groupRoles,
+            }, { dependsOn: group, parent: this }).getOutputs();
+        }
+    }
+    getOutputs() {
+        return {
+            groupRoles: this.groupRoles,
+            rsGroup: this.rsGroup,
+            vaultInfo: this.vaultInfo,
+            defaultUAssignedId: this.defaultUAssignedId,
+            logs: this.logs,
+            diskEncryptionSet: this.diskEncryptionSet,
+        };
+    }
+}
+exports.ResourceBuilder = ResourceBuilder;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiUmVzb3VyY2VCdWlsZGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vc3JjL1Jlc291cmNlQnVpbGRlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7QUFDQSxpQ0FBMEU7QUFDMUUsd0RBQXFEO0FBQ3JELDRDQUEwRDtBQUMxRCxxQ0FBZ0Q7QUFDaEQsaUNBQXdDO0FBRXhDLG1DQUFpRDtBQUNqRCw2QkFBZ0U7QUFrQmhFLE1BQWEsZUFBZ0IsU0FBUSw2QkFBa0M7SUFDckQsT0FBTyxDQUE2QjtJQUNwQyxTQUFTLENBQXlCO0lBQ2xDLFVBQVUsQ0FBd0I7SUFDbEMsa0JBQWtCLENBQXFDO0lBQ3ZELElBQUksQ0FBcUI7SUFDekIsaUJBQWlCLENBQXlCO0lBRTFELFlBQVksSUFBWSxFQUFFLElBQXlCLEVBQUUsSUFBc0M7UUFDekYsS0FBSyxDQUFDLElBQUEsa0NBQXdCLEVBQUMsaUJBQWlCLENBQUMsRUFBRSxJQUFJLEVBQUUsSUFBSSxFQUFFLElBQUksQ0FBQyxDQUFDO1FBQ3JFLE1BQU0sRUFBRSxVQUFVLEVBQUUsS0FBSyxFQUFFLHNCQUFzQixFQUFFLElBQUksRUFBRSxjQUFjLEVBQUUsR0FBRyxLQUFLLEVBQUUsR0FBRyxJQUFJLENBQUM7UUFFM0YsSUFBSSxVQUFVLEVBQUUsQ0FBQztZQUNmLElBQUksZ0JBQWdCLElBQUksVUFBVSxFQUFFLENBQUM7Z0JBQ25DLElBQUksQ0FBQyxVQUFVLEdBQUcsSUFBSSxnQkFBUyxDQUM3QixVQUFVLENBQUMsY0FBYyxFQUN6QixFQUFFLEVBQ0YsRUFBRSxTQUFTLEVBQUUsSUFBSSxFQUFFLFNBQVMsRUFBRSxNQUFNLEVBQUUsSUFBSSxFQUFFLENBQzdDLENBQUMsVUFBVSxFQUFFLENBQUM7WUFDakIsQ0FBQzs7Z0JBQU0sSUFBSSxDQUFDLFVBQVUsR0FBRyxVQUFrQyxDQUFDO1FBQzlELENBQUM7UUFFRCxNQUFNLEtBQUssR0FBRyxJQUFJLGdCQUFPLENBQ3ZCLElBQUksRUFDSixFQUFFLEdBQUcsS0FBSyxFQUFFLFVBQVUsRUFBRSxJQUFJLENBQUMsVUFBVSxFQUFFLEVBQ3pDLEVBQUUsU0FBUyxFQUFFLElBQUksRUFBRSxTQUFTLEVBQUUsTUFBTSxFQUFFLElBQUksRUFBRSxDQUM3QyxDQUFDO1FBQ0YsSUFBSSxDQUFDLE9BQU8sR0FBRyxLQUFLLENBQUMsVUFBVSxFQUFFLENBQUM7UUFFbEMsSUFBSSxLQUFLLEVBQUUsQ0FBQztZQUNWLElBQUksQ0FBQyxTQUFTLEdBQUcsSUFBSSxnQkFBUSxDQUMzQixJQUFJLEVBQ0osRUFBRSxHQUFHLEtBQUssRUFBRSxPQUFPLEVBQUUsSUFBSSxDQUFDLE9BQU8sRUFBRSxVQUFVLEVBQUUsSUFBSSxDQUFDLFVBQVUsRUFBRSxFQUNoRSxFQUFFLFNBQVMsRUFBRSxLQUFLLEVBQUUsTUFBTSxFQUFFLElBQUksRUFBRSxDQUNuQyxDQUFDLFVBQVUsRUFBRSxDQUFDO1FBQ2pCLENBQUM7UUFFRCxJQUFJLHNCQUFzQixFQUFFLENBQUM7WUFDM0IsSUFBSSxDQUFDLGtCQUFrQixHQUFHLElBQUksMkJBQW9CLENBQ2hELElBQUksRUFDSjtnQkFDRSxPQUFPLEVBQUUsSUFBSSxDQUFDLE9BQU87Z0JBQ3JCLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUztnQkFDekIsUUFBUSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxRQUFRLENBQUMsQ0FBQyxDQUFDLENBQUMsU0FBUzthQUNuRSxFQUNELEVBQUUsU0FBUyxFQUFFLEtBQUssRUFBRSxNQUFNLEVBQUUsSUFBSSxFQUFFLENBQ25DLENBQUMsVUFBVSxFQUFFLENBQUM7UUFDakIsQ0FBQztRQUVELElBQUksSUFBSSxFQUFFLENBQUM7WUFDVCxJQUFJLENBQUMsSUFBSSxHQUFHLElBQUksV0FBSSxDQUNsQixJQUFJLEVBQ0o7Z0JBQ0UsR0FBRyxJQUFJO2dCQUNQLE9BQU8sRUFBRSxJQUFJLENBQUMsT0FBTztnQkFDckIsU0FBUyxFQUFFLElBQUksQ0FBQyxTQUFTO2dCQUN6QixVQUFVLEVBQUUsSUFBSSxDQUFDLFVBQVU7YUFDNUIsRUFDRCxFQUFFLFNBQVMsRUFBRSxLQUFLLEVBQUUsTUFBTSxFQUFFLElBQUksRUFBRSxDQUNuQyxDQUFDLFVBQVUsRUFBRSxDQUFDO1FBQ2pCLENBQUM7UUFFRCxJQUFJLGNBQWMsRUFBRSxDQUFDO1lBQ25CLElBQUksQ0FBQyxpQkFBaUIsR0FBRyxJQUFJLHNCQUFpQixDQUM1QyxJQUFJLEVBQ0o7Z0JBQ0UsR0FBRyxjQUFjO2dCQUNqQixPQUFPLEVBQUUsSUFBSSxDQUFDLE9BQU87Z0JBQ3JCLGNBQWMsRUFBRSw2Q0FBNkM7Z0JBQzdELGtCQUFrQixFQUFFLElBQUksQ0FBQyxrQkFBa0I7Z0JBQzNDLFNBQVMsRUFBRSxJQUFJLENBQUMsU0FBUztnQkFDekIsVUFBVSxFQUFFLElBQUksQ0FBQyxVQUFVO2FBQzVCLEVBQ0QsRUFBRSxTQUFTLEVBQUUsS0FBSyxFQUFFLE1BQU0sRUFBRSxJQUFJLEVBQUUsQ0FDbkMsQ0FBQyxVQUFVLEVBQUUsQ0FBQztRQUNqQixDQUFDO0lBQ0gsQ0FBQztJQUVNLFVBQVU7UUFDZixPQUFPO1lBQ0wsVUFBVSxFQUFFLElBQUksQ0FBQyxVQUFVO1lBQzNCLE9BQU8sRUFBRSxJQUFJLENBQUMsT0FBTztZQUNyQixTQUFTLEVBQUUsSUFBSSxDQUFDLFNBQVM7WUFDekIsa0JBQWtCLEVBQUUsSUFBSSxDQUFDLGtCQUFrQjtZQUMzQyxJQUFJLEVBQUUsSUFBSSxDQUFDLElBQUk7WUFDZixpQkFBaUIsRUFBRSxJQUFJLENBQUMsaUJBQWlCO1NBQzFDLENBQUM7SUFDSixDQUFDO0NBQ0Y7QUF4RkQsMENBd0ZDIn0=

package/aks/AzKubernetes.d.ts

@@ -0,0 +1,55 @@
+import * as ccs from '@pulumi/azure-native/containerservice';
+import * as inputs from '@pulumi/azure-native/types/input';
+import * as pulumi from '@pulumi/pulumi';
+import { BaseResourceComponent, CommonBaseArgs } from '../base';
+import * as types from '../types';
+export interface AzKubernetesArgs extends CommonBaseArgs, types.WithEncryptionEnabler, types.WithGroupRolesArgs, types.WithUserAssignedIdentity, Pick<ccs.ManagedClusterArgs, 'dnsPrefix' | 'supportPlan' | 'autoScalerProfile' | 'autoUpgradeProfile' | 'disableLocalAccounts' | 'storageProfile'> {
+    sku: ccs.ManagedClusterSKUTier;
+    agentPoolProfiles: pulumi.Input<inputs.containerservice.ManagedClusterAgentPoolProfileArgs & {
+        vmSize: pulumi.Input<string>;
+        vnetSubnetID: pulumi.Input<string>;
+    }>[];
+    attachToAcr?: types.ResourceInputs;
+    features: {
+        enablePrivateCluster: boolean;
+        enablePrivateClusterPublicFQDN?: boolean;
+        enableVerticalPodAutoscaler?: boolean;
+        /** KEDA (Kubernetes Event-driven Autoscaling) settings for the workload auto-scaler profile. */
+        enableKeda?: boolean;
+        enableWorkloadIdentity?: boolean;
+        enablePodIdentity?: boolean;
+    };
+    addonProfiles?: {
+        enableAzureKeyVault?: boolean;
+    };
+    network?: Omit<inputs.containerservice.ContainerServiceNetworkProfileArgs, 'networkMode' | 'networkPolicy' | 'networkPlugin' | 'loadBalancerSku' | 'loadBalancerProfile'> & {
+        outboundType?: ccs.OutboundType;
+        loadBalancerProfile?: inputs.containerservice.ManagedClusterLoadBalancerProfileArgs & {
+            backendPoolType?: ccs.BackendPoolType;
+        };
+        /** Link the private DNS of AKS to these VNets */
+        extraPrivateDnsVnets?: types.ResourceInputs[];
+        authorizedIPRanges?: pulumi.Input<string>[];
+        virtualHostSubnetName?: pulumi.Input<string>;
+    };
+    maintenance?: Pick<ccs.MaintenanceConfigurationArgs, 'timeInWeek' | 'notAllowedTime'>;
+    logWorkspace?: types.ResourceInputs & {
+        defenderEnabled?: boolean;
+    };
+}
+export declare class AzKubernetes extends BaseResourceComponent<AzKubernetesArgs> {
+    readonly id: pulumi.Output<string>;
+    readonly resourceName: pulumi.Output<string>;
+    constructor(name: string, args: AzKubernetesArgs, opts?: pulumi.ComponentResourceOptions);
+    getOutputs(): {
+        id: pulumi.Output<string>;
+        resourceName: pulumi.Output<string>;
+    };
+    private createIdentity;
+    private createUserNameAndSshKeys;
+    private createDiskEncryptionSet;
+    private createCluster;
+    private createMaintenance;
+    private assignPermission;
+    private addAksCredentialToVault;
+}

package/aks/AzKubernetes.js

@@ -0,0 +1,288 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AzKubernetes = void 0;
+const ccs = __importStar(require("@pulumi/azure-native/containerservice"));
+const pulumi = __importStar(require("@pulumi/pulumi"));
+const azAd_1 = require("../azAd");
+const base_1 = require("../base");
+const common_1 = require("../common");
+const helpers_1 = require("../helpers");
+const vault_1 = require("../vault");
+const DiskEncryptionSet_1 = require("../vm/DiskEncryptionSet");
+const aksHelpers = __importStar(require("./helpers"));
+class AzKubernetes extends base_1.BaseResourceComponent {
+    id;
+    resourceName;
+    constructor(name, args, opts) {
+        super('AzKubernetes', name, args, opts);
+        const app = this.createIdentity();
+        const cluster = this.createCluster(app);
+        this.createMaintenance(cluster);
+        this.assignPermission(cluster);
+        this.addAksCredentialToVault(cluster);
+        this.id = cluster.id;
+        this.resourceName = cluster.name;
+        this.registerOutputs();
+    }
+    getOutputs() {
+        return {
+            id: this.id,
+            resourceName: this.resourceName,
+        };
+    }
+    createIdentity() {
+        const { rsGroup, vaultInfo, groupRoles } = this.args;
+        return new azAd_1.AppRegistration(`${this.name}-identity`, {
+            enableClientSecret: true,
+            servicePrincipal: { enabled: true },
+            vaultInfo,
+            memberof: groupRoles ? [groupRoles.readOnly] : undefined,
+            roleAssignments: [
+                {
+                    scope: helpers_1.rsHelpers.getRsGroupIdFrom(rsGroup),
+                    roleName: 'Reader',
+                    description: 'Allows AKS have read access to the resource group',
+                },
+            ],
+        }, { dependsOn: this.opts?.dependsOn, parent: this });
+    }
+    createUserNameAndSshKeys() {
+        const { vaultInfo } = this.args;
+        const userName = this.createRandomString({ type: 'string', length: 8, vaultInfo }).value.apply((v) => `${this.name}-admin-${v}`.substring(0, 32));
+        const password = this.createPassword({ length: 50 }).value;
+        const ssh = new common_1.SshGenerator(`${this.name}-ssh`, {
+            vaultInfo,
+            password,
+        }, { dependsOn: this.opts?.dependsOn, parent: this });
+        return { userName, sshPublicKey: ssh.publicKey };
+    }
+    createDiskEncryptionSet() {
+        const { rsGroup, enableEncryption, defaultUAssignedId, vaultInfo } = this.args;
+        if (!enableEncryption)
+            return undefined;
+        return new DiskEncryptionSet_1.DiskEncryptionSet(`${this.name}-disk-encryption-set`, {
+            rsGroup,
+            vaultInfo,
+            defaultUAssignedId,
+            encryptionType: 'EncryptionAtRestWithPlatformAndCustomerKeys',
+        }, { dependsOn: this.opts?.dependsOn, parent: this });
+    }
+    createCluster(app) {
+        const { rsGroup, vaultInfo, groupRoles, defaultUAssignedId, enableEncryption, features, addonProfiles, network, logWorkspace, sku, ...props } = this.args;
+        const nodeResourceGroup = pulumi.interpolate `${rsGroup.resourceGroupName}-nodes`;
+        const login = this.createUserNameAndSshKeys();
+        const diskEncryptionSet = this.createDiskEncryptionSet();
+        return new ccs.ManagedCluster(this.name, {
+            ...props,
+            ...rsGroup,
+            nodeResourceGroup,
+            dnsPrefix: props.dnsPrefix ?? `${helpers_1.azureEnv.currentEnv}-${this.name}`,
+            enableRBAC: true,
+            aadProfile: groupRoles
+                ? {
+                    enableAzureRBAC: true,
+                    managed: true,
+                    adminGroupObjectIDs: [groupRoles.admin.objectId],
+                    tenantID: helpers_1.azureEnv.tenantId,
+                }
+                : undefined,
+            apiServerAccessProfile: {
+                authorizedIPRanges: features?.enablePrivateCluster ? undefined : network?.authorizedIPRanges ?? [],
+                disableRunCommand: true,
+                enablePrivateCluster: features?.enablePrivateCluster,
+                //TODO: to make the life simple we enable this to allows IP DNS query from public internet.
+                enablePrivateClusterPublicFQDN: features?.enablePrivateClusterPublicFQDN ?? true,
+                privateDNSZone: features?.enablePrivateCluster ? 'system' : undefined,
+                //privateDNSZone: privateDnsZone?.id,
+            },
+            addonProfiles: {
+                azureKeyvaultSecretsProvider: {
+                    config: addonProfiles?.enableAzureKeyVault
+                        ? {
+                            enableSecretRotation: 'true',
+                        }
+                        : undefined,
+                    enabled: Boolean(addonProfiles?.enableAzureKeyVault),
+                },
+                azurePolicy: { enabled: true },
+                kubeDashboard: { enabled: false },
+                httpApplicationRouting: { enabled: false },
+                aciConnectorLinux: {
+                    enabled: Boolean(network?.virtualHostSubnetName),
+                    config: network?.virtualHostSubnetName ? { SubnetName: network.virtualHostSubnetName } : undefined,
+                },
+                // ingressApplicationGateway: {
+                //   enabled: Boolean(addon.applicationGateway),
+                //   config: addon.applicationGateway
+                //     ? {
+                //         gatewayName: `${name}-gateway`,
+                //         subnetId: addon.applicationGateway.gatewaySubnetId,
+                //       }
+                //     : undefined,
+                // },
+                omsAgent: {
+                    enabled: Boolean(logWorkspace?.id),
+                    config: logWorkspace?.id
+                        ? {
+                            logAnalyticsWorkspaceResourceID: logWorkspace.id,
+                        }
+                        : undefined,
+                },
+            },
+            sku: {
+                name: ccs.ManagedClusterSKUName.Base,
+                tier: sku,
+            },
+            linuxProfile: {
+                adminUsername: login.userName,
+                ssh: { publicKeys: [{ keyData: login.sshPublicKey }] },
+            },
+            windowsProfile: undefined,
+            workloadAutoScalerProfile: {
+                verticalPodAutoscaler: {
+                    enabled: features?.enableVerticalPodAutoscaler || false,
+                },
+                keda: { enabled: features?.enableKeda || false },
+            },
+            //azureMonitorProfile: { metrics: { enabled } },
+            //Refer here for details https://learn.microsoft.com/en-us/azure/aks/use-managed-identity
+            //enablePodSecurityPolicy: true,
+            diskEncryptionSetID: diskEncryptionSet?.id,
+            servicePrincipalProfile: {
+                clientId: app.clientId,
+                secret: app.clientSecret,
+            },
+            oidcIssuerProfile: { enabled: Boolean(features?.enableWorkloadIdentity) },
+            securityProfile: {
+                defender: logWorkspace?.defenderEnabled
+                    ? {
+                        logAnalyticsWorkspaceResourceId: logWorkspace.id,
+                        securityMonitoring: { enabled: true },
+                    }
+                    : undefined,
+                imageCleaner: { enabled: true, intervalHours: 24 },
+                workloadIdentity: {
+                    enabled: Boolean(features?.enableWorkloadIdentity),
+                },
+            },
+            podIdentityProfile: features?.enablePodIdentity
+                ? {
+                    enabled: features.enablePodIdentity,
+                    //Not allow pod to use kublet command
+                    allowNetworkPluginKubenet: false,
+                }
+                : undefined,
+            identity: {
+                type: defaultUAssignedId ? ccs.ResourceIdentityType.UserAssigned : ccs.ResourceIdentityType.SystemAssigned,
+                userAssignedIdentities: defaultUAssignedId ? [defaultUAssignedId.id] : undefined,
+            },
+            networkProfile: {
+                ...network,
+                networkMode: ccs.NetworkMode.Transparent,
+                networkPolicy: ccs.NetworkPolicy.Azure,
+                networkPlugin: ccs.NetworkPlugin.Azure,
+                loadBalancerSku: 'Standard',
+                outboundType: network?.outboundType ?? ccs.OutboundType.UserDefinedRouting,
+            },
+        }, {
+            ...this.opts,
+            dependsOn: app,
+            parent: this,
+        });
+    }
+    createMaintenance(aks) {
+        const { rsGroup, maintenance } = this.args;
+        if (!maintenance)
+            return undefined;
+        return new ccs.MaintenanceConfiguration(`${this.name}-MaintenanceConfiguration`, {
+            ...rsGroup,
+            ...maintenance,
+            configName: 'default',
+            resourceName: aks.name,
+            timeInWeek: maintenance.timeInWeek ?? [
+                {
+                    day: ccs.WeekDay.Sunday,
+                    hourSlots: [0, 23],
+                },
+            ],
+        }, { dependsOn: aks, deleteBeforeReplace: true });
+    }
+    assignPermission(aks) {
+        const { rsGroup, attachToAcr } = this.args;
+        pulumi.all([aks.identity, aks.identityProfile]).apply(([identity, identityProfile]) => {
+            if (identityProfile?.kubeletIdentity) {
+                this.addIdentityToRole('contributor', { principalId: identityProfile.kubeletIdentity.objectId });
+                if (attachToAcr) {
+                    new azAd_1.RoleAssignment(`${this.name}-aks-acr`, {
+                        principalId: identityProfile.kubeletIdentity.objectId,
+                        principalType: 'ServicePrincipal',
+                        roleName: 'acr-pull',
+                        scope: attachToAcr.id,
+                    }, { dependsOn: aks, parent: this });
+                }
+            }
+            if (identity) {
+                new azAd_1.RoleAssignment(`${this.name}-aks-identity`, {
+                    principalId: identity.principalId,
+                    principalType: 'ServicePrincipal',
+                    roleName: 'Contributor',
+                    scope: helpers_1.rsHelpers.getRsGroupIdFrom(rsGroup),
+                }, { dependsOn: aks, parent: this });
+            }
+        });
+    }
+    addAksCredentialToVault(aks) {
+        const { rsGroup, disableLocalAccounts, vaultInfo } = this.args;
+        if (!vaultInfo)
+            return undefined;
+        return pulumi.all([aks.name, rsGroup.resourceGroupName, disableLocalAccounts]).apply(([name, rgName, disabled]) => {
+            if (!name)
+                return;
+            const credential = aksHelpers.getAksConfig({
+                resourceName: name,
+                resourceGroupName: rgName,
+                disableLocalAccounts: disabled,
+            });
+            return new vault_1.VaultSecret(`${this.name}-credential`, {
+                vaultInfo,
+                value: credential,
+                contentType: `AzKubernetes ${this.name} aks config`,
+            }, { dependsOn: aks, parent: this, retainOnDelete: true });
+        });
+    }
+}
+exports.AzKubernetes = AzKubernetes;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQXpLdWJlcm5ldGVzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL2Frcy9Bekt1YmVybmV0ZXMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O0FBQUEsMkVBQTZEO0FBRTdELHVEQUF5QztBQUN6QyxrQ0FBMEQ7QUFDMUQsa0NBQWdFO0FBQ2hFLHNDQUF5QztBQUN6Qyx3Q0FBaUQ7QUFFakQsb0NBQXVDO0FBQ3ZDLCtEQUE0RDtBQUM1RCxzREFBd0M7QUFxRHhDLE1BQWEsWUFBYSxTQUFRLDRCQUF1QztJQUN2RCxFQUFFLENBQXdCO0lBQzFCLFlBQVksQ0FBd0I7SUFFcEQsWUFBWSxJQUFZLEVBQUUsSUFBc0IsRUFBRSxJQUFzQztRQUN0RixLQUFLLENBQUMsY0FBYyxFQUFFLElBQUksRUFBRSxJQUFJLEVBQUUsSUFBSSxDQUFDLENBQUM7UUFFeEMsTUFBTSxHQUFHLEdBQUcsSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO1FBQ2xDLE1BQU0sT0FBTyxHQUFHLElBQUksQ0FBQyxhQUFhLENBQUMsR0FBRyxDQUFDLENBQUM7UUFFeEMsSUFBSSxDQUFDLGlCQUFpQixDQUFDLE9BQU8sQ0FBQyxDQUFDO1FBQ2hDLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFPLENBQUMsQ0FBQztRQUMvQixJQUFJLENBQUMsdUJBQXVCLENBQUMsT0FBTyxDQUFDLENBQUM7UUFFdEMsSUFBSSxDQUFDLEVBQUUsR0FBRyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ3JCLElBQUksQ0FBQyxZQUFZLEdBQUcsT0FBTyxDQUFDLElBQUksQ0FBQztRQUVqQyxJQUFJLENBQUMsZUFBZSxFQUFFLENBQUM7SUFDekIsQ0FBQztJQUVNLFVBQVU7UUFDZixPQUFPO1lBQ0wsRUFBRSxFQUFFLElBQUksQ0FBQyxFQUFFO1lBQ1gsWUFBWSxFQUFFLElBQUksQ0FBQyxZQUFZO1NBQ2hDLENBQUM7SUFDSixDQUFDO0lBRU8sY0FBYztRQUNwQixNQUFNLEVBQUUsT0FBTyxFQUFFLFNBQVMsRUFBRSxVQUFVLEVBQUUsR0FBRyxJQUFJLENBQUMsSUFBSSxDQUFDO1FBRXJELE9BQU8sSUFBSSxzQkFBZSxDQUN4QixHQUFHLElBQUksQ0FBQyxJQUFJLFdBQVcsRUFDdkI7WUFDRSxrQkFBa0IsRUFBRSxJQUFJO1lBQ3hCLGdCQUFnQixFQUFFLEVBQUUsT0FBTyxFQUFFLElBQUksRUFBRTtZQUNuQyxTQUFTO1lBQ1QsUUFBUSxFQUFFLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxVQUFVLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQyxDQUFDLFNBQVM7WUFDeEQsZUFBZSxFQUFFO2dCQUNmO29CQUNFLEtBQUssRUFBRSxtQkFBUyxDQUFDLGdCQUFnQixDQUFDLE9BQU8sQ0FBQztvQkFDMUMsUUFBUSxFQUFFLFFBQVE7b0JBQ2xCLFdBQVcsRUFBRSxtREFBbUQ7aUJBQ2pFO2FBQ0Y7U0FDRixFQUNELEVBQUUsU0FBUyxFQUFFLElBQUksQ0FBQyxJQUFJLEVBQUUsU0FBUyxFQUFFLE1BQU0sRUFBRSxJQUFJLEVBQUUsQ0FDbEQsQ0FBQztJQUNKLENBQUM7SUFFTyx3QkFBd0I7UUFDOUIsTUFBTSxFQUFFLFNBQVMsRUFBRSxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUM7UUFDaEMsTUFBTSxRQUFRLEdBQUcsSUFBSSxDQUFDLGtCQUFrQixDQUFDLEVBQUUsSUFBSSxFQUFFLFFBQVEsRUFBRSxNQUFNLEVBQUUsQ0FBQyxFQUFFLFNBQVMsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQ25HLEdBQUcsSUFBSSxDQUFDLElBQUksVUFBVSxDQUFDLEVBQUUsQ0FBQyxTQUFTLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUMzQyxDQUFDO1FBQ0YsTUFBTSxRQUFRLEdBQUcsSUFBSSxDQUFDLGNBQWMsQ0FBQyxFQUFFLE1BQU0sRUFBRSxFQUFFLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQztRQUUzRCxNQUFNLEdBQUcsR0FBRyxJQUFJLHFCQUFZLENBQzFCLEdBQUcsSUFBSSxDQUFDLElBQUksTUFBTSxFQUNsQjtZQUNFLFNBQVM7WUFDVCxRQUFRO1NBQ1QsRUFDRCxFQUFFLFNBQVMsRUFBRSxJQUFJLENBQUMsSUFBSSxFQUFFLFNBQVMsRUFBRSxNQUFNLEVBQUUsSUFBSSxFQUFFLENBQ2xELENBQUM7UUFFRixPQUFPLEVBQUUsUUFBUSxFQUFFLFlBQVksRUFBRSxHQUFHLENBQUMsU0FBUyxFQUFFLENBQUM7SUFDbkQsQ0FBQztJQUVPLHVCQUF1QjtRQUM3QixNQUFNLEVBQUUsT0FBTyxFQUFFLGdCQUFnQixFQUFFLGtCQUFrQixFQUFFLFNBQVMsRUFBRSxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUM7UUFDL0UsSUFBSSxDQUFDLGdCQUFnQjtZQUFFLE9BQU8sU0FBUyxDQUFDO1FBQ3hDLE9BQU8sSUFBSSxxQ0FBaUIsQ0FDMUIsR0FBRyxJQUFJLENBQUMsSUFBSSxzQkFBc0IsRUFDbEM7WUFDRSxPQUFPO1lBQ1AsU0FBUztZQUNULGtCQUFrQjtZQUNsQixjQUFjLEVBQUUsNkNBQTZDO1NBQzlELEVBQ0QsRUFBRSxTQUFTLEVBQUUsSUFBSSxDQUFDLElBQUksRUFBRSxTQUFTLEVBQUUsTUFBTSxFQUFFLElBQUksRUFBRSxDQUNsRCxDQUFDO0lBQ0osQ0FBQztJQUVPLGFBQWEsQ0FBQyxHQUFvQjtRQUN4QyxNQUFNLEVBQ0osT0FBTyxFQUNQLFNBQVMsRUFDVCxVQUFVLEVBQ1Ysa0JBQWtCLEVBRWxCLGdCQUFnQixFQUNoQixRQUFRLEVBQ1IsYUFBYSxFQUNiLE9BQU8sRUFDUCxZQUFZLEVBQ1osR0FBRyxFQUNILEdBQUcsS0FBSyxFQUNULEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQztRQUNkLE1BQU0saUJBQWlCLEdBQUcsTUFBTSxDQUFDLFdBQVcsQ0FBQSxHQUFHLE9BQU8sQ0FBQyxpQkFBaUIsUUFBUSxDQUFDO1FBQ2pGLE1BQU0sS0FBSyxHQUFHLElBQUksQ0FBQyx3QkFBd0IsRUFBRSxDQUFDO1FBQzlDLE1BQU0saUJBQWlCLEdBQUcsSUFBSSxDQUFDLHVCQUF1QixFQUFFLENBQUM7UUFFekQsT0FBTyxJQUFJLEdBQUcsQ0FBQyxjQUFjLENBQzNCLElBQUksQ0FBQyxJQUFJLEVBQ1Q7WUFDRSxHQUFHLEtBQUs7WUFDUixHQUFHLE9BQU87WUFDVixpQkFBaUI7WUFDakIsU0FBUyxFQUFFLEtBQUssQ0FBQyxTQUFTLElBQUksR0FBRyxrQkFBUSxDQUFDLFVBQVUsSUFBSSxJQUFJLENBQUMsSUFBSSxFQUFFO1lBRW5FLFVBQVUsRUFBRSxJQUFJO1lBQ2hCLFVBQVUsRUFBRSxVQUFVO2dCQUNwQixDQUFDLENBQUM7b0JBQ0UsZUFBZSxFQUFFLElBQUk7b0JBQ3JCLE9BQU8sRUFBRSxJQUFJO29CQUNiLG1CQUFtQixFQUFFLENBQUMsVUFBVSxDQUFDLEtBQUssQ0FBQyxRQUFRLENBQUM7b0JBQ2hELFFBQVEsRUFBRSxrQkFBUSxDQUFDLFFBQVE7aUJBQzVCO2dCQUNILENBQUMsQ0FBQyxTQUFTO1lBRWIsc0JBQXNCLEVBQUU7Z0JBQ3RCLGtCQUFrQixFQUFFLFFBQVEsRUFBRSxvQkFBb0IsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxPQUFPLEVBQUUsa0JBQWtCLElBQUksRUFBRTtnQkFDbEcsaUJBQWlCLEVBQUUsSUFBSTtnQkFDdkIsb0JBQW9CLEVBQUUsUUFBUSxFQUFFLG9CQUFvQjtnQkFDcEQsMkZBQTJGO2dCQUMzRiw4QkFBOEIsRUFBRSxRQUFRLEVBQUUsOEJBQThCLElBQUksSUFBSTtnQkFDaEYsY0FBYyxFQUFFLFFBQVEsRUFBRSxvQkFBb0IsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQyxTQUFTO2dCQUNyRSxxQ0FBcUM7YUFDdEM7WUFFRCxhQUFhLEVBQUU7Z0JBQ2IsNEJBQTRCLEVBQUU7b0JBQzVCLE1BQU0sRUFBRSxhQUFhLEVBQUUsbUJBQW1CO3dCQUN4QyxDQUFDLENBQUM7NEJBQ0Usb0JBQW9CLEVBQUUsTUFBTTt5QkFDN0I7d0JBQ0gsQ0FBQyxDQUFDLFNBQVM7b0JBQ2IsT0FBTyxFQUFFLE9BQU8sQ0FBQyxhQUFhLEVBQUUsbUJBQW1CLENBQUM7aUJBQ3JEO2dCQUVELFdBQVcsRUFBRSxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUU7Z0JBQzlCLGFBQWEsRUFBRSxFQUFFLE9BQU8sRUFBRSxLQUFLLEVBQUU7Z0JBQ2pDLHNCQUFzQixFQUFFLEVBQUUsT0FBTyxFQUFFLEtBQUssRUFBRTtnQkFDMUMsaUJBQWlCLEVBQUU7b0JBQ2pCLE9BQU8sRUFBRSxPQUFPLENBQUMsT0FBTyxFQUFFLHFCQUFxQixDQUFDO29CQUNoRCxNQUFNLEVBQUUsT0FBTyxFQUFFLHFCQUFxQixDQUFDLENBQUMsQ0FBQyxFQUFFLFVBQVUsRUFBRSxPQUFPLENBQUMscUJBQXFCLEVBQUUsQ0FBQyxDQUFDLENBQUMsU0FBUztpQkFDbkc7Z0JBQ0QsK0JBQStCO2dCQUMvQixnREFBZ0Q7Z0JBQ2hELHFDQUFxQztnQkFDckMsVUFBVTtnQkFDViwwQ0FBMEM7Z0JBQzFDLDhEQUE4RDtnQkFDOUQsVUFBVTtnQkFDVixtQkFBbUI7Z0JBQ25CLEtBQUs7Z0JBQ0wsUUFBUSxFQUFFO29CQUNSLE9BQU8sRUFBRSxPQUFPLENBQUMsWUFBWSxFQUFFLEVBQUUsQ0FBQztvQkFDbEMsTUFBTSxFQUFFLFlBQVksRUFBRSxFQUFFO3dCQUN0QixDQUFDLENBQUM7NEJBQ0UsK0JBQStCLEVBQUUsWUFBWSxDQUFDLEVBQUU7eUJBQ2pEO3dCQUNILENBQUMsQ0FBQyxTQUFTO2lCQUNkO2FBQ0Y7WUFFRCxHQUFHLEVBQUU7Z0JBQ0gsSUFBSSxFQUFFLEdBQUcsQ0FBQyxxQkFBcUIsQ0FBQyxJQUFJO2dCQUNwQyxJQUFJLEVBQUUsR0FBRzthQUNWO1lBRUQsWUFBWSxFQUFFO2dCQUNaLGFBQWEsRUFBRSxLQUFLLENBQUMsUUFBUTtnQkFDN0IsR0FBRyxFQUFFLEVBQUUsVUFBVSxFQUFFLENBQUMsRUFBRSxPQUFPLEVBQUUsS0FBSyxDQUFDLFlBQVksRUFBRSxDQUFDLEVBQUU7YUFDdkQ7WUFDRCxjQUFjLEVBQUUsU0FBUztZQUV6Qix5QkFBeUIsRUFBRTtnQkFDekIscUJBQXFCLEVBQUU7b0JBQ3JCLE9BQU8sRUFBRSxRQUFRLEVBQUUsMkJBQTJCLElBQUksS0FBSztpQkFDeEQ7Z0JBQ0QsSUFBSSxFQUFFLEVBQUUsT0FBTyxFQUFFLFFBQVEsRUFBRSxVQUFVLElBQUksS0FBSyxFQUFFO2FBQ2pEO1lBRUQsZ0RBQWdEO1lBQ2hELHlGQUF5RjtZQUN6RixnQ0FBZ0M7WUFDaEMsbUJBQW1CLEVBQUUsaUJBQWlCLEVBQUUsRUFBRTtZQUUxQyx1QkFBdUIsRUFBRTtnQkFDdkIsUUFBUSxFQUFFLEdBQUcsQ0FBQyxRQUFRO2dCQUN0QixNQUFNLEVBQUUsR0FBRyxDQUFDLFlBQVk7YUFDekI7WUFDRCxpQkFBaUIsRUFBRSxFQUFFLE9BQU8sRUFBRSxPQUFPLENBQUMsUUFBUSxFQUFFLHNCQUFzQixDQUFDLEVBQUU7WUFFekUsZUFBZSxFQUFFO2dCQUNmLFFBQVEsRUFBRSxZQUFZLEVBQUUsZUFBZTtvQkFDckMsQ0FBQyxDQUFDO3dCQUNFLCtCQUErQixFQUFFLFlBQVksQ0FBQyxFQUFFO3dCQUNoRCxrQkFBa0IsRUFBRSxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUU7cUJBQ3RDO29CQUNILENBQUMsQ0FBQyxTQUFTO2dCQUNiLFlBQVksRUFBRSxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsYUFBYSxFQUFFLEVBQUUsRUFBRTtnQkFDbEQsZ0JBQWdCLEVBQUU7b0JBQ2hCLE9BQU8sRUFBRSxPQUFPLENBQUMsUUFBUSxFQUFFLHNCQUFzQixDQUFDO2lCQUNuRDthQUNGO1lBRUQsa0JBQWtCLEVBQUUsUUFBUSxFQUFFLGlCQUFpQjtnQkFDN0MsQ0FBQyxDQUFDO29CQUNFLE9BQU8sRUFBRSxRQUFRLENBQUMsaUJBQWlCO29CQUNuQyxxQ0FBcUM7b0JBQ3JDLHlCQUF5QixFQUFFLEtBQUs7aUJBQ2pDO2dCQUNILENBQUMsQ0FBQyxTQUFTO1lBRWIsUUFBUSxFQUFFO2dCQUNSLElBQUksRUFBRSxrQkFBa0IsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDLG9CQUFvQixDQUFDLFlBQVksQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDLG9CQUFvQixDQUFDLGNBQWM7Z0JBQzFHLHNCQUFzQixFQUFFLGtCQUFrQixDQUFDLENBQUMsQ0FBQyxDQUFDLGtCQUFrQixDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsQ0FBQyxTQUFTO2FBQ2pGO1lBRUQsY0FBYyxFQUFFO2dCQUNkLEdBQUcsT0FBTztnQkFDVixXQUFXLEVBQUUsR0FBRyxDQUFDLFdBQVcsQ0FBQyxXQUFXO2dCQUN4QyxhQUFhLEVBQUUsR0FBRyxDQUFDLGFBQWEsQ0FBQyxLQUFLO2dCQUN0QyxhQUFhLEVBQUUsR0FBRyxDQUFDLGFBQWEsQ0FBQyxLQUFLO2dCQUV0QyxlQUFlLEVBQUUsVUFBVTtnQkFDM0IsWUFBWSxFQUFFLE9BQU8sRUFBRSxZQUFZLElBQUksR0FBRyxDQUFDLFlBQVksQ0FBQyxrQkFBa0I7YUFDM0U7U0FDRixFQUNEO1lBQ0UsR0FBRyxJQUFJLENBQUMsSUFBSTtZQUNaLFNBQVMsRUFBRSxHQUFHO1lBQ2QsTUFBTSxFQUFFLElBQUk7U0FDYixDQUNGLENBQUM7SUFDSixDQUFDO0lBRU8saUJBQWlCLENBQUMsR0FBdUI7UUFDL0MsTUFBTSxFQUFFLE9BQU8sRUFBRSxXQUFXLEVBQUUsR0FBRyxJQUFJLENBQUMsSUFBSSxDQUFDO1FBQzNDLElBQUksQ0FBQyxXQUFXO1lBQUUsT0FBTyxTQUFTLENBQUM7UUFFbkMsT0FBTyxJQUFJLEdBQUcsQ0FBQyx3QkFBd0IsQ0FDckMsR0FBRyxJQUFJLENBQUMsSUFBSSwyQkFBMkIsRUFDdkM7WUFDRSxHQUFHLE9BQU87WUFDVixHQUFHLFdBQVc7WUFDZCxVQUFVLEVBQUUsU0FBUztZQUNyQixZQUFZLEVBQUUsR0FBRyxDQUFDLElBQUk7WUFDdEIsVUFBVSxFQUFFLFdBQVcsQ0FBQyxVQUFVLElBQUk7Z0JBQ3BDO29CQUNFLEdBQUcsRUFBRSxHQUFHLENBQUMsT0FBTyxDQUFDLE1BQU07b0JBQ3ZCLFNBQVMsRUFBRSxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUM7aUJBQ25CO2FBQ0Y7U0FDRixFQUNELEVBQUUsU0FBUyxFQUFFLEdBQUcsRUFBRSxtQkFBbUIsRUFBRSxJQUFJLEVBQUUsQ0FDOUMsQ0FBQztJQUNKLENBQUM7SUFFTyxnQkFBZ0IsQ0FBQyxHQUF1QjtRQUM5QyxNQUFNLEVBQUUsT0FBTyxFQUFFLFdBQVcsRUFBRSxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUM7UUFDM0MsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDLEdBQUcsQ0FBQyxRQUFRLEVBQUUsR0FBRyxDQUFDLGVBQWUsQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxRQUFRLEVBQUUsZUFBZSxDQUFDLEVBQUUsRUFBRTtZQUNwRixJQUFJLGVBQWUsRUFBRSxlQUFlLEVBQUUsQ0FBQztnQkFDckMsSUFBSSxDQUFDLGlCQUFpQixDQUFDLGFBQWEsRUFBRSxFQUFFLFdBQVcsRUFBRSxlQUFlLENBQUMsZUFBZ0IsQ0FBQyxRQUFTLEVBQUUsQ0FBQyxDQUFDO2dCQUVuRyxJQUFJLFdBQVcsRUFBRSxDQUFDO29CQUNoQixJQUFJLHFCQUFjLENBQ2hCLEdBQUcsSUFBSSxDQUFDLElBQUksVUFBVSxFQUN0Qjt3QkFDRSxXQUFXLEVBQUUsZUFBZSxDQUFDLGVBQWdCLENBQUMsUUFBUzt3QkFDdkQsYUFBYSxFQUFFLGtCQUFrQjt3QkFDakMsUUFBUSxFQUFFLFVBQVU7d0JBQ3BCLEtBQUssRUFBRSxXQUFXLENBQUMsRUFBRTtxQkFDdEIsRUFDRCxFQUFFLFNBQVMsRUFBRSxHQUFHLEVBQUUsTUFBTSxFQUFFLElBQUksRUFBRSxDQUNqQyxDQUFDO2dCQUNKLENBQUM7WUFDSCxDQUFDO1lBQ0QsSUFBSSxRQUFRLEVBQUUsQ0FBQztnQkFDYixJQUFJLHFCQUFjLENBQ2hCLEdBQUcsSUFBSSxDQUFDLElBQUksZUFBZSxFQUMzQjtvQkFDRSxXQUFXLEVBQUUsUUFBUSxDQUFDLFdBQVk7b0JBQ2xDLGFBQWEsRUFBRSxrQkFBa0I7b0JBQ2pDLFFBQVEsRUFBRSxhQUFhO29CQUN2QixLQUFLLEVBQUUsbUJBQVMsQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFPLENBQUM7aUJBQzNDLEVBQ0QsRUFBRSxTQUFTLEVBQUUsR0FBRyxFQUFFLE1BQU0sRUFBRSxJQUFJLEVBQUUsQ0FDakMsQ0FBQztZQUNKLENBQUM7UUFDSCxDQUFDLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFTyx1QkFBdUIsQ0FBQyxHQUF1QjtRQUNyRCxNQUFNLEVBQUUsT0FBTyxFQUFFLG9CQUFvQixFQUFFLFNBQVMsRUFBRSxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUM7UUFDL0QsSUFBSSxDQUFDLFNBQVM7WUFBRSxPQUFPLFNBQVMsQ0FBQztRQUNqQyxPQUFPLE1BQU0sQ0FBQyxHQUFHLENBQUMsQ0FBQyxHQUFHLENBQUMsSUFBSSxFQUFFLE9BQU8sQ0FBQyxpQkFBaUIsRUFBRSxvQkFBb0IsQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxJQUFJLEVBQUUsTUFBTSxFQUFFLFFBQVEsQ0FBQyxFQUFFLEVBQUU7WUFDaEgsSUFBSSxDQUFDLElBQUk7Z0JBQUUsT0FBTztZQUVsQixNQUFNLFVBQVUsR0FBRyxVQUFVLENBQUMsWUFBWSxDQUFDO2dCQUN6QyxZQUFZLEVBQUUsSUFBSTtnQkFDbEIsaUJBQWlCLEVBQUUsTUFBTTtnQkFDekIsb0JBQW9CLEVBQUUsUUFBUTthQUMvQixDQUFDLENBQUM7WUFFSCxPQUFPLElBQUksbUJBQVcsQ0FDcEIsR0FBRyxJQUFJLENBQUMsSUFBSSxhQUFhLEVBQ3pCO2dCQUNFLFNBQVM7Z0JBQ1QsS0FBSyxFQUFFLFVBQVU7Z0JBQ2pCLFdBQVcsRUFBRSxnQkFBZ0IsSUFBSSxDQUFDLElBQUksYUFBYTthQUNwRCxFQUNELEVBQUUsU0FBUyxFQUFFLEdBQUcsRUFBRSxNQUFNLEVBQUUsSUFBSSxFQUFFLGNBQWMsRUFBRSxJQUFJLEVBQUUsQ0FDdkQsQ0FBQztRQUNKLENBQUMsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztDQUNGO0FBOVRELG9DQThUQyJ9

package/aks/ContainerRegistry.d.ts

@@ -0,0 +1,19 @@
+import * as registry from '@pulumi/azure-native/containerregistry';
+import * as pulumi from '@pulumi/pulumi';
+import { BaseResourceComponent, CommonBaseArgs } from '../base';
+import * as types from '../types';
+export interface ContainerRegistryArgs extends CommonBaseArgs, types.WithEncryptionEnabler, types.WithGroupRolesArgs, types.WithUserAssignedIdentity, Pick<registry.RegistryArgs, 'dataEndpointEnabled' | 'zoneRedundancy'> {
+    sku: registry.SkuName;
+    retentionDaysPolicy?: number;
+    network?: Omit<types.NetworkArgs, 'vnetRules'>;
+}
+export declare class ContainerRegistry extends BaseResourceComponent<ContainerRegistryArgs> {
+    readonly id: pulumi.Output<string>;
+    readonly resourceName: pulumi.Output<string>;
+    constructor(name: string, args: ContainerRegistryArgs, opts?: pulumi.ComponentResourceOptions);
+    getOutputs(): {
+        id: pulumi.Output<string>;
+        resourceName: pulumi.Output<string>;
+    };
+    private createPrivateLink;
+}

package/aks/ContainerRegistry.js

@@ -0,0 +1,119 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ContainerRegistry = void 0;
+const registry = __importStar(require("@pulumi/azure-native/containerregistry"));
+const pulumi = __importStar(require("@pulumi/pulumi"));
+const base_1 = require("../base");
+const PrivateEndpoint_1 = require("../vnet/PrivateEndpoint");
+class ContainerRegistry extends base_1.BaseResourceComponent {
+    id;
+    resourceName;
+    constructor(name, args, opts) {
+        super('ContainerRegistry', name, args, opts);
+        const { rsGroup, enableEncryption, groupRoles, defaultUAssignedId, retentionDaysPolicy, sku, network, ...props } = args;
+        const encryptionKey = enableEncryption ? this.getEncryptionKey() : undefined;
+        const acr = new registry.Registry(name, {
+            ...props,
+            ...rsGroup,
+            sku: { name: sku },
+            adminUserEnabled: false,
+            anonymousPullEnabled: false,
+            //This is for encryption
+            identity: {
+                type: defaultUAssignedId
+                    ? registry.ResourceIdentityType.SystemAssigned_UserAssigned
+                    : registry.ResourceIdentityType.SystemAssigned,
+                userAssignedIdentities: defaultUAssignedId
+                    ? pulumi.output(defaultUAssignedId.id).apply((id) => ({ [id]: defaultUAssignedId }))
+                    : undefined,
+            },
+            encryption: sku === 'Premium' && encryptionKey && defaultUAssignedId
+                ? {
+                    keyVaultProperties: {
+                        identity: defaultUAssignedId.clientId,
+                        keyIdentifier: encryptionKey.urlWithoutVersion,
+                    },
+                }
+                : undefined,
+            policies: sku === 'Premium'
+                ? {
+                    exportPolicy: {
+                        status: registry.ExportPolicyStatus.Disabled,
+                    },
+                    quarantinePolicy: { status: registry.PolicyStatus.Enabled },
+                    retentionPolicy: {
+                        days: retentionDaysPolicy ?? 90,
+                        status: registry.PolicyStatus.Enabled,
+                    },
+                    trustPolicy: {
+                        status: registry.PolicyStatus.Enabled,
+                        type: registry.TrustPolicyType.Notary,
+                    },
+                }
+                : undefined,
+            publicNetworkAccess: network?.publicNetworkAccess ? 'Enabled' : network?.privateLink ? 'Disabled' : 'Enabled',
+            networkRuleBypassOptions: network?.bypass,
+            networkRuleSet: sku === 'Premium' && network
+                ? {
+                    defaultAction: network.defaultAction ?? registry.DefaultAction.Allow,
+                    ipRules: network.ipRules
+                        ? pulumi.output(network.ipRules).apply((ips) => ips.map((ip) => ({
+                            iPAddressOrRange: ip,
+                        })))
+                        : undefined,
+                }
+                : undefined,
+        }, { ...opts, parent: this });
+        this.createPrivateLink(acr);
+        this.id = acr.id;
+        this.resourceName = acr.name;
+        this.registerOutputs();
+    }
+    getOutputs() {
+        return {
+            id: this.id,
+            resourceName: this.resourceName,
+        };
+    }
+    createPrivateLink(acr) {
+        const { rsGroup, network } = this.args;
+        if (!network?.privateLink)
+            return;
+        return new PrivateEndpoint_1.PrivateEndpoint(this.name, { ...network.privateLink, resourceInfo: acr, rsGroup, type: 'azurecr' }, { dependsOn: acr, parent: this });
+    }
+}
+exports.ContainerRegistry = ContainerRegistry;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiQ29udGFpbmVyUmVnaXN0cnkuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvYWtzL0NvbnRhaW5lclJlZ2lzdHJ5LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLGlGQUFtRTtBQUNuRSx1REFBeUM7QUFDekMsa0NBQWdFO0FBRWhFLDZEQUEwRDtBQWExRCxNQUFhLGlCQUFrQixTQUFRLDRCQUE0QztJQUNqRSxFQUFFLENBQXdCO0lBQzFCLFlBQVksQ0FBd0I7SUFFcEQsWUFBWSxJQUFZLEVBQUUsSUFBMkIsRUFBRSxJQUFzQztRQUMzRixLQUFLLENBQUMsbUJBQW1CLEVBQUUsSUFBSSxFQUFFLElBQUksRUFBRSxJQUFJLENBQUMsQ0FBQztRQUU3QyxNQUFNLEVBQUUsT0FBTyxFQUFFLGdCQUFnQixFQUFFLFVBQVUsRUFBRSxrQkFBa0IsRUFBRSxtQkFBbUIsRUFBRSxHQUFHLEVBQUUsT0FBTyxFQUFFLEdBQUcsS0FBSyxFQUFFLEdBQzlHLElBQUksQ0FBQztRQUNQLE1BQU0sYUFBYSxHQUFHLGdCQUFnQixDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDO1FBRTdFLE1BQU0sR0FBRyxHQUFHLElBQUksUUFBUSxDQUFDLFFBQVEsQ0FDL0IsSUFBSSxFQUNKO1lBQ0UsR0FBRyxLQUFLO1lBQ1IsR0FBRyxPQUFPO1lBRVYsR0FBRyxFQUFFLEVBQUUsSUFBSSxFQUFFLEdBQUcsRUFBRTtZQUNsQixnQkFBZ0IsRUFBRSxLQUFLO1lBQ3ZCLG9CQUFvQixFQUFFLEtBQUs7WUFFM0Isd0JBQXdCO1lBQ3hCLFFBQVEsRUFBRTtnQkFDUixJQUFJLEVBQUUsa0JBQWtCO29CQUN0QixDQUFDLENBQUMsUUFBUSxDQUFDLG9CQUFvQixDQUFDLDJCQUEyQjtvQkFDM0QsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxvQkFBb0IsQ0FBQyxjQUFjO2dCQUVoRCxzQkFBc0IsRUFBRSxrQkFBa0I7b0JBQ3hDLENBQUMsQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLGtCQUFrQixDQUFDLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsRUFBRSxFQUFFLENBQUMsQ0FBQyxFQUFFLENBQUMsRUFBRSxDQUFDLEVBQUUsa0JBQWtCLEVBQUUsQ0FBQyxDQUFDO29CQUNwRixDQUFDLENBQUMsU0FBUzthQUNkO1lBRUQsVUFBVSxFQUNSLEdBQUcsS0FBSyxTQUFTLElBQUksYUFBYSxJQUFJLGtCQUFrQjtnQkFDdEQsQ0FBQyxDQUFDO29CQUNFLGtCQUFrQixFQUFFO3dCQUNsQixRQUFRLEVBQUUsa0JBQWtCLENBQUMsUUFBUTt3QkFDckMsYUFBYSxFQUFFLGFBQWEsQ0FBQyxpQkFBaUI7cUJBQy9DO2lCQUNGO2dCQUNILENBQUMsQ0FBQyxTQUFTO1lBRWYsUUFBUSxFQUNOLEdBQUcsS0FBSyxTQUFTO2dCQUNmLENBQUMsQ0FBQztvQkFDRSxZQUFZLEVBQUU7d0JBQ1osTUFBTSxFQUFFLFFBQVEsQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRO3FCQUM3QztvQkFDRCxnQkFBZ0IsRUFBRSxFQUFFLE1BQU0sRUFBRSxRQUFRLENBQUMsWUFBWSxDQUFDLE9BQU8sRUFBRTtvQkFDM0QsZUFBZSxFQUFFO3dCQUNmLElBQUksRUFBRSxtQkFBbUIsSUFBSSxFQUFFO3dCQUMvQixNQUFNLEVBQUUsUUFBUSxDQUFDLFlBQVksQ0FBQyxPQUFPO3FCQUN0QztvQkFDRCxXQUFXLEVBQUU7d0JBQ1gsTUFBTSxFQUFFLFFBQVEsQ0FBQyxZQUFZLENBQUMsT0FBTzt3QkFDckMsSUFBSSxFQUFFLFFBQVEsQ0FBQyxlQUFlLENBQUMsTUFBTTtxQkFDdEM7aUJBQ0Y7Z0JBQ0gsQ0FBQyxDQUFDLFNBQVM7WUFFZixtQkFBbUIsRUFBRSxPQUFPLEVBQUUsbUJBQW1CLENBQUMsQ0FBQyxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsT0FBTyxFQUFFLFdBQVcsQ0FBQyxDQUFDLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQyxTQUFTO1lBQzdHLHdCQUF3QixFQUFFLE9BQU8sRUFBRSxNQUFNO1lBRXpDLGNBQWMsRUFDWixHQUFHLEtBQUssU0FBUyxJQUFJLE9BQU87Z0JBQzFCLENBQUMsQ0FBQztvQkFDRSxhQUFhLEVBQUUsT0FBTyxDQUFDLGFBQWEsSUFBSSxRQUFRLENBQUMsYUFBYSxDQUFDLEtBQUs7b0JBQ3BFLE9BQU8sRUFBRSxPQUFPLENBQUMsT0FBTzt3QkFDdEIsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxNQUFNLENBQUMsT0FBTyxDQUFDLE9BQU8sQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLEdBQUcsRUFBRSxFQUFFLENBQzNDLEdBQUcsQ0FBQyxHQUFHLENBQUMsQ0FBQyxFQUFFLEVBQUUsRUFBRSxDQUFDLENBQUM7NEJBQ2YsZ0JBQWdCLEVBQUUsRUFBRTt5QkFDckIsQ0FBQyxDQUFDLENBQ0o7d0JBQ0gsQ0FBQyxDQUFDLFNBQVM7aUJBQ2Q7Z0JBQ0gsQ0FBQyxDQUFDLFNBQVM7U0FDaEIsRUFDRCxFQUFFLEdBQUcsSUFBSSxFQUFFLE1BQU0sRUFBRSxJQUFJLEVBQUUsQ0FDMUIsQ0FBQztRQUVGLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUU1QixJQUFJLENBQUMsRUFBRSxHQUFHLEdBQUcsQ0FBQyxFQUFFLENBQUM7UUFDakIsSUFBSSxDQUFDLFlBQVksR0FBRyxHQUFHLENBQUMsSUFBSSxDQUFDO1FBRTdCLElBQUksQ0FBQyxlQUFlLEVBQUUsQ0FBQztJQUN6QixDQUFDO0lBRU0sVUFBVTtRQUNmLE9BQU87WUFDTCxFQUFFLEVBQUUsSUFBSSxDQUFDLEVBQUU7WUFDWCxZQUFZLEVBQUUsSUFBSSxDQUFDLFlBQVk7U0FDaEMsQ0FBQztJQUNKLENBQUM7SUFFTyxpQkFBaUIsQ0FBQyxHQUFzQjtRQUM5QyxNQUFNLEVBQUUsT0FBTyxFQUFFLE9BQU8sRUFBRSxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUM7UUFDdkMsSUFBSSxDQUFDLE9BQU8sRUFBRSxXQUFXO1lBQUUsT0FBTztRQUVsQyxPQUFPLElBQUksaUNBQWUsQ0FDeEIsSUFBSSxDQUFDLElBQUksRUFDVCxFQUFFLEdBQUcsT0FBTyxDQUFDLFdBQVcsRUFBRSxZQUFZLEVBQUUsR0FBRyxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsU0FBUyxFQUFFLEVBQ3ZFLEVBQUUsU0FBUyxFQUFFLEdBQUcsRUFBRSxNQUFNLEVBQUUsSUFBSSxFQUFFLENBQ2pDLENBQUM7SUFDSixDQUFDO0NBQ0Y7QUF6R0QsOENBeUdDIn0=

package/aks/helpers.d.ts

@@ -0,0 +1,6 @@
+export declare const aksRequiredOutboundPorts: string[];
+export declare const getAksConfig: ({ resourceName, resourceGroupName, disableLocalAccounts, }: {
+    resourceName: string;
+    resourceGroupName: string;
+    disableLocalAccounts?: boolean;
+}) => Promise<string>;