juazasan/private-AKS.cli

## private-AKS.cli

# connectivity subscription

az group create --name subscription-connectivity --location eastus

az network private-dns zone create -g subscription-connectivity \
   -n privatelink.eastus.azmk8s.io

AKS_PRIVATE_DNS_ZONE_ID=$(az network private-dns zone show -g subscription-connectivity \
   -n privatelink.eastus.azmk8s.io --query id -o tsv)

# landing zone

LZ_NAME=lz1

VNET_RG_NAME=subscription-$LZ_NAME-vnet

az group create --name $VNET_RG_NAME --location eastus

az network vnet create \
  --name vnet-$LZ_NAME  \
  --resource-group $VNET_RG_NAME \
  --location eastus \
  --address-prefix 10.1.0.0/22 \
  --subnet-name aks \
  --subnet-prefixes 10.1.0.0/22

LZ_VNET_ID=$(az network vnet show --resource-group $VNET_RG_NAME --name vnet-$LZ_NAME --query id -o tsv)
LZ_SUBNET_ID=$(az network vnet subnet show --resource-group $VNET_RG_NAME --name aks --vnet-name vnet-$LZ_NAME --query id -o tsv)

az network private-dns link vnet create -g subscription-connectivity -n link-aksdnszone-$LZ_NAME \
   -z privatelink.eastus.azmk8s.io -v $LZ_VNET_ID -e false

# AKS

AKS_RG_NAME=subscription-$LZ_NAME-aks

az group create --name $AKS_RG_NAME --location eastus

# Control Panel Identity
az identity create --name msi-controlplane-aks-$LZ_NAME --resource-group $AKS_RG_NAME

MSI_CONTROL_PLANE_ID=$(az identity show --name msi-controlplane-aks-$LZ_NAME --resource-group $AKS_RG_NAME --query id -o tsv)

MSI_CONTROL_PLANE_OBJECTID=$(az identity show --name msi-controlplane-aks-$LZ_NAME --resource-group $AKS_RG_NAME --query principalId -o tsv)

az role assignment create --assignee-object-id $MSI_CONTROL_PLANE_OBJECTID --role "Network Contributor" --scope $LZ_VNET_ID --assignee-principal-type ServicePrincipal
az role assignment create --assignee-object-id $MSI_CONTROL_PLANE_OBJECTID --role "private dns zone contributor" --scope $AKS_PRIVATE_DNS_ZONE_ID --assignee-principal-type ServicePrincipal

# Kubelet Identity
az identity create --name msi-kubelet-aks-$LZ_NAME --resource-group $AKS_RG_NAME

MSI_KUBELET_ID=$(az identity show --name msi-kubelet-aks-$LZ_NAME --resource-group $AKS_RG_NAME --query id -o tsv)

# Custom Private DNS Zone name could be in formats "privatelink.<region>.azmk8s.io" or "<subzone>.privatelink.<region>.azmk8s.io"
az aks create -n aks-$LZ_NAME-01 -g $AKS_RG_NAME \
    --load-balancer-sku standard \
    --enable-private-cluster \
    --vnet-subnet-id $LZ_SUBNET_ID \
    --enable-managed-identity \
    --assign-identity $MSI_CONTROL_PLANE_ID \
    --assign-kubelet-identity $MSI_KUBELET_ID \
    --private-dns-zone $AKS_PRIVATE_DNS_ZONE_ID \
    --disable-public-fqdn --node-count 1

##  --fqdn-subdomain $LZ_NAME \

# landing zone 2

LZ_NAME=lz2

VNET_RG_NAME=subscription-$LZ_NAME-vnet

az group create --name $VNET_RG_NAME --location eastus

az network vnet create \
  --name vnet-$LZ_NAME  \
  --resource-group $VNET_RG_NAME \
  --location eastus \
  --address-prefix 10.2.0.0/22 \
  --subnet-name aks \
  --subnet-prefixes 10.2.0.0/22

LZ_VNET_ID=$(az network vnet show --resource-group $VNET_RG_NAME --name vnet-$LZ_NAME --query id -o tsv)
LZ_SUBNET_ID=$(az network vnet subnet show --resource-group $VNET_RG_NAME --name aks --vnet-name vnet-$LZ_NAME --query id -o tsv)

az network private-dns link vnet create -g subscription-connectivity -n link-aksdnszone-$LZ_NAME \
   -z privatelink.eastus.azmk8s.io -v $LZ_VNET_ID -e false

# AKS

AKS_RG_NAME=subscription-$LZ_NAME-aks

az group create --name $AKS_RG_NAME --location eastus

# Control Panel Identity
az identity create --name msi-controlplane-aks-$LZ_NAME --resource-group $AKS_RG_NAME

MSI_CONTROL_PLANE_ID=$(az identity show --name msi-controlplane-aks-$LZ_NAME --resource-group $AKS_RG_NAME --query id -o tsv)

MSI_CONTROL_PLANE_OBJECTID=$(az identity show --name msi-controlplane-aks-$LZ_NAME --resource-group $AKS_RG_NAME --query principalId -o tsv)

az role assignment create --assignee-object-id $MSI_CONTROL_PLANE_OBJECTID --role "Network Contributor" --scope $LZ_VNET_ID --assignee-principal-type ServicePrincipal
az role assignment create --assignee-object-id $MSI_CONTROL_PLANE_OBJECTID --role "private dns zone contributor" --scope $AKS_PRIVATE_DNS_ZONE_ID --assignee-principal-type ServicePrincipal

# Kubelet Identity
az identity create --name msi-kubelet-aks-$LZ_NAME --resource-group $AKS_RG_NAME

MSI_KUBELET_ID=$(az identity show --name msi-kubelet-aks-$LZ_NAME --resource-group $AKS_RG_NAME --query id -o tsv)

# Custom Private DNS Zone name could be in formats "privatelink.<region>.azmk8s.io" or "<subzone>.privatelink.<region>.azmk8s.io"
az aks create -n aks-$LZ_NAME-01 -g $AKS_RG_NAME \
    --load-balancer-sku standard \
    --enable-private-cluster \
    --vnet-subnet-id $LZ_SUBNET_ID \
    --enable-managed-identity \
    --assign-identity $MSI_CONTROL_PLANE_ID \
    --assign-kubelet-identity $MSI_KUBELET_ID \
    --private-dns-zone $AKS_PRIVATE_DNS_ZONE_ID \
    --disable-public-fqdn --node-count 1

	# connectivity subscription

	az group create --name subscription-connectivity --location eastus

	az network private-dns zone create -g subscription-connectivity \
	-n privatelink.eastus.azmk8s.io

	AKS_PRIVATE_DNS_ZONE_ID=$(az network private-dns zone show -g subscription-connectivity \
	-n privatelink.eastus.azmk8s.io --query id -o tsv)

	# landing zone

	LZ_NAME=lz1

	VNET_RG_NAME=subscription-$LZ_NAME-vnet

	az group create --name $VNET_RG_NAME --location eastus

	az network vnet create \
	--name vnet-$LZ_NAME \
	--resource-group $VNET_RG_NAME \
	--location eastus \
	--address-prefix 10.1.0.0/22 \
	--subnet-name aks \
	--subnet-prefixes 10.1.0.0/22

	LZ_VNET_ID=$(az network vnet show --resource-group $VNET_RG_NAME --name vnet-$LZ_NAME --query id -o tsv)
	LZ_SUBNET_ID=$(az network vnet subnet show --resource-group $VNET_RG_NAME --name aks --vnet-name vnet-$LZ_NAME --query id -o tsv)

	az network private-dns link vnet create -g subscription-connectivity -n link-aksdnszone-$LZ_NAME \
	-z privatelink.eastus.azmk8s.io -v $LZ_VNET_ID -e false

	# AKS

	AKS_RG_NAME=subscription-$LZ_NAME-aks

	az group create --name $AKS_RG_NAME --location eastus

	# Control Panel Identity
	az identity create --name msi-controlplane-aks-$LZ_NAME --resource-group $AKS_RG_NAME

	MSI_CONTROL_PLANE_ID=$(az identity show --name msi-controlplane-aks-$LZ_NAME --resource-group $AKS_RG_NAME --query id -o tsv)

	MSI_CONTROL_PLANE_OBJECTID=$(az identity show --name msi-controlplane-aks-$LZ_NAME --resource-group $AKS_RG_NAME --query principalId -o tsv)

	az role assignment create --assignee-object-id $MSI_CONTROL_PLANE_OBJECTID --role "Network Contributor" --scope $LZ_VNET_ID --assignee-principal-type ServicePrincipal
	az role assignment create --assignee-object-id $MSI_CONTROL_PLANE_OBJECTID --role "private dns zone contributor" --scope $AKS_PRIVATE_DNS_ZONE_ID --assignee-principal-type ServicePrincipal

	# Kubelet Identity
	az identity create --name msi-kubelet-aks-$LZ_NAME --resource-group $AKS_RG_NAME

	MSI_KUBELET_ID=$(az identity show --name msi-kubelet-aks-$LZ_NAME --resource-group $AKS_RG_NAME --query id -o tsv)

	# Custom Private DNS Zone name could be in formats "privatelink.<region>.azmk8s.io" or "<subzone>.privatelink.<region>.azmk8s.io"
	az aks create -n aks-$LZ_NAME-01 -g $AKS_RG_NAME \
	--load-balancer-sku standard \
	--enable-private-cluster \
	--vnet-subnet-id $LZ_SUBNET_ID \
	--enable-managed-identity \
	--assign-identity $MSI_CONTROL_PLANE_ID \
	--assign-kubelet-identity $MSI_KUBELET_ID \
	--private-dns-zone $AKS_PRIVATE_DNS_ZONE_ID \
	--disable-public-fqdn --node-count 1

	## --fqdn-subdomain $LZ_NAME \

	# landing zone 2

	LZ_NAME=lz2

	VNET_RG_NAME=subscription-$LZ_NAME-vnet

	az group create --name $VNET_RG_NAME --location eastus

	az network vnet create \
	--name vnet-$LZ_NAME \
	--resource-group $VNET_RG_NAME \
	--location eastus \
	--address-prefix 10.2.0.0/22 \
	--subnet-name aks \
	--subnet-prefixes 10.2.0.0/22

	LZ_VNET_ID=$(az network vnet show --resource-group $VNET_RG_NAME --name vnet-$LZ_NAME --query id -o tsv)
	LZ_SUBNET_ID=$(az network vnet subnet show --resource-group $VNET_RG_NAME --name aks --vnet-name vnet-$LZ_NAME --query id -o tsv)

	az network private-dns link vnet create -g subscription-connectivity -n link-aksdnszone-$LZ_NAME \
	-z privatelink.eastus.azmk8s.io -v $LZ_VNET_ID -e false

	# AKS

	AKS_RG_NAME=subscription-$LZ_NAME-aks

	az group create --name $AKS_RG_NAME --location eastus

	# Control Panel Identity
	az identity create --name msi-controlplane-aks-$LZ_NAME --resource-group $AKS_RG_NAME

	MSI_CONTROL_PLANE_ID=$(az identity show --name msi-controlplane-aks-$LZ_NAME --resource-group $AKS_RG_NAME --query id -o tsv)

	MSI_CONTROL_PLANE_OBJECTID=$(az identity show --name msi-controlplane-aks-$LZ_NAME --resource-group $AKS_RG_NAME --query principalId -o tsv)

	az role assignment create --assignee-object-id $MSI_CONTROL_PLANE_OBJECTID --role "Network Contributor" --scope $LZ_VNET_ID --assignee-principal-type ServicePrincipal
	az role assignment create --assignee-object-id $MSI_CONTROL_PLANE_OBJECTID --role "private dns zone contributor" --scope $AKS_PRIVATE_DNS_ZONE_ID --assignee-principal-type ServicePrincipal

	# Kubelet Identity
	az identity create --name msi-kubelet-aks-$LZ_NAME --resource-group $AKS_RG_NAME

	MSI_KUBELET_ID=$(az identity show --name msi-kubelet-aks-$LZ_NAME --resource-group $AKS_RG_NAME --query id -o tsv)

	# Custom Private DNS Zone name could be in formats "privatelink.<region>.azmk8s.io" or "<subzone>.privatelink.<region>.azmk8s.io"
	az aks create -n aks-$LZ_NAME-01 -g $AKS_RG_NAME \
	--load-balancer-sku standard \
	--enable-private-cluster \
	--vnet-subnet-id $LZ_SUBNET_ID \
	--enable-managed-identity \
	--assign-identity $MSI_CONTROL_PLANE_ID \
	--assign-kubelet-identity $MSI_KUBELET_ID \
	--private-dns-zone $AKS_PRIVATE_DNS_ZONE_ID \
	--disable-public-fqdn --node-count 1