add template for multi-tetant for multiple clusters support

Author: wanlonghenry

scripts/onboarding/aks/multi-tenancy-multiclusters/README.md

@@ -0,0 +1,85 @@
+# Multi-Tenant Container Insights Setup with Shared DCR/DCE
+
+This guide explains how to set up Container Insights monitoring for multiple AKS clusters using a shared Data Collection Rule (DCR) and Data Collection Endpoint (DCE).
+
+## Setup Process
+
+### 1. Deploy Shared DCR and DCE
+
+First, deploy the shared DCR and DCE using the `existingClusterOnboarding.json` template. This creates the core monitoring infrastructure that will be shared across multiple clusters.
+
+```bash
+az deployment group create \
+  --name shared-monitoring-setup \
+  --resource-group <resource-group-name> \
+  --template-file existingClusterOnboarding.json \
+  --parameters existingClusterParam.json 
+```
+After deployment, note the DCR ID from the output. You'll need this to connect clusters.
+
+### 2. Connect AKS Clusters to the Shared DCR
+
+After deploying the DCR/DCE setup, you'll need to connect your AKS clusters. Below are simple commands to connect multiple clusters:
+
+#### For Multiple Clusters (Bash)
+
+```bash
+# Store the DCR ID
+DCR_ID="/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Insights/dataCollectionRules/<dcr-name>"
+
+# If using private link, store the Config DCE ID
+CONFIG_DCE_ID="/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Insights/dataCollectionEndpoints/<dce-name>"
+
+# Loop through your clusters
+for cluster in \
+  "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ContainerService/managedClusters/<cluster1-name>" \
+  "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ContainerService/managedClusters/<cluster2-name>"; do
+  echo "Connecting cluster: $cluster"
+  
+  # Create DCR association
+  az monitor data-collection rule association create \
+    --name "aks-dcr-association" \
+    --rule-id "$DCR_ID" \
+    --resource "$cluster"
+
+  # If using private link, create Config DCE association
+  if [ ! -z "$CONFIG_DCE_ID" ]; then
+    az monitor data-collection rule association create \
+      --name "configurationAccessEndpoint" \
+      --endpoint-id "$CONFIG_DCE_ID" \
+      --resource "$cluster"
+  fi
+done
+```
+
+### Notes
+
+1. The shared DCR/DCE setup needs to be done only once. After that, you can connect multiple clusters to the same DCR.
+
+2. Each cluster needs:
+   - DCR Association (always required)
+   - Config DCE Association (only required when using private link)
+
+3. Parameters explanation:
+   - `subscriptionId`: The subscription where DCR/DCE will be created
+   - `resourceGroupName`: Resource group for DCR/DCE resources
+   - `location`: Location for the config DCE (only used with private link)
+   - `workspaceRegion`: Region of the Log Analytics workspace
+   - `workspaceResourceId`: Full resource ID of the Log Analytics workspace
+   - `k8sNamespaces`: Array of Kubernetes namespaces to collect logs from
+   - `transformKql`: Optional KQL query for log transformation
+   - `useAzureMonitorPrivateLinkScope`: Whether to use private link scope
+   - `azureMonitorPrivateLinkScopeResourceId`: Resource ID of private link scope (if used)
+   - `resourceTagValues`: Tags to apply to the created resources
+
+4. To list existing DCRAs for a cluster:
+```bash
+az monitor data-collection rule association list --resource "<aks-cluster-resource-id>"
+```
+
+5. To remove a DCRA:
+```bash
+az monitor data-collection rule association delete \
+  --name "aks-dcr-association" \
+  --resource "<aks-cluster-resource-id>"
+```

scripts/onboarding/aks/multi-tenancy-multiclusters/existingClusterOnboarding.json

@@ -0,0 +1,281 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "resourceGroupName": {
+            "type": "string",
+            "metadata": {
+                "description": "Resource group where DCR and DCE will be created"
+            }
+        },
+        "location": {
+            "type": "string",
+            "metadata": {
+                "description": "Location for the config DCE"
+            }
+        },
+        "subscriptionId": {
+            "type": "string",
+            "metadata": {
+                "description": "Subscription ID where DCR and DCE will be created"
+            }
+        },
+        "workspaceRegion": {
+            "type": "string",
+            "metadata": {
+                "description": "Workspace Region for data collection rule"
+            }
+        },
+        "workspaceResourceId": {
+            "type": "string",
+            "metadata": {
+                "description": "Full Resource ID of the log analytics workspace that will be used for data destination. For example /subscriptions/00000000-0000-0000-0000-0000-00000000/resourceGroups/ResourceGroupName/providers/Microsoft.operationalinsights/workspaces/ws_xyz"
+            }
+        },
+        "resourceTagValues": {
+            "type": "object",
+            "metadata": {
+                "description": "Tags to use on ContainerInsights and DataCollectionRule Resources"
+            }
+        },
+        "k8sNamespaces": {
+            "type": "array",
+            "metadata": {
+                "description": "An array of Kubernetes namespaces for Multi-tenancy logs filtering"
+            }
+        },
+        "transformKql": {
+            "type": "string",
+            "metadata": {
+                "description": "KQL filter for ingestion transformation"
+            }
+        },
+        "useAzureMonitorPrivateLinkScope": {
+            "type": "bool",
+            "metadata": {
+                "description": "Flag to indicate if Azure Monitor Private Link Scope should be used or not"
+            }
+        },
+        "azureMonitorPrivateLinkScopeResourceId": {
+            "type": "string",
+            "metadata": {
+                "description": "Specify the Resource Id of the Azure Monitor Private Link Scope."
+            }
+        }
+    },
+    "variables": {
+        "workspaceName": "[split(parameters('workspaceResourceId'),'/')[8]]",
+        "workspaceLocation": "[replace(parameters('workspaceRegion'),' ', '')]",
+        "dcrNameFull": "[Concat('MSCI-multi-tenancy-shared', '-', variables('workspaceLocation'), '-', uniqueString(parameters('workspaceResourceId')))]",
+        "dcrName": "[if(greater(length(variables('dcrNameFull')), 64), substring(variables('dcrNameFull'), 0, 64), variables('dcrNameFull'))]",
+        "ingestionDCENameFull": "[Concat('MSCI-multi-tenancy-shared', '-', variables('workspaceLocation'), '-', uniqueString(parameters('workspaceResourceId')))]",
+        "ingestionDCEName": "[if(greater(length(variables('ingestionDCENameFull')), 43), substring(variables('ingestionDCENameFull'), 0, 43), variables('ingestionDCENameFull'))]",
+        "ingestionDCE": "[if(endsWith(variables('ingestionDCEName'), '-'), substring(variables('ingestionDCEName'), 0, 42), variables('ingestionDCEName'))]",
+        "ingestionDataCollectionEndpointId": "[resourceId(parameters('subscriptionId'), parameters('resourceGroupName'), 'Microsoft.Insights/dataCollectionEndpoints', variables('ingestionDCE'))]",
+        "configDCENameFull": "[Concat('MSCI-config-shared', '-', parameters('location'), '-', uniqueString(parameters('workspaceResourceId')))]",
+        "configDCEName": "[if(greater(length(variables('configDCENameFull')), 43), substring(variables('configDCENameFull'), 0, 43), variables('configDCENameFull'))]",
+        "configDCE": "[if(endsWith(variables('configDCEName'), '-'), substring(variables('configDCEName'), 0, 42), variables('configDCEName'))]",
+        "configDataCollectionEndpointId": "[resourceId(parameters('subscriptionId'), parameters('resourceGroupName'), 'Microsoft.Insights/dataCollectionEndpoints', variables('configDCE'))]",
+        "dataCollectionRuleId": "[resourceId(parameters('subscriptionId'), parameters('resourceGroupName'), 'Microsoft.Insights/dataCollectionRules', variables('dcrName'))]",
+        "privateLinkScopeName": "[split(parameters('azureMonitorPrivateLinkScopeResourceId'),'/')[8]]",
+        "privateLinkScopeResourceGroup": "[split(parameters('azureMonitorPrivateLinkScopeResourceId'),'/')[4]]",
+        "privateLinkScopeSubscriptionId": "[split(parameters('azureMonitorPrivateLinkScopeResourceId'),'/')[2]]"
+    },
+    "resources": [
+        {
+            "condition": "[parameters('useAzureMonitorPrivateLinkScope')]",
+            "type": "Microsoft.Insights/dataCollectionEndpoints",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('configDCE')]",
+            "location": "[parameters('location')]",
+            "tags": "[parameters('resourceTagValues')]",
+            "kind": "Linux",
+            "properties": {
+                "networkAcls": {
+                    "publicNetworkAccess": "[if(parameters('useAzureMonitorPrivateLinkScope'), 'Disabled', 'Enabled')]"
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Insights/dataCollectionEndpoints",
+            "apiVersion": "2023-03-11",
+            "name": "[variables('ingestionDCE')]",
+            "location": "[variables('workspaceLocation')]",
+            "tags": "[parameters('resourceTagValues')]",
+            "kind": "Linux",
+            "properties": {
+                "networkAcls": {
+                    "publicNetworkAccess": "[if(parameters('useAzureMonitorPrivateLinkScope'), 'Disabled', 'Enabled')]"
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Resources/deployments",
+            "name": "[Concat('shared-monitoring-dcr', '-',  uniqueString(variables('dcrName')))]",
+            "apiVersion": "2017-05-10",
+            "subscriptionId": "[parameters('subscriptionId')]",
+            "resourceGroup": "[parameters('resourceGroupName')]",
+            "dependsOn": [
+                "[variables('ingestionDCE')]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {},
+                    "variables": {},
+                    "resources": [
+                        {
+                            "type": "Microsoft.Insights/dataCollectionRules",
+                            "apiVersion": "2023-03-11",
+                            "name": "[variables('dcrName')]",
+                            "location": "[parameters('workspaceRegion')]",
+                            "tags": "[parameters('resourceTagValues')]",
+                            "kind": "Linux",
+                            "properties": {
+                                "dataSources": {
+                                    "extensions": [
+                                        {
+                                            "name": "ContainerLogV2Extension",
+                                            "streams": [
+                                                "Microsoft-ContainerLogV2-HighScale"
+                                            ],
+                                            "extensionSettings": {
+                                                "dataCollectionSettings": {
+                                                    "namespaces": "[parameters('k8sNamespaces')]"
+                                                }
+                                            },
+                                            "extensionName": "ContainerLogV2Extension"
+                                        }
+                                    ]
+                                },
+                                "destinations": {
+                                    "logAnalytics": [
+                                        {
+                                            "workspaceResourceId": "[parameters('workspaceResourceId')]",
+                                            "name": "ciworkspace"
+                                        }
+                                    ]
+                                },
+                                "dataFlows": [
+                                    {
+                                        "streams": [
+                                            "Microsoft-ContainerLogV2-HighScale"
+                                        ],
+                                        "destinations": [
+                                            "ciworkspace"
+                                        ],
+                                        "transformKql": "[if(empty(parameters('transformKql')), json('null'), parameters('transformKql'))]"
+                                    }
+                                ],
+                                "dataCollectionEndpointId": "[variables('ingestionDataCollectionEndpointId')]"
+                            }
+                        }
+                    ]
+                },
+                "parameters": {}
+            }
+        },
+        {
+            "condition": "[parameters('useAzureMonitorPrivateLinkScope')]",
+            "type": "Microsoft.Resources/deployments",
+            "name": "[Concat('shared-monitoring-ampls-scope-config', '-',  uniqueString(parameters('workspaceResourceId')))]",
+            "apiVersion": "2017-05-10",
+            "subscriptionId": "[variables('privateLinkScopeSubscriptionId')]",
+            "resourceGroup": "[variables('privateLinkScopeResourceGroup')]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Insights/dataCollectionEndpoints/', variables('configDCE'))]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {},
+                    "variables": {},
+                    "resources": [
+                        {
+                            "type": "microsoft.insights/privatelinkscopes/scopedresources",
+                            "name": "[concat(variables('privateLinkScopeName'), '/', concat(variables('configDCE'), '-connection'))]",
+                            "apiVersion": "2021-07-01-preview",
+                            "properties": {
+                                "linkedResourceId": "[variables('configDataCollectionEndpointId')]"
+                            }
+                        }
+                    ]
+                },
+                "parameters": {}
+            }
+        },
+        {
+            "condition": "[parameters('useAzureMonitorPrivateLinkScope')]",
+            "type": "Microsoft.Resources/deployments",
+            "name": "[Concat('shared-monitoring-ampls-scope-ingest', '-',  uniqueString(parameters('workspaceResourceId')))]",
+            "apiVersion": "2017-05-10",
+            "subscriptionId": "[variables('privateLinkScopeSubscriptionId')]",
+            "resourceGroup": "[variables('privateLinkScopeResourceGroup')]",
+            "dependsOn": [
+                "[resourceId('Microsoft.Insights/dataCollectionEndpoints/', variables('ingestionDCE'))]"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {},
+                    "variables": {},
+                    "resources": [
+                        {
+                            "type": "microsoft.insights/privatelinkscopes/scopedresources",
+                            "name": "[concat(variables('privateLinkScopeName'), '/', concat(variables('ingestionDCE'), '-connection'))]",
+                            "apiVersion": "2021-07-01-preview",
+                            "properties": {
+                                "linkedResourceId": "[variables('ingestionDataCollectionEndpointId')]"
+                            }
+                        }
+                    ]
+                },
+                "parameters": {}
+            }
+        },
+        {
+            "condition": "[parameters('useAzureMonitorPrivateLinkScope')]",
+            "type": "Microsoft.Resources/deployments",
+            "name": "[Concat('shared-monitoring-ampls-scope', '-',  uniqueString(parameters('workspaceResourceId')))]",
+            "apiVersion": "2017-05-10",
+            "subscriptionId": "[variables('privateLinkScopeSubscriptionId')]",
+            "resourceGroup": "[variables('privateLinkScopeResourceGroup')]",
+            "properties": {
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "parameters": {},
+                    "variables": {},
+                    "resources": [
+                        {
+                            "type": "microsoft.insights/privatelinkscopes/scopedresources",
+                            "name": "[concat(variables('privateLinkScopeName'), '/', concat(variables('workspaceName'), '-connection'))]",
+                            "apiVersion": "2021-07-01-preview",
+                            "properties": {
+                                "linkedResourceId": "[parameters('workspaceResourceId')]"
+                            }
+                        }
+                    ]
+                },
+                "parameters": {}
+            }
+        }
+    ],
+    "outputs": {
+        "configDceId": {
+            "type": "string",
+            "value": "[variables('configDataCollectionEndpointId')]"
+        },
+        "dcrId": {
+            "type": "string",
+            "value": "[variables('dataCollectionRuleId')]"
+        }
+    }
+}