From 1e0c6b77ac5e881820377639ef63bc36bde576ae Mon Sep 17 00:00:00 2001 
From: Miles Cameron <78753426+MilesCameron-DMs@users.noreply.github.com> Date: Thu, 20 Jul 2023 16:10:49 +0100 Subject: [PATCH] Feature addvalidation (#539) * Added whatif * Added needs * Adjustments to whatif configuration * Adjusted readme to remove environment ref and allow auto incrementing * Add additional clarification for What-If operation * Add missing variable for IS_PULL_REQUEST * Fix incorrect change for hub spoke file reference * Remove unneeded action id * Removed unneccssary space * Fix formatting of paths --------- Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> Co-authored-by: Zach Trocinski --- .../.azuredevops/pipelines/alz-bicep-1.yml | 21 +++++++++++++++++++ .../.azuredevops/pipelines/alz-bicep-2.yml | 16 ++++++++++++++ .../.azuredevops/pipelines/alz-bicep-3.yml | 16 ++++++++++++++ .../.azuredevops/pipelines/alz-bicep-4a.yml | 17 +++++++++++++++ .../.azuredevops/pipelines/alz-bicep-4b.yml | 17 +++++++++++++++ accelerator/.github/workflows/alz-bicep-1.yml | 5 +++++ accelerator/.github/workflows/alz-bicep-2.yml | 5 +++++ accelerator/.github/workflows/alz-bicep-3.yml | 5 +++++ .../.github/workflows/alz-bicep-4a.yml | 5 +++++ .../.github/workflows/alz-bicep-4b.yml | 5 +++++ .../Deploy-ALZConnectivityResourceGroup.ps1 | 6 +++++- .../Deploy-ALZCustomPolicyDefinitions.ps1 | 6 +++++- .../Deploy-ALZCustomRoleDefinitions.ps1 | 6 +++++- .../Deploy-ALZHub-HubAndSpoke.ps1 | 6 +++++- .../pipeline-scripts/Deploy-ALZHub-VWAN.ps1 | 6 +++++- .../Deploy-ALZLoggingAndSentinel.ps1 | 6 +++++- ...loy-ALZLoggingAndSentinelResourceGroup.ps1 | 6 +++++- .../Deploy-ALZMGDiagnosticSettings.ps1 | 6 +++++- .../Deploy-ALZManagementGroups.ps1 | 6 +++++- .../Deploy-ALZPolicyAssignments.ps1 | 6 +++++- .../Deploy-ALZRoleAssignments.ps1 | 6 +++++- .../Deploy-ALZSubscriptionPlacement.ps1 | 6 +++++- docs/wiki/Accelerator.md | 9 ++++++++ 23 files changed, 181 insertions(+), 12 deletions(-) 
diff --git a/accelerator/.azuredevops/pipelines/alz-bicep-1.yml b/accelerator/.azuredevops/pipelines/alz-bicep-1.yml index f202b0fe0..f180e4bc6 100644 --- a/accelerator/.azuredevops/pipelines/alz-bicep-1.yml +++ b/accelerator/.azuredevops/pipelines/alz-bicep-1.yml @@ -1,6 +1,21 @@ name: ALZ-Bicep-1 Workflow trigger: +# YAML PR triggers are supported only in GitHub and Bitbucket Cloud. +# If you use Azure Repos Git, you can configure a branch policy for build validation to trigger your build pipeline for validation. +# https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies#build-validation + branches: + include: + - "main" + paths: + include: + - "config/custom-parameters/managementGroups.parameters.all.json" + - "config/custom-parameters/resourceGroupLoggingAndSentinel.parameters.all.json" + - "config/custom-parameters/logging.parameters.all.json" + - "config/custom-parameters/customPolicyDefinitions.parameters.all.json" + - "config/custom-parameters/customRoleDefinitions.parameters.all.json" + - "config/custom-parameters/mgDiagSettingsAll.parameters.all.json" +pr: branches: include: - "main" @@ -16,6 +31,7 @@ trigger: variables: ENV_FILE: ".env" SERVICE_CONNECTION_NAME: "[your service connection name here]" + IS_PULL_REQUEST: "false" jobs: - job: ALZ_Bicep_1_Workflow_Job @@ -38,6 +54,11 @@ jobs: } displayName: Import Environment Variables from File + - pwsh: | + echo "##vso[task.setvariable variable=IS_PULL_REQUEST;]true" + condition: eq(variables['Build.Reason'], 'PullRequest') + displayName: Set IS_PULL_REQUEST Variable to True + - task: AzurePowerShell@5 displayName: "Management Groups Deployment" inputs: diff --git a/accelerator/.azuredevops/pipelines/alz-bicep-2.yml b/accelerator/.azuredevops/pipelines/alz-bicep-2.yml index 28c6f2740..87569594e 100644 --- a/accelerator/.azuredevops/pipelines/alz-bicep-2.yml +++ b/accelerator/.azuredevops/pipelines/alz-bicep-2.yml 
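Review bot: The three comment lines added directly under `trigger:` explain the `pr:` block that this hunk adds further down, not the CI trigger they sit in; placing them immediately above `+pr:` would keep the explanation next to what it describes, and the same applies to alz-bicep-2, 3, 4a and 4b. As far as the collapsed hunk shows, `trigger:` receives its own copy of the branch and path filter while `pr:` takes over the original block below it, so the two lists must now be kept in sync by hand; a comment such as `# Keep pr.paths identical to trigger.paths: whatever deploys on merge should be What-If validated in the PR` would make that expectation visible. Note also that a PR build uses SERVICE_CONNECTION_NAME with the same rights as the deploying build, so the What-If behaviour rests entirely on the IS_PULL_REQUEST step in the third hunk; a branch-control check or a separate, read-scoped service connection for validation builds is the usual way to bound what a PR run can do.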
@@ -1,6 +1,16 @@ name: ALZ-Bicep-2 Workflow trigger: +# YAML PR triggers are supported only in GitHub and Bitbucket Cloud. +# If you use Azure Repos Git, you can configure a branch policy for build validation to trigger your build pipeline for validation. +# https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies#build-validation + branches: + include: + - "main" + paths: + include: + - "config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json" +pr: branches: include: - "main" @@ -11,6 +21,7 @@ trigger: variables: ENV_FILE: ".env" SERVICE_CONNECTION_NAME: "[your service connection name here]" + IS_PULL_REQUEST: "false" jobs: - job: ALZ_Bicep_2_Workflow_Job @@ -33,6 +44,11 @@ jobs: } displayName: Import Environment Variables from File + - pwsh: | + echo "##vso[task.setvariable variable=IS_PULL_REQUEST;]true" + condition: eq(variables['Build.Reason'], 'PullRequest') + displayName: Set IS_PULL_REQUEST Variable to True + - task: AzurePowerShell@5 displayName: "Built-in and Custom Policy Assignments Deployment" inputs: diff --git a/accelerator/.azuredevops/pipelines/alz-bicep-3.yml b/accelerator/.azuredevops/pipelines/alz-bicep-3.yml index 5c845ec2a..6bb77e510 100644 --- a/accelerator/.azuredevops/pipelines/alz-bicep-3.yml +++ b/accelerator/.azuredevops/pipelines/alz-bicep-3.yml @@ -1,6 +1,16 @@ name: ALZ-Bicep-3 Workflow trigger: +# YAML PR triggers are supported only in GitHub and Bitbucket Cloud. +# If you use Azure Repos Git, you can configure a branch policy for build validation to trigger your build pipeline for validation. +# https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies#build-validation + branches: + include: + - "main" + paths: + include: + - "config/custom-parameters/subPlacementAll.parameters.all.json" +pr: branches: include: - "main" 
@@ -11,6 +21,7 @@ trigger: variables: ENV_FILE: ".env" SERVICE_CONNECTION_NAME: "[your service connection name here]" + IS_PULL_REQUEST: "false" jobs: - job: ALZ_Bicep_3_Workflow_Job @@ -33,6 +44,11 @@ jobs: } displayName: Import Environment Variables from File + - pwsh: | + echo "##vso[task.setvariable variable=IS_PULL_REQUEST;]true" + condition: eq(variables['Build.Reason'], 'PullRequest') + displayName: Set IS_PULL_REQUEST Variable to True + - task: AzurePowerShell@5 displayName: "Deploy Subscription Placement" inputs: diff --git a/accelerator/.azuredevops/pipelines/alz-bicep-4a.yml b/accelerator/.azuredevops/pipelines/alz-bicep-4a.yml index 1d470dbec..892ffe0ed 100644 --- a/accelerator/.azuredevops/pipelines/alz-bicep-4a.yml +++ b/accelerator/.azuredevops/pipelines/alz-bicep-4a.yml @@ -1,6 +1,17 @@ name: ALZ-Bicep-4a Workflow trigger: +# YAML PR triggers are supported only in GitHub and Bitbucket Cloud. +# If you use Azure Repos Git, you can configure a branch policy for build validation to trigger your build pipeline for validation. +# https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies#build-validation + branches: + include: + - "main" + paths: + include: + - "config/custom-parameters/resourceGroupConnectivity.parameters.all.json" + - "config/custom-parameters/hubNetworking.parameters.all.json" +pr: branches: include: - "main" @@ -12,6 +23,7 @@ trigger: variables: ENV_FILE: ".env" SERVICE_CONNECTION_NAME: "[your service connection name here]" + IS_PULL_REQUEST: "false" jobs: - job: ALZ_Bicep_4a_Workflow_Job @@ -34,6 +46,11 @@ jobs: } displayName: Import Environment Variables from File + - pwsh: | + echo "##vso[task.setvariable variable=IS_PULL_REQUEST;]true" + condition: eq(variables['Build.Reason'], 'PullRequest') + displayName: Set IS_PULL_REQUEST Variable to True + - task: AzurePowerShell@5 displayName: "Connectivity Resource Group Deployment" inputs: 
diff --git a/accelerator/.azuredevops/pipelines/alz-bicep-4b.yml b/accelerator/.azuredevops/pipelines/alz-bicep-4b.yml index 1fd8fa40c..dae89ddf8 100644 --- a/accelerator/.azuredevops/pipelines/alz-bicep-4b.yml +++ b/accelerator/.azuredevops/pipelines/alz-bicep-4b.yml @@ -1,6 +1,17 @@ name: ALZ-Bicep-4b Workflow trigger: +# YAML PR triggers are supported only in GitHub and Bitbucket Cloud. +# If you use Azure Repos Git, you can configure a branch policy for build validation to trigger your build pipeline for validation. +# https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies#build-validation + branches: + include: + - "main" + paths: + include: + - "config/custom-parameters/resourceGroupConnectivity.parameters.all.json" + - "config/custom-parameters/vwanConnectivity.parameters.all.json" +pr: branches: include: - "main" @@ -12,6 +23,7 @@ trigger: variables: ENV_FILE: ".env" SERVICE_CONNECTION_NAME: "[your service connection name here]" + IS_PULL_REQUEST: "false" jobs: - job: ALZ_Bicep_4b_Workflow_Job @@ -34,6 +46,11 @@ jobs: } displayName: Import Environment Variables from File + - pwsh: | + echo "##vso[task.setvariable variable=IS_PULL_REQUEST;]true" + condition: eq(variables['Build.Reason'], 'PullRequest') + displayName: Set IS_PULL_REQUEST Variable to True + - task: AzurePowerShell@5 displayName: "Connectivity Resource Group Deployment" inputs: diff --git a/accelerator/.github/workflows/alz-bicep-1.yml b/accelerator/.github/workflows/alz-bicep-1.yml index 6399bbcd9..3cd994e34 100644 --- a/accelerator/.github/workflows/alz-bicep-1.yml +++ b/accelerator/.github/workflows/alz-bicep-1.yml @@ -4,6 +4,9 @@ on: push: branches: - "main" + pull_request: + branches: + - "main" paths: - "config/custom-parameters/managementGroups.parameters.all.json" - "config/custom-parameters/resourceGroupLoggingAndSentinel.parameters.all.json" 
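Review bot: In alz-bicep-1.yml the `pull_request:` lines are inserted between `push.branches` and `paths:`, so `paths:` now belongs to `pull_request` and the `push` trigger is left with only a branch filter: every push to main runs this workflow and its live deployment regardless of which parameter file changed (unless indentation lost in this view says otherwise). The same insertion point is used in alz-bicep-2, 3, 4a and 4b. GitHub Actions has no shared filter, so each trigger needs its own `paths:` list, as sketched below; keeping the two lists identical also ensures that whatever deploys on merge was What-If validated on the PR. The `on:` line is outside the hunk.
```yaml
  push:
    # … unchanged: branches filter …
    paths:
      - "config/custom-parameters/managementGroups.parameters.all.json"
      # … unchanged: remaining push path entries …
  pull_request:
    branches:
      - "main"
    paths:
      # … same list as push.paths …
```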
@@ -16,9 +19,11 @@ on: permissions: id-token: write contents: read + pull-requests: write env: ENV_FILE: ".env" + IS_PULL_REQUEST: "${{ github.event_name == 'pull_request' }}" jobs: ALZ_Bicep_1_Workflow_Job: diff --git a/accelerator/.github/workflows/alz-bicep-2.yml b/accelerator/.github/workflows/alz-bicep-2.yml index f1bde2a05..651fc26d8 100644 --- a/accelerator/.github/workflows/alz-bicep-2.yml +++ b/accelerator/.github/workflows/alz-bicep-2.yml @@ -4,6 +4,9 @@ on: push: branches: - "main" + pull_request: + branches: + - "main" paths: - "config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json" workflow_dispatch: @@ -11,9 +14,11 @@ on: permissions: id-token: write contents: read + pull-requests: write env: ENV_FILE: ".env" + IS_PULL_REQUEST: "${{ github.event_name == 'pull_request' }}" jobs: ALZ_Bicep_2_Workflow_Job: diff --git a/accelerator/.github/workflows/alz-bicep-3.yml b/accelerator/.github/workflows/alz-bicep-3.yml index f4d6f8bde..93110121b 100644 --- a/accelerator/.github/workflows/alz-bicep-3.yml +++ b/accelerator/.github/workflows/alz-bicep-3.yml @@ -4,6 +4,9 @@ on: push: branches: - "main" + pull_request: + branches: + - "main" paths: - "config/custom-parameters/subPlacementAll.parameters.all.json" workflow_dispatch: @@ -11,9 +14,11 @@ on: permissions: id-token: write contents: read + pull-requests: write env: ENV_FILE: ".env" + IS_PULL_REQUEST: "${{ github.event_name == 'pull_request' }}" jobs: ALZ_Bicep_3_Workflow_Job: diff --git a/accelerator/.github/workflows/alz-bicep-4a.yml b/accelerator/.github/workflows/alz-bicep-4a.yml index 2bd136a7f..09d4ad6fb 100644 --- a/accelerator/.github/workflows/alz-bicep-4a.yml +++ b/accelerator/.github/workflows/alz-bicep-4a.yml @@ -4,6 +4,9 @@ on: push: branches: - "main" + pull_request: + branches: + - "main" paths: - "config/custom-parameters/resourceGroupConnectivity.parameters.all.json" - "config/custom-parameters/hubNetworking.parameters.all.json" 
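Review bot: `pull-requests: write` is added to the `permissions` of alz-bicep-1.yml (and 2, 3, 4a, 4b) although no step in these workflows writes to a pull request; the wiki hunk in this commit says PR commenting is future work, so the grant should arrive together with the step that needs it, or at least carry a comment like `# reserved for posting What-If output as a PR comment (not used yet)`. The weightier consequence of the new `pull_request` trigger is that `id-token: write` now applies to PR runs too: once the 'Pull Request' federated credential requested in the wiki hunk exists, a run started by any same-repository PR can obtain a token for the deployment identity, while the What-If guard is an environment variable read by scripts checked out from that PR branch, so it is a convenience rather than a boundary against a PR that edits the workflow or the scripts. As far as I know, fork PRs do not receive the OIDC token under `pull_request`, which limits this to people who can push branches to the repository; if that set is wider than the set allowed to deploy, a separate read-scoped identity with its own federated credential for validation runs is the usual mitigation, and either way a comment above `permissions:` recording this decision would help.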
@@ -12,9 +15,11 @@ on: permissions: id-token: write contents: read + pull-requests: write env: ENV_FILE: ".env" + IS_PULL_REQUEST: "${{ github.event_name == 'pull_request' }}" jobs: ALZ_Bicep_4a_Workflow_Job: diff --git a/accelerator/.github/workflows/alz-bicep-4b.yml b/accelerator/.github/workflows/alz-bicep-4b.yml index 5540b5334..ca703ab90 100644 --- a/accelerator/.github/workflows/alz-bicep-4b.yml +++ b/accelerator/.github/workflows/alz-bicep-4b.yml @@ -4,6 +4,9 @@ on: push: branches: - "main" + pull_request: + branches: + - "main" paths: - "config/custom-parameters/resourceGroupConnectivity.parameters.all.json" - "config/custom-parameters/vwanConnectivity.parameters.all.json" @@ -12,9 +15,11 @@ on: permissions: id-token: write contents: read + pull-requests: write env: ENV_FILE: ".env" + IS_PULL_REQUEST: "${{ github.event_name == 'pull_request' }}" jobs: ALZ_Bicep_4b_Workflow_Job: diff --git a/accelerator/pipeline-scripts/Deploy-ALZConnectivityResourceGroup.ps1 b/accelerator/pipeline-scripts/Deploy-ALZConnectivityResourceGroup.ps1 index 6cc2d7f21..1ed385f5b 100644 --- a/accelerator/pipeline-scripts/Deploy-ALZConnectivityResourceGroup.ps1 +++ b/accelerator/pipeline-scripts/Deploy-ALZConnectivityResourceGroup.ps1 @@ -9,7 +9,10 @@ param ( [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\resourceGroup\resourceGroup.bicep", [Parameter()] - [String]$TemplateParameterFile = "config\custom-parameters\resourceGroupConnectivity.parameters.all.json" + [String]$TemplateParameterFile = "config\custom-parameters\resourceGroupConnectivity.parameters.all.json", + + [Parameter()] + [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST)) ) # Parameters necessary for deployment @@ -18,6 +21,7 @@ $inputObject = @{ Location = $Location TemplateFile = $TemplateFile TemplateParameterFile = $TemplateParameterFile + WhatIf = $WhatIfEnabled Verbose = $true } 
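Review bot: `[Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST))` fails open: when IS_PULL_REQUEST is not set, `ToBoolean($null)` evaluates to `$false` and the script performs a live deployment, and an empty string would, I believe, throw a FormatException from the string overload instead. Since this default is the only thing deciding between What-If and a real deployment, the absent case is safer treated as validation, with an explicit `-WhatIfEnabled $false` for anyone running the script outside the pipeline: `[Boolean]$WhatIfEnabled = [string]::IsNullOrWhiteSpace($env:IS_PULL_REQUEST) -or [System.Convert]::ToBoolean($env:IS_PULL_REQUEST.Trim())` (the `$( … )` wrapper around the variable is a no-op subexpression). The same default appears in the other eleven Deploy-ALZ*.ps1 scripts in this commit, from Deploy-ALZCustomPolicyDefinitions.ps1 through Deploy-ALZSubscriptionPlacement.ps1, and the `WhatIf = $WhatIfEnabled` entries in the second hunks are fine as they are. Both the `param` block and the `$inputObject` hashtable continue outside their hunks; a `.PARAMETER WhatIfEnabled` help entry stating that it is derived from IS_PULL_REQUEST and that `$true` produces a What-If run only would help whoever invokes the script by hand.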
diff --git a/accelerator/pipeline-scripts/Deploy-ALZCustomPolicyDefinitions.ps1 b/accelerator/pipeline-scripts/Deploy-ALZCustomPolicyDefinitions.ps1 index 3a09b0dbf..c5014167e 100644 --- a/accelerator/pipeline-scripts/Deploy-ALZCustomPolicyDefinitions.ps1 +++ b/accelerator/pipeline-scripts/Deploy-ALZCustomPolicyDefinitions.ps1 @@ -9,7 +9,10 @@ param ( [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\policy\definitions\customPolicyDefinitions.bicep", [Parameter()] - [String]$TemplateParameterFile = "config\custom-parameters\customPolicyDefinitions.parameters.all.json" + [String]$TemplateParameterFile = "config\custom-parameters\customPolicyDefinitions.parameters.all.json", + + [Parameter()] + [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST)) ) # Parameters necessary for deployment @@ -19,6 +22,7 @@ $inputObject = @{ ManagementGroupId = $TopLevelMGPrefix TemplateFile = $TemplateFile TemplateParameterFile = $TemplateParameterFile + WhatIf = $WhatIfEnabled Verbose = $true } diff --git a/accelerator/pipeline-scripts/Deploy-ALZCustomRoleDefinitions.ps1 b/accelerator/pipeline-scripts/Deploy-ALZCustomRoleDefinitions.ps1 index 9dbc56d42..5aece569e 100644 --- a/accelerator/pipeline-scripts/Deploy-ALZCustomRoleDefinitions.ps1 +++ b/accelerator/pipeline-scripts/Deploy-ALZCustomRoleDefinitions.ps1 @@ -9,7 +9,10 @@ param ( [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\customRoleDefinitions\customRoleDefinitions.bicep", [Parameter()] - [String]$TemplateParameterFile = "config\custom-parameters\customRoleDefinitions.parameters.all.json" + [String]$TemplateParameterFile = "config\custom-parameters\customRoleDefinitions.parameters.all.json", + + [Parameter()] + [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST)) ) # Parameters necessary for deployment 
@@ -19,6 +22,7 @@ $inputObject = @{ ManagementGroupId = $TopLevelMGPrefix TemplateFile = $TemplateFile TemplateParameterFile = $TemplateParameterFile + WhatIf = $WhatIfEnabled Verbose = $true } diff --git a/accelerator/pipeline-scripts/Deploy-ALZHub-HubAndSpoke.ps1 b/accelerator/pipeline-scripts/Deploy-ALZHub-HubAndSpoke.ps1 index 8c7c50133..7da5a19df 100644 --- a/accelerator/pipeline-scripts/Deploy-ALZHub-HubAndSpoke.ps1 +++ b/accelerator/pipeline-scripts/Deploy-ALZHub-HubAndSpoke.ps1 @@ -9,7 +9,10 @@ param ( [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\hubNetworking\hubNetworking.bicep", [Parameter()] - [String]$TemplateParameterFile = "config\custom-parameters\hubNetworking.parameters.all.json" + [String]$TemplateParameterFile = "config\custom-parameters\hubNetworking.parameters.all.json", + + [Parameter()] + [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST)) ) # Parameters necessary for deployment @@ -18,6 +21,7 @@ $inputObject = @{ ResourceGroupName = $ConnectivityResourceGroup TemplateFile = $TemplateFile TemplateParameterFile = $TemplateParameterFile + WhatIf = $WhatIfEnabled Verbose = $true } diff --git a/accelerator/pipeline-scripts/Deploy-ALZHub-VWAN.ps1 b/accelerator/pipeline-scripts/Deploy-ALZHub-VWAN.ps1 index 4a73fd971..2ce0e06f2 100644 --- a/accelerator/pipeline-scripts/Deploy-ALZHub-VWAN.ps1 +++ b/accelerator/pipeline-scripts/Deploy-ALZHub-VWAN.ps1 @@ -9,7 +9,10 @@ param ( [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\vwanConnectivity\vwanConnectivity.bicep", [Parameter()] - [String]$TemplateParameterFile = "config\custom-parameters\vwanConnectivity.parameters.all.json" + [String]$TemplateParameterFile = "config\custom-parameters\vwanConnectivity.parameters.all.json", + + [Parameter()] + [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST)) ) # Parameters necessary for deployment 
@@ -18,6 +21,7 @@ $inputObject = @{ ResourceGroupName = $ConnectivityResourceGroup TemplateFile = $TemplateFile TemplateParameterFile = $TemplateParameterFile + WhatIf = $WhatIfEnabled Verbose = $true } diff --git a/accelerator/pipeline-scripts/Deploy-ALZLoggingAndSentinel.ps1 b/accelerator/pipeline-scripts/Deploy-ALZLoggingAndSentinel.ps1 index ef3d578e5..cf694122b 100644 --- a/accelerator/pipeline-scripts/Deploy-ALZLoggingAndSentinel.ps1 +++ b/accelerator/pipeline-scripts/Deploy-ALZLoggingAndSentinel.ps1 @@ -9,7 +9,10 @@ param ( [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\logging\logging.bicep", [Parameter()] - [String]$TemplateParameterFile = "config\custom-parameters\logging.parameters.all.json" + [String]$TemplateParameterFile = "config\custom-parameters\logging.parameters.all.json", + + [Parameter()] + [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST)) ) # Parameters necessary for deployment @@ -18,6 +21,7 @@ $inputObject = @{ ResourceGroupName = $LoggingResourceGroup TemplateFile = $TemplateFile TemplateParameterFile = $TemplateParameterFile + WhatIf = $WhatIfEnabled Verbose = $true } diff --git a/accelerator/pipeline-scripts/Deploy-ALZLoggingAndSentinelResourceGroup.ps1 b/accelerator/pipeline-scripts/Deploy-ALZLoggingAndSentinelResourceGroup.ps1 index af548c989..5e0ea3492 100644 --- a/accelerator/pipeline-scripts/Deploy-ALZLoggingAndSentinelResourceGroup.ps1 +++ b/accelerator/pipeline-scripts/Deploy-ALZLoggingAndSentinelResourceGroup.ps1 
@@ -9,7 +9,10 @@ param ( [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\resourceGroup\resourceGroup.bicep", [Parameter()] - [String]$TemplateParameterFile = "config\custom-parameters\resourceGroupLoggingAndSentinel.parameters.all.json" + [String]$TemplateParameterFile = "config\custom-parameters\resourceGroupLoggingAndSentinel.parameters.all.json", + + [Parameter()] + [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST)) ) # Parameters necessary for deployment @@ -18,6 +21,7 @@ $inputObject = @{ Location = $Location TemplateFile = $TemplateFile TemplateParameterFile = $TemplateParameterFile + WhatIf = $WhatIfEnabled Verbose = $true } diff --git a/accelerator/pipeline-scripts/Deploy-ALZMGDiagnosticSettings.ps1 b/accelerator/pipeline-scripts/Deploy-ALZMGDiagnosticSettings.ps1 index 57aeeb5be..24b2e5db4 100644 --- a/accelerator/pipeline-scripts/Deploy-ALZMGDiagnosticSettings.ps1 +++ b/accelerator/pipeline-scripts/Deploy-ALZMGDiagnosticSettings.ps1 @@ -9,7 +9,10 @@ param ( [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\orchestration\mgDiagSettingsAll\mgDiagSettingsAll.bicep", [Parameter()] - [String]$TemplateParameterFile = "config\custom-parameters\mgDiagSettingsAll.parameters.all.json" + [String]$TemplateParameterFile = "config\custom-parameters\mgDiagSettingsAll.parameters.all.json", + + [Parameter()] + [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST)) ) # Parameters necessary for deployment @@ -19,6 +22,7 @@ $inputObject = @{ ManagementGroupId = $TopLevelMGPrefix TemplateFile = $TemplateFile TemplateParameterFile = $TemplateParameterFile + WhatIf = $WhatIfEnabled Verbose = $true } diff --git a/accelerator/pipeline-scripts/Deploy-ALZManagementGroups.ps1 b/accelerator/pipeline-scripts/Deploy-ALZManagementGroups.ps1 index 152f7478d..dd4ac6f1c 100644 
--- a/accelerator/pipeline-scripts/Deploy-ALZManagementGroups.ps1 +++ b/accelerator/pipeline-scripts/Deploy-ALZManagementGroups.ps1 @@ -6,7 +6,10 @@ param ( [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\managementGroups\managementGroups.bicep", [Parameter()] - [String]$TemplateParameterFile = "config\custom-parameters\managementGroups.parameters.all.json" + [String]$TemplateParameterFile = "config\custom-parameters\managementGroups.parameters.all.json", + + [Parameter()] + [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST)) ) # Parameters necessary for deployment @@ -15,6 +18,7 @@ $inputObject = @{ Location = $Location TemplateFile = $TemplateFile TemplateParameterFile = $TemplateParameterFile + WhatIf = $WhatIfEnabled Verbose = $true } diff --git a/accelerator/pipeline-scripts/Deploy-ALZPolicyAssignments.ps1 b/accelerator/pipeline-scripts/Deploy-ALZPolicyAssignments.ps1 index 6587e01b9..ed72e6069 100644 --- a/accelerator/pipeline-scripts/Deploy-ALZPolicyAssignments.ps1 +++ b/accelerator/pipeline-scripts/Deploy-ALZPolicyAssignments.ps1 @@ -9,7 +9,10 @@ param ( [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\policy\assignments\alzDefaults\alzDefaultPolicyAssignments.bicep", [Parameter()] - [String]$TemplateParameterFile = "config\custom-parameters\alzDefaultPolicyAssignments.parameters.all.json" + [String]$TemplateParameterFile = "config\custom-parameters\alzDefaultPolicyAssignments.parameters.all.json", + + [Parameter()] + [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST)) ) # Parameters necessary for deployment @@ -19,6 +22,7 @@ $inputObject = @{ ManagementGroupId = $TopLevelMGPrefix TemplateFile = $TemplateFile TemplateParameterFile = $TemplateParameterFile + WhatIf = $WhatIfEnabled Verbose = $true } 
diff --git a/accelerator/pipeline-scripts/Deploy-ALZRoleAssignments.ps1 b/accelerator/pipeline-scripts/Deploy-ALZRoleAssignments.ps1 index 9d0721469..782cdb745 100644 --- a/accelerator/pipeline-scripts/Deploy-ALZRoleAssignments.ps1 +++ b/accelerator/pipeline-scripts/Deploy-ALZRoleAssignments.ps1 @@ -9,7 +9,10 @@ param ( [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\modules\roleAssignments\roleAssignmentManagementGroupMany.bicep", [Parameter()] - [String]$TemplateParameterFile = "config\custom-parameters\roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json" + [String]$TemplateParameterFile = "config\custom-parameters\roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json", + + [Parameter()] + [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST)) ) # Parameters necessary for deployment @@ -19,6 +22,7 @@ $inputObject = @{ ManagementGroupId = $TopLevelMGPrefix TemplateFile = $TemplateFile TemplateParameterFile = $TemplateParameterFile + WhatIf = $WhatIfEnabled Verbose = $true } diff --git a/accelerator/pipeline-scripts/Deploy-ALZSubscriptionPlacement.ps1 b/accelerator/pipeline-scripts/Deploy-ALZSubscriptionPlacement.ps1 index 6b1b8ae00..8d5024381 100644 --- a/accelerator/pipeline-scripts/Deploy-ALZSubscriptionPlacement.ps1 +++ b/accelerator/pipeline-scripts/Deploy-ALZSubscriptionPlacement.ps1 @@ -9,7 +9,10 @@ param ( [String]$TemplateFile = "upstream-releases\$($env:UPSTREAM_RELEASE_VERSION)\infra-as-code\bicep\orchestration\subPlacementAll\subPlacementAll.bicep", [Parameter()] - [String]$TemplateParameterFile = "config\custom-parameters\subPlacementAll.parameters.all.json" + [String]$TemplateParameterFile = "config\custom-parameters\subPlacementAll.parameters.all.json", + + [Parameter()] + [Boolean]$WhatIfEnabled = [System.Convert]::ToBoolean($($env:IS_PULL_REQUEST)) ) # Parameters necessary for deployment 
@@ -19,6 +22,7 @@ $inputObject = @{ ManagementGroupId = $TopLevelMGPrefix TemplateFile = $TemplateFile TemplateParameterFile = $TemplateParameterFile + WhatIf = $WhatIfEnabled Verbose = $true } diff --git a/docs/wiki/Accelerator.md b/docs/wiki/Accelerator.md index 16f246ba5..37643fa7a 100644 --- a/docs/wiki/Accelerator.md +++ b/docs/wiki/Accelerator.md @@ -29,6 +29,10 @@ We attempted to make the pipelines as flexible as possible while also reducing o - PowerShell deployment scripts for each module that are referenced within [Azure PowerShell Action](https://github.com/marketplace/actions/azure-powershell-action) steps - The PowerShell scripts reference the modules and parameter files used within the [deployment flow documentation](https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow#module-deployment-sequence). Therefore, we recommend you review the deployment flow documentation to understand the purpose of each module and the parameters that are used within the deployment scripts. - Environment variables file (.env) which is used to store variables that are accessed within the PowerShell scripts +- What-If Deploment conditions which are triggered automatically if a pull request is created against the main branch. This allows for a user to validate the deployment and potential changes before merging the pull request into the main branch. +- Deployment conditions which are triggered automatically if a push is made to the main branch. This allows for a user to validate the deployment and potential changes before merging the pull request into the main branch. + > **Note:** + > Currently, the output of the GitHub Action workflows or the Azure DevOps Pipelines need to viewed within the respective portal. We are working on adding support for sending the output to the Pull Request comments section in the future. The only thing that differs across the workflows is which ALZ Bicep modules are deployed as shown in the following table: 
@@ -119,6 +123,8 @@ In order to setup the Accelerator framework with the production GitHub Action Wo 1. Now that the remote branch has the latest commit(s), you can configure your OpenID Connect (OIDC) identity provider with GitHub which will give the workflows access to your Azure environment. 1. [Create an Azure Active Directory application/service principal](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#create-an-azure-active-directory-application-and-service-principal) 1. [Add your federated credentials](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#add-federated-credentials-preview) + 1. Add one federated credential with the entity type set to 'Branch' and with a value for "Based on Selection" set to 'main' + 1. Add a secondary federated credential with the entity type set to 'Pull Request' 1. [Create GitHub secrets](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Cwindows#create-github-secrets) > **Note:** > The workflows reference secret names AZURE_TENANT_ID and AZURE_CLIENT_ID. If you choose to use different names, you will need to update the workflows accordingly. 
@@ -232,6 +238,9 @@ In order to setup the Accelerator framework with the production ready Azure DevO - Require approvals - Require conversation resolution before merging - Do not allow bypassing the above settings + - Setup automated and required build valdiation reuquirements for all of the pipelines. This will ensure that all changes to the main branch are validated before merging as well as to provide a What-If analysis for the changes made to your ALZ environment. Finally, ensure you match the path filters for each build validation to what is specified in the pipeline files. + > **Note:** + > This last step is required if you are using GitHub and Bitbucket as your repository and integrating with Azure DevOps Pipelines. ### Incoporating a Branching Strategy