From 8dd8d53eea37133880b5d2178b7dd53f0104a005 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Thu, 18 Jul 2024 21:25:19 +0100 Subject: [PATCH] Implement bicep bootstrap (#799) * Update configuration to support bootstrap * Add networking type option * Latest updates for bootstrap * Fix RG name * Add manual whatif overrides * Fix MG id * Revert and add new config * Update for viable what if * Add destroy script * Fix script * Idempotent script * Add groups to config file * Add test starter module * Simplify destroy script * Add folders to retain into config * Latest updates for test module * Fix resource group deletion code * Filter down more * Only remove deployments created by this module * Add PREFIX env var * Add prefix param to avoid confusion * Fix linting * Update accelerator docs * Remove china policies * Fix PowerShell Typo * skip delete on no mg * Add on demand folder support * Update version json * Docs typo * Update wiki for clarity * Add header * Support regional availability zones * Fix incorrect link and misspelling --------- Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> Co-authored-by: Zach Trocinski --- README.md | 2 +- .../.config/ALZ-Powershell-Auto.config.json | 955 ++++++++++++++++++ accelerator/scripts/destroy-landing-zone.ps1 | 190 ++++ .../managementGroup/managementGroup.bicep | 36 + .../managementGroup.parameters.all.json | 18 + docs/wiki/Accelerator.md | 26 +- infra-as-code/bicep/modules/README.md | 1 - version.json | 8 +- 8 files changed, 1222 insertions(+), 14 deletions(-) create mode 100644 accelerator/.config/ALZ-Powershell-Auto.config.json create mode 100644 accelerator/scripts/destroy-landing-zone.ps1 create mode 100644 accelerator/test_modules/managementGroup/managementGroup.bicep create mode 100644 accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json diff --git a/README.md b/README.md index ee937cf37..4f145153d 100644 --- a/README.md +++ b/README.md @@ -116,7 +116,7 @@ For support on the artifacts contained in this repository, please refer to [this [wiki_resiliency]: https://github.com/Azure/ALZ-Bicep/wiki/Resiliency "Wiki - Resiliency" [wiki_contributing]: https://github.com/Azure/ALZ-Bicep/wiki/Contributing "Wiki - Contributing" [wiki_accelerator]: "Wiki - Accelerator" -[wiki_amba]: "Wiki - AMBA" +[wiki_amba]: "Wiki - AMBA" [wiki_faq]: "Wiki - FAQs" [wiki_cuaid]: "Wiki - Telemetry Usage ID" [wiki_acrdeploy]: "Wiki - Private Bicep Registry" diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json new file mode 100644 index 000000000..66f60d6c2 --- /dev/null +++ b/accelerator/.config/ALZ-Powershell-Auto.config.json @@ -0,0 +1,955 @@ +{ + "starter_modules": { + "complete": { + "location": ".", + "short_name": "Complete", + "description": "Complete Azure Landing Zones Deployment", + "destroy_script_path": "accelerator/scripts/destroy-landing-zone.ps1", + "folders_or_files_to_retain": [ + "accelerator", + "infra-as-code" + ], + "subfolders_or_files_to_remove" : [ + "media", + "samples", + "generateddocs", + ".azuredevops/pipelines", + ".github/workflows", + "pipeline-scripts", + "china", + "china/policy_definitions", + "china/policy_set_definitions", + "china/policy_assignments", + "parameters", + "README.md", + "ALZ-Powershell.config.json", + "test_modules/managementGroup" + ], + "on_demand_folders" : [ + { + "target": "infra-as-code", + "source": "infra-as-code" + } + ], + "deployment_file_groups" : [ + { + "name": "management_groups", + "displayName": "Management Groups", + "order": 1 + }, + { + "name": "logging_and_sentinel", + "displayName": "Logging and Sentinel", + "order": 2 + }, + { + "name": "policy_definitions", + "displayName": "Policy Definitions", + "order": 3 + }, + { + "name": "role_definitions", + "displayName": "Role Definitions", + "order": 4 + }, + { + "name": "policy_assignments", + "displayName": "Policy Assignments", + "order": 5 + }, + { + "name": "management_group_diagnostic_settings", + "displayName": "Management Group Diagnostic Settings", + "order": 6 + }, + { + "name": "subscription_placement", + "displayName": "Subscription Placement", + "order": 7 + }, + { + "name": "connectivity", + "displayName": "Connectivity", + "order": 8 + } + ], + "deployment_files": [ + { + "name": "management_groups", + "displayName": "Management Groups Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/managementGroups/managementGroupsScopeEscape.bicep", + "templateParametersFilePath": "./config/custom-parameters/managementGroups.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json", + "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": true, + "order": 1, + "group": "management_groups" + }, + { + "name": "logging_and_sentinel_resource_group", + "displayName": "Logging and Sentinel Resource Group Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/resourceGroupLoggingAndSentinel.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", + "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", + "deploymentType": "subscription", + "firstRunWhatIf": true, + "order": 2, + "group": "logging_and_sentinel" + }, + { + "name": "logging_and_sentinel", + "displayName": "Logging and Sentinel Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/logging/logging.bicep", + "templateParametersFilePath": "./config/custom-parameters/logging.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json", + "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", + "resourceGroupName": "LOGGING_RESOURCE_GROUP", + "deploymentType": "resourceGroup", + "firstRunWhatIf": false, + "order": 3, + "group": "logging_and_sentinel" + }, + { + "name": "custom_policy_definitions", + "displayName": "Custom Policy Definitions Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep", + "templateParametersFilePath": "./config/custom-parameters/customPolicyDefinitions.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json", + "managementGroupId": "MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": false, + "order": 4, + "group": "policy_definitions" + }, + { + "name": "custom_role_definitions", + "displayName": "Custom Role Definitions Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep", + "templateParametersFilePath": "./config/custom-parameters/customRoleDefinitions.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json", + "managementGroupId": "MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": false, + "order": 5, + "group": "role_definitions" + }, + { + "name": "management_group_diagnostic_settings", + "displayName": "Custom Management Group Diagnostic Settings", + "templateFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep", + "templateParametersFilePath": "./config/custom-parameters/mgDiagSettingsAll.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json", + "managementGroupId": "MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": false, + "order": 6, + "group": "management_group_diagnostic_settings" + }, + { + "name": "policy_assignments", + "displayName": "Built-in and Custom Policy Assignments Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep", + "templateParametersFilePath": "./config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json", + "managementGroupId": "MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": false, + "order": 7, + "group": "policy_assignments" + }, + { + "name": "subscription_placement", + "displayName": "Deploy Subscription Placement", + "templateFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep", + "templateParametersFilePath": "./config/custom-parameters/subPlacementAll.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json", + "managementGroupId": "MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": false, + "order": 8, + "group": "subscription_placement" + }, + { + "name": "connectivity_resource_group", + "displayName": "Connectivity Resource Group Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/resourceGroupConnectivity.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", + "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", + "deploymentType": "subscription", + "firstRunWhatIf": true, + "order": 9, + "group": "connectivity" + }, + { + "name": "hub_and_spoke", + "displayName": "Hub (Hub-and-Spoke) Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep", + "templateParametersFilePath": "./config/custom-parameters/hubNetworking.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.all.json", + "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", + "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", + "networkType": "hubNetworking", + "deploymentType": "resourceGroup", + "firstRunWhatIf": false, + "order": 10, + "group": "connectivity" + }, + { + "name": "vwan", + "displayName": "Hub (VWAN) Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep", + "templateParametersFilePath": "./config/custom-parameters/vwanConnectivity.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.az.all.json", + "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", + "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", + "networkType": "vwanConnectivity", + "deploymentType": "resourceGroup", + "firstRunWhatIf": false, + "order": 10, + "group": "connectivity" + } + ], + "inputs": { + "ReleaseVersion": { + "source": "powershell", + "type": "string", + "Targets": [ + { + "Name": "RELEASE_VERSION", + "Destination": "Environment" + } + ] + }, + "Prefix": { + "source": "input", + "type": "string", + "description": "The prefix that will be added to all resources created by this deployment. (e.g. 'alz')", + "Targets": [ + { + "Name": "parTopLevelManagementGroupPrefix.value", + "Destination": "Parameters" + }, + { + "Name": "parCompanyPrefix.value", + "Destination": "Parameters" + }, + { + "Name": "parTargetManagementGroupId.value", + "Destination": "Parameters" + }, + { + "Name": "parAssignableScopeManagementGroupId.value", + "Destination": "Parameters" + }, + { + "name": "MANAGEMENT_GROUP_ID", + "Destination": "Environment" + }, + { + "name": "PREFIX", + "Destination": "Environment" + } + ], + "default": "alz", + "validation": "azure_name" + }, + "Location": { + "source": "input", + "type": "string", + "description": "Deployment location. (e.g. 'uksouth')", + "Targets": [ + { + "Name": "parLocation.value", + "Destination": "Parameters" + }, + { + "Name": "parAutomationAccountLocation.value", + "Destination": "Parameters" + }, + { + "Name": "parPolicyAssignmentParameters.value.ascExportResourceGroupLocation.value", + "Destination": "Parameters" + }, + { + "Name": "parVirtualWanHubs.value[0].parHubLocation", + "Destination": "Parameters" + }, + { + "Name": "LOCATION", + "Destination": "Environment" + } + ], + "validation": "azure_location" + }, + "Environment": { + "source": "input", + "type": "string", + "description": "The Type of environment that will be created. (e.g. 'live', 'canary')", + "Targets": [ + { + "Name": "parEnvironment.value", + "Destination": "Parameters" + }, + { + "Name": "parTags.value.Environment", + "Destination": "Parameters" + } + ], + "default": "live", + "validation": "azure_name_section" + }, + "networkType": { + "source": "input", + "type": "string", + "description": "The type of networking to deploy. (e.g. 'hubNetworking', 'vwanConnectivity')", + "default": "hubNetworking", + "Targets": [ + { + "Name": "NETWORK_TYPE", + "Destination": "Environment" + } + ], + "validation": "network_type" + }, + "IdentitySubscriptionId": { + "source": "input", + "type": "string", + "description": "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')", + "validation": "azure_subscription_id", + "Targets": [ + { + "Name": "IDENTITY_SUBSCRIPTION_ID", + "Destination": "Environment" + } + ] + }, + "ConnectivitySubscriptionId": { + "source": "input", + "type": "string", + "description": "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')", + "validation": "azure_subscription_id", + "Targets": [ + { + "Name": "CONNECTIVITY_SUBSCRIPTION_ID", + "Destination": "Environment" + } + ] + }, + "ManagementSubscriptionId": { + "source": "input", + "type": "string", + "description": "The identifier of the Management Subscription. (e.g 00000000-0000-0000-0000-000000000000)", + "validation": "azure_subscription_id", + "Targets": [ + { + "Name": "MANAGEMENT_SUBSCRIPTION_ID", + "Destination": "Environment" + } + ] + }, + "SecurityContact": { + "source": "input", + "type": "string", + "description": "The email address of the contact for security issues. (e.g. security@contactme.com)", + "validation": "email", + "Targets": [ + { + "Name": "parMsDefenderForCloudEmailSecurityContact.value", + "Destination": "Parameters" + } + ] + }, + "LogAnalyticsWorkspaceLocation": { + "source": "powershell", + "type": "string", + "Value": "{%Location%}", + "Process": "($args[0] -eq \"eastus\") ? \"eastus2\" : ($args[0] -eq \"eastus2\") ? \"eastus\" : $args[0]", + "Targets": [ + { + "Name": "parLogAnalyticsWorkspaceLocation.value", + "Destination": "Parameters" + }, + { + "Name": "parLogAnalyticsWorkSpaceAndAutomationAccountLocation.value", + "Destination": "Parameters" + } + ] + }, + "LogAnalyticsResourceId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/microsoft.operationalinsights/workspaces/alz-log-analytics", + "Targets": [ + { + "Name": "parLogAnalyticsWorkspaceResourceId.value", + "Destination": "Parameters" + } + ] + }, + "DataCollectionRuleVMInsightsResourceId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr", + "Targets": [ + { + "Name": "parDataCollectionRuleVMInsightsResourceId.value", + "Destination": "Parameters" + } + ] + }, + "DataCollectionRuleChangeTrackingResourceId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr", + "Targets": [ + { + "Name": "parDataCollectionRuleChangeTrackingResourceId.value", + "Destination": "Parameters" + } + ] + }, + "DataCollectionRuleMDFCSQLResourceId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr", + "Targets": [ + { + "Name": "parDataCollectionRuleMDFCSQLResourceId.value", + "Destination": "Parameters" + } + ] + }, + "UserAssignedManagedIdentityResourceId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity", + "Targets": [ + { + "Name": "parUserAssignedManagedIdentityResourceId.value", + "Destination": "Parameters" + } + ] + }, + "DdosPretectionPlanId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ConnectivitySubscriptionId%}/resourceGroups/rg-{%Prefix%}-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan", + "Targets": [ + { + "Name": "parDdosProtectionPlanId.value", + "Destination": "Parameters" + } + ] + }, + "PrivateDnsResourceGroupId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ConnectivitySubscriptionId%}/resourceGroups/rg-{%Prefix%}-connectivity", + "Targets": [ + { + "Name": "parPrivateDnsResourceGroupId.value", + "Destination": "Parameters" + } + ] + }, + "ManagementSubscriptionGroup": { + "source": "powershell", + "type": "string", + "Value": [ + "{%ManagementSubscriptionId%}" + ], + "Targets": [ + { + "Name": "parPlatformManagementMgSubs.value", + "Destination": "Parameters" + } + ] + }, + "ConnectivitySubscriptionGroup": { + "source": "powershell", + "type": "string", + "Value": [ + "{%ConnectivitySubscriptionId%}" + ], + "Targets": [ + { + "Name": "parPlatformConnectivityMgSubs.value", + "Destination": "Parameters" + } + ] + }, + "IdentitySubscriptionGroup": { + "source": "powershell", + "type": "string", + "Value": [ + "{%IdentitySubscriptionId%}" + ], + "Targets": [ + { + "Name": "parPlatformIdentityMgSubs.value", + "Destination": "Parameters" + } + ] + }, + "HubNetworkName": { + "source": "powershell", + "type": "string", + "Value": "alz-hub-{%Location%}", + "Targets": [ + { + "Name": "parHubNetworkName.value", + "Destination": "Parameters" + } + ] + }, + "VirtualIdToLink": { + "source": "powershell", + "type": "string", + "Value": "", + "Targets": [ + { + "Name": "parVirtualNetworkIdToLink.value", + "Destination": "Parameters" + } + ] + }, + "VirtualWanName": { + "source": "powershell", + "type": "string", + "Value": "alz-vwan-{%Location%}", + "Targets": [ + { + "Name": "parVirtualWanName.value", + "Destination": "Parameters" + } + ] + }, + "AzFirewallName": { + "source": "powershell", + "type": "string", + "Value": "alz-azfw-{%Location%}", + "Targets": [ + { + "Name": "parAzFirewallName.value", + "Destination": "Parameters" + } + ] + }, + "FirewallPoliciesName": { + "source": "powershell", + "type": "string", + "Value": "alz-azfwpolicy-{%Location%}", + "Targets": [ + { + "Name": "parAzFirewallPoliciesName.value", + "Destination": "Parameters" + } + ] + }, + "AK8sPrivateLink": { + "source": "powershell", + "type": "string", + "Value": "privatelink.{%Location%}.azmk8s.io", + "Targets": [ + { + "Name": "parPrivateDnsZones.value[0]", + "Destination": "Parameters" + } + ] + }, + "BatchPrivateLink": { + "source": "powershell", + "type": "string", + "Value": "privatelink.{%Location%}.batch.azure.com", + "Targets": [ + { + "Name": "parPrivateDnsZones.value[1]", + "Destination": "Parameters" + } + ] + }, + "KustoPrivateLink": { + "source": "powershell", + "type": "string", + "Value": "privatelink.{%Location%}.kusto.windows.net", + "Targets": [ + { + "Name": "parPrivateDnsZones.value[2]", + "Destination": "Parameters" + } + ] + }, + "BackupPrivateLink": { + "source": "powershell", + "type": "string", + "Value": "privatelink.{%Location%}.backup.windowsazure.com", + "Targets": [ + { + "Name": "parPrivateDnsZones.value[3]", + "Destination": "Parameters" + } + ] + }, + "ConnectivityResourceGroupName": { + "source": "powershell", + "type": "string", + "Value": "rg-{%Prefix%}-connectivity", + "Targets": [ + { + "Name": "CONNECTIVITY_RESOURCE_GROUP", + "Destination": "Environment" + }, + { + "File": "resourceGroupConnectivity.parameters.all.json", + "Name": "parResourceGroupName.value", + "Destination": "Parameters" + } + ] + }, + "LoggingResourceGroupName": { + "source": "powershell", + "type": "string", + "Value": "rg-{%Prefix%}-logging", + "Targets": [ + { + "Name": "LOGGING_RESOURCE_GROUP", + "Destination": "Environment" + }, + { + "File": "resourceGroupLoggingAndSentinel.parameters.all.json", + "Name": "parResourceGroupName.value", + "Destination": "Parameters" + } + ] + }, + "RootParentManagementGroupId": { + "source": "powershell", + "type": "string", + "Value": "", + "Targets": [ + { + "Name": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "Destination": "Environment" + }, + { + "File": "managementGroups.parameters.all.json", + "Name": "parTopLevelManagementGroupParentId.value", + "Destination": "Parameters" + } + ] + }, + "AvailabilityZones": { + "source": "powershell", + "type": "list(string)", + "Value": "", + "Targets": [ + { + "Name": "AVAILABILITY_ZONES", + "Destination": "Environment" + }, + { + "File": "vwanConnectivity.parameters.all.json", + "Name": "parVirtualWanHubs.value[0].parAzFirewallAvailabilityZones", + "Destination": "Parameters" + }, + { + "File": "hubNetworking.parameters.all.json", + "Name": "parAzErGatewayAvailabilityZones.value", + "Destination": "Parameters" + }, + { + "File": "hubNetworking.parameters.all.json", + "Name": "parAzVpnGatewayAvailabilityZones.value", + "Destination": "Parameters" + }, + { + "File": "hubNetworking.parameters.all.json", + "Name": "parAzFirewallAvailabilityZones.value", + "Destination": "Parameters" + } + ] + } + } + }, + "test": { + "location": ".", + "short_name": "Test", + "description": "Test Azure Landing Zones Deployment for e2e testing", + "destroy_script_path": "accelerator/scripts/destroy-landing-zone.ps1", + "folders_or_files_to_retain": [ + "accelerator", + "infra-as-code/bicep/modules/resourceGroup", + "infra-as-code/bicep/CRML/customerUsageAttribution" + ], + "subfolders_or_files_to_remove" : [ + "media", + "samples", + "generateddocs", + ".azuredevops/pipelines", + ".github/workflows", + "pipeline-scripts", + "china", + "parameters", + "README.md", + "ALZ-Powershell.config.json" + ], + "on_demand_folders" : [ + { + "target": "infra-as-code", + "source": "infra-as-code" + } + ], + "deployment_file_groups" : [ + { + "name": "management_groups", + "displayName": "Management Groups", + "order": 1 + }, + { + "name": "resource_groups", + "displayName": "Resource Groups", + "order": 2 + } + ], + "deployment_files": [ + { + "name": "management_groups", + "displayName": "Management Groups Deployment", + "templateFilePath": "./accelerator/test_modules/managementGroup/managementGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/managementGroup.parameters.all.json", + "templateParametersSourceFilePath": "./accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json", + "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": true, + "order": 1, + "group": "management_groups" + }, + { + "name": "management_resource_group", + "displayName": "Management Resource Group Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/resourceGroupManagement.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", + "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", + "deploymentType": "subscription", + "firstRunWhatIf": true, + "order": 2, + "group": "resource_groups" + }, + { + "name": "connectivity_resource_group", + "displayName": "Connectivity Resource Group Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/resourceGroupConnectivity.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", + "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", + "deploymentType": "subscription", + "firstRunWhatIf": true, + "order": 3, + "group": "resource_groups" + }, + { + "name": "identity_resource_group", + "displayName": "Identity Resource Group Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/resourceGroupIdentity.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", + "subscriptionId": "IDENTITY_SUBSCRIPTION_ID", + "deploymentType": "subscription", + "firstRunWhatIf": true, + "order": 4, + "group": "resource_groups" + } + ], + "inputs": { + "ReleaseVersion": { + "source": "powershell", + "type": "string", + "Targets": [ + { + "Name": "RELEASE_VERSION", + "Destination": "Environment" + } + ] + }, + "Prefix": { + "source": "input", + "type": "string", + "description": "The prefix that will be added to all resources created by this deployment. (e.g. 'alz')", + "Targets": [ + { + "Name": "parTopLevelManagementGroupPrefix.value", + "Destination": "Parameters" + }, + { + "name": "MANAGEMENT_GROUP_ID", + "Destination": "Environment" + }, + { + "Name": "PREFIX", + "Destination": "Environment" + } + ], + "default": "alz", + "validation": "azure_name" + }, + "Location": { + "source": "input", + "type": "string", + "description": "Deployment location. (e.g. 'uksouth')", + "Targets": [ + { + "Name": "parLocation.value", + "Destination": "Parameters" + }, + { + "Name": "LOCATION", + "Destination": "Environment" + } + ], + "validation": "azure_location" + }, + "Environment": { + "source": "input", + "type": "string", + "description": "The Type of environment that will be created. (e.g. 'live', 'canary')", + "Targets": [ + { + "Name": "parTags.value.Environment", + "Destination": "Parameters" + } + ], + "default": "live", + "validation": "azure_name_section" + }, + "networkType": { + "source": "input", + "type": "string", + "description": "The type of networking to deploy. (e.g. 'hubNetworking', 'vwanConnectivity')", + "default": "hubNetworking", + "Targets": [ + { + "Name": "NETWORK_TYPE", + "Destination": "Environment" + } + ], + "validation": "network_type" + }, + "IdentitySubscriptionId": { + "source": "input", + "type": "string", + "description": "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')", + "validation": "azure_subscription_id", + "Targets": [ + { + "Name": "IDENTITY_SUBSCRIPTION_ID", + "Destination": "Environment" + } + ] + }, + "ConnectivitySubscriptionId": { + "source": "input", + "type": "string", + "description": "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')", + "validation": "azure_subscription_id", + "Targets": [ + { + "Name": "CONNECTIVITY_SUBSCRIPTION_ID", + "Destination": "Environment" + } + ] + }, + "ManagementSubscriptionId": { + "source": "input", + "type": "string", + "description": "The identifier of the Management Subscription. (e.g 00000000-0000-0000-0000-000000000000)", + "validation": "azure_subscription_id", + "Targets": [ + { + "Name": "MANAGEMENT_SUBSCRIPTION_ID", + "Destination": "Environment" + } + ] + }, + "RootParentManagementGroupId": { + "source": "powershell", + "type": "string", + "Value": "", + "Targets": [ + { + "Name": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "Destination": "Environment" + }, + { + "File": "managementGroup.parameters.all.json", + "Name": "parTopLevelManagementGroupParentId.value", + "Destination": "Parameters" + } + ] + }, + "ConnectivityResourceGroupName": { + "source": "powershell", + "type": "string", + "Value": "rg-{%Prefix%}-connectivity", + "Targets": [ + { + "Name": "CONNECTIVITY_RESOURCE_GROUP", + "Destination": "Environment" + }, + { + "File": "resourceGroupConnectivity.parameters.all.json", + "Name": "parResourceGroupName.value", + "Destination": "Parameters" + } + ] + }, + "ManagementResourceGroupName": { + "source": "powershell", + "type": "string", + "Value": "rg-{%Prefix%}-management", + "Targets": [ + { + "Name": "MANAGEMENT_RESOURCE_GROUP", + "Destination": "Environment" + }, + { + "File": "resourceGroupManagement.parameters.all.json", + "Name": "parResourceGroupName.value", + "Destination": "Parameters" + } + ] + }, + "IdentityResourceGroupName": { + "source": "powershell", + "type": "string", + "Value": "rg-{%Prefix%}-identity", + "Targets": [ + { + "Name": "IDENTITY_RESOURCE_GROUP", + "Destination": "Environment" + }, + { + "File": "resourceGroupIdentity.parameters.all.json", + "Name": "parResourceGroupName.value", + "Destination": "Parameters" + } + ] + }, + "AvailabilityZones": { + "source": "powershell", + "type": "list(string)", + "Value": "", + "Targets": [ + { + "Name": "AVAILABILITY_ZONES", + "Destination": "Environment" + } + ] + } + } + } + } +} diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1 new file mode 100644 index 000000000..57347ea0e --- /dev/null +++ b/accelerator/scripts/destroy-landing-zone.ps1 @@ -0,0 +1,190 @@ +## This script is derived from the original by Jack Tracey, which you can find here: https://github.com/jtracey93/PublicScripts/blob/master/Azure/PowerShell/Enterprise-scale/Wipe-ESLZAzTenant.ps1 + +param ( + [bool]$whatIfEnabled = $true, + [string]$prefix = $env:PREFIX, + [string]$intermediateRootGroupID = $env:MANAGEMENT_GROUP_ID, + [string]$tenantRootGroupID = $env:ROOT_PARENT_MANAGEMENT_GROUP_ID, + [string]$connectivitySubscriptionId = $env:CONNECTIVITY_SUBSCRIPTION_ID, + [string]$identitySubscriptionId = $env:IDENTITY_SUBSCRIPTION_ID, + [string]$managementSubscriptionId = $env:MANAGEMENT_SUBSCRIPTION_ID +) + +if($whatIfEnabled) { + Write-Warning "The deploy stage of this run will delete all aspects of your landing zone. This includes all resources in your platform subscriptions. Please ensure you have a backup of any data you wish to keep." + Write-Warning "DANGER! DO NOT APPROVE THIS RUN UNLESS YOU ARE CERTAIN YOU WANT TO DELETE EVERYTHING." + exit 0 +} + +$managementGroups = Get-AzManagementGroup +$managementGroup = $managementGroups | Where-Object { $_.Name -eq $intermediateRootGroupID } +if($null -eq $managementGroup) { + Write-Warning "The $intermediateRootGroupID does not exist, so there is nothing to delete." + exit 0 +} + +if ($tenantRootGroupID -eq "") { + $tenantRootGroupID = (Get-AzContext).Tenant.TenantId +} +$resetMdfcTierOnSubs = $true + +#Toggle to stop warnings with regards to DisplayName and DisplayId +Set-Item Env:\SuppressAzurePowerShellBreakingChangeWarnings "true" + +# Start timer +$StopWatch = New-Object -TypeName System.Diagnostics.Stopwatch +$StopWatch.Start() + +# Get all Subscriptions that are in the Intermediate Root Management Group's hierarchy tree +$intermediateRootGroupChildSubscriptions = Search-AzGraph -Query "resourcecontainers | where type =~ 'microsoft.resources/subscriptions' | mv-expand mgmtGroups=properties.managementGroupAncestorsChain | where mgmtGroups.name =~ '$intermediateRootGroupID' | project subName=name, subID=subscriptionId, subState=properties.state, aadTenantID=tenantId, mgID=mgmtGroups.name, mgDisplayName=mgmtGroups.displayName" + +Write-Output "Moving all subscriptions under root management group" + +# For each Subscription in Intermediate Root Management Group's hierarchy tree, move it to the Tenant Root Management Group +$intermediateRootGroupChildSubscriptions | ForEach-Object -Parallel { + # The name 'Tenant Root Group' doesn't work. Instead, use the GUID of your Tenant Root Group + if ($_.subState -ne "Disabled") { + Write-Output "Moving Subscription: '$($_.subName)' under Tenant Root Management Group: '$($using:tenantRootGroupID)'" + New-AzManagementGroupSubscription -GroupId $using:tenantRootGroupID -SubscriptionId $_.subID | Out-Null + } +} + +# For each Subscription in the Intermediate Root Management Group's hierarchy tree, remove all Resources, Resource Groups and Deployments +Write-Output "Removing all Azure Resources, Resource Groups and Deployments from Subscriptions in scope" + +$subscriptionsToClean = @() +ForEach ($subscription in $intermediateRootGroupChildSubscriptions) { + $subscriptionsToClean += @{ + name = $subscription.subName + id = $subscription.subID + } +} + +$subscriptionIds = $subscriptionsToClean | Select-Object -ExpandProperty id + +if($subscriptionIds -notcontains $managementSubscriptionId) { + $subscriptionsToClean += @{ + name = "Management" + id = $managementSubscriptionId + } + $subscriptionIds += $managementSubscriptionId +} + +if($subscriptionIds -notcontains $identitySubscriptionId) { + $subscriptionsToClean += @{ + name = "Identity" + id = $identitySubscriptionId + } + $subscriptionIds += $identitySubscriptionId +} + +if($subscriptionIds -notcontains $connectivitySubscriptionId) { + $subscriptionsToClean += @{ + name = "Connectivity" + id = $connectivitySubscriptionId + } + $subscriptionIds += $connectivitySubscriptionId +} + +ForEach ($subscription in $subscriptionsToClean) { + Write-Output "Set context to Subscription: '$($subscription.name)'" + Set-AzContext -Subscription $subscription.id | Out-Null + + # Get all Resource Groups in Subscription + $resourceGroups = Get-AzResourceGroup + + $resourceGroupsToRemove = @() + ForEach ($resourceGroup in $resourceGroups) { + if ($resourceGroup.ResourceGroupName -like "rg-$prefix*") { + $resourceGroupsToRemove += $resourceGroup.ResourceGroupName + } + } + + $resourceGroupsToRemove | ForEach-Object -Parallel { + Write-Output "Deleting $_..." + Remove-AzResourceGroup -Name $_ -Force | Out-Null + } + + # Get Deployments for Subscription + $subDeployments = Get-AzSubscriptionDeployment + + Write-Output "Removing All Successful Subscription Deployments for: $($subscription.name)" + + $deploymentsToRemove = @() + ForEach ($deployment in $subDeployments) { + if ($deployment.DeploymentName -like "$prefix*" -and $deployment.ProvisioningState -eq "Succeeded") { + $deploymentsToRemove += $deployment + } + } + + # For each Subscription level deployment, remove it + $deploymentsToRemove | ForEach-Object -Parallel { + Write-Output "Removing $($_.DeploymentName) ..." + Remove-AzSubscriptionDeployment -Id $_.Id | Out-Null + } + + # Set MDFC tier to Free for each Subscription + if ($resetMdfcTierOnSubs) { + Write-Output "Resetting MDFC tier to Free for Subscription: $($subscription.name)" + + $currentMdfcForSubUnfiltered = Get-AzSecurityPricing + $currentMdfcForSub = $currentMdfcForSubUnfiltered | Where-Object { $_.PricingTier -ne "Free" } + + ForEach ($mdfcPricingTier in $currentMdfcForSub) { + Write-Output "Resetting $($mdfcPricingTier.Name) to Free MDFC Pricing Tier for Subscription: $($subscription.name)" + + Set-AzSecurityPricing -Name $mdfcPricingTier.Name -PricingTier 'Free' | Out-Null + } + } +} + +# This function only deletes Management Groups in the Intermediate Root Management Group's hierarchy tree and will NOT delete other Intermediate Root level Management Groups and their children e.g. in the case of "canary" + +function Remove-Recursively { + [CmdletBinding(SupportsShouldProcess = $true)] + param ( + [string]$name + ) + if($PSCmdlet.ShouldProcess($name, "Remove-AzManagementGroup")) { + # Enters the parent Level + Write-Output "Entering the scope with $name" + $parent = Get-AzManagementGroup -GroupId $name -Expand -Recurse + + # Checks if there is any parent level + if ($null -ne $parent.Children) { + Write-Output "Found the following Children :" + Write-Output ($parent.Children | Select-Object Name).Name + + foreach ($children in $parent.Children) { + # Tries to recur to each child item + Remove-Recursively($children.Name) + } + } + + # If no children are found at each scope + Write-Output "No children found in scope $name" + Write-Output "Removing the scope $name" + + Remove-AzManagementGroup -InputObject $parent | Out-Null + } +} + +# Check if Management Group exists for idempotency +$managementGroups = Get-AzManagementGroup +$managementGroup = $managementGroups | Where-Object { $_.Name -eq $intermediateRootGroupID } + +if($null -eq $managementGroup) { + Write-Output "Management Group with ID: '$intermediateRootGroupID' does not exist." +} else { + Write-Output "Management Group with ID: '$intermediateRootGroupID' exists. Proceeding with deletion." + + # Remove all the Management Groups in Intermediate Root Management Group's hierarchy tree, including itself + Remove-Recursively($intermediateRootGroupID) +} + +# Stop timer +$StopWatch.Stop() + +# Display timer output as table +Write-Output "Time taken to complete task:" +$StopWatch.Elapsed | Format-Table diff --git a/accelerator/test_modules/managementGroup/managementGroup.bicep b/accelerator/test_modules/managementGroup/managementGroup.bicep new file mode 100644 index 000000000..b7950c5e0 --- /dev/null +++ b/accelerator/test_modules/managementGroup/managementGroup.bicep @@ -0,0 +1,36 @@ +targetScope = 'managementGroup' + +metadata name = 'ALZ Bicep - Management Groups Module with Scope Escape' +metadata description = 'ALZ Bicep Module to set up Management Group structure, using Scope Escaping feature of ARM to allow deployment not requiring tenant root scope access.' + +@sys.description('Prefix used for the management group hierarchy. This management group will be created as part of the deployment.') +@minLength(2) +@maxLength(10) +param parTopLevelManagementGroupPrefix string = 'alz' + +@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix') +@maxLength(10) +param parTopLevelManagementGroupSuffix string = '' + +@sys.description('Display name for top level management group. This name will be applied to the management group prefix defined in parTopLevelManagementGroupPrefix parameter.') +@minLength(2) +param parTopLevelManagementGroupDisplayName string = 'Azure Landing Zones' + +@sys.description('Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty, default, will deploy beneath Tenant Root Management Group.') +param parTopLevelManagementGroupParentId string = '' + +resource resTopLevelMg 'Microsoft.Management/managementGroups@2023-04-01' = { + scope: tenant() + name: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}' + properties: { + displayName: parTopLevelManagementGroupDisplayName + details: { + parent: { + id: empty(parTopLevelManagementGroupParentId) ? '/providers/Microsoft.Management/managementGroups/${tenant().tenantId}' : contains(toLower(parTopLevelManagementGroupParentId), toLower('/providers/Microsoft.Management/managementGroups/')) ? parTopLevelManagementGroupParentId : '/providers/Microsoft.Management/managementGroups/${parTopLevelManagementGroupParentId}' + } + } + } +} + +// Output Management Group IDs +output outTopLevelManagementGroupId string = resTopLevelMg.id diff --git a/accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json b/accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json new file mode 100644 index 000000000..b8d621174 --- /dev/null +++ b/accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parTopLevelManagementGroupPrefix": { + "value": "alz" + }, + "parTopLevelManagementGroupSuffix": { + "value": "" + }, + "parTopLevelManagementGroupDisplayName": { + "value": "Azure Landing Zones" + }, + "parTopLevelManagementGroupParentId": { + "value": "" + } + } +} diff --git a/docs/wiki/Accelerator.md b/docs/wiki/Accelerator.md index 48a669f5b..73327755a 100644 --- a/docs/wiki/Accelerator.md +++ b/docs/wiki/Accelerator.md @@ -1,10 +1,20 @@ -## ALZ Bicep Accelerator +## ALZ Bicep Accelerator (Classic) -This document provides prescriptive guidance around implementing, automating, and maintaining your ALZ Bicep module with the ALZ Bicep Accelerator. +> [!IMPORTANT] +> The ALZ Bicep Accelerator has been updated to automate the bootstrapping of your Version Control System and Azure resources. The ALZ Bicep Accelerator's documentation has been moved to [aka.ms/alz/accelerator/docs](https://aka.ms/alz/accelerator/docs). Head over there now to get started! +> Use the instructions below only if you need to use the classic version of the ALZ Bicep Accelerator. -### What is the ALZ Bicep Accelerator? +### Deprecation Notice + +> [!WARNING] +> The classic version of the ALZ Bicep Accelerator will be maintained for a limited time. We recommend migrating to the new version as soon as possible. + +### What is the ALZ Bicep Accelerator (Classic)? + +> [!NOTE] +> These instructions now include the `-bicepLegacyMode $true` parameter, which needs be set explicily to use the classic version. The ALZ Bicep Accelerator framework was developed to provide end-users with the following abilities: @@ -67,7 +77,7 @@ In order to setup the Accelerator framework with the production GitHub Action Wo 1. Create your ALZ Bicep Accelerator framework with the following ALZ PowerShell Module cmdlet: ```powershell - Deploy-Accelerator -o -i "bicep" -b "alz_github + Deploy-Accelerator -o -i "bicep" -b "alz_github" -bicepLegacyMode $true ``` > **Note:** @@ -137,7 +147,7 @@ In order to setup the Accelerator framework with the production ready Azure DevO 1. Create your ALZ Bicep Accelerator framework with the following ALZ PowerShell Module cmdlet: ```powershell - Deploy-Accelerator -o -i "bicep" -b "alz_azuredevops" + Deploy-Accelerator -o -i "bicep" -b "alz_azuredevops" -bicepLegacyMode $true ``` > **Note:** @@ -217,20 +227,20 @@ The ALZ-Bicep repository regularly releases new [versions](https://github.com/Az With the ALZ Accelerator framework, we have designed the pipelines and directory structure to make it easy to upgrade to the latest ALZ Bicep version. The following steps will guide you through the upgrade process. -1. Prior to upgrading, read the release note:s for the version you are upgrading to. The release note:s will provide you with information on any breaking changes that may impact your deployment. This is especially important if you have created any custom modules or have [modified any of the ALZ Bicep modules](#incorporating-modified-alz-modules) that may have dependencies on the modules that are being upgraded. +1. Prior to upgrading, read the release notes for the version you are upgrading to. The release notes will provide you with information on any breaking changes that may impact your deployment. This is especially important if you have created any custom modules or have [modified any of the ALZ Bicep modules](#incorporating-modified-alz-modules) that may have dependencies on the modules that are being upgraded. 1. Using the ALZ PowerShell Module, you can update to the latest or a specified version. You must specifiy the same IaC, Bootstrap and Output directory that you used when you initially deployed the ALZ Bicep Accelerator. Here is an example of using the cmdlet to upgrade to the latest version: ```powershell - Deploy-Accelerator -i "bicep" -b "alz_github" -o "C:\Repos\ALZ\accelerator" + Deploy-Accelerator -i "bicep" -b "alz_github" -o "C:\Repos\ALZ\accelerator" -bicepLegacyMode $true ``` Here is an example of using the to upgrade to version v0.17.2: ```powershell - Deploy-Accelerator -i "bicep" -b "alz_github" -v "v0.17.2" -o "C:\Repos\ALZ\accelerator" + Deploy-Accelerator -i "bicep" -b "alz_github" -v "v0.17.2" -o "C:\Repos\ALZ\accelerator" -bicepLegacyMode $true ``` You will be prompted for inputs again and the upgrade will be run for you. diff --git a/infra-as-code/bicep/modules/README.md b/infra-as-code/bicep/modules/README.md index d252a94af..c1d5bf847 100644 --- a/infra-as-code/bicep/modules/README.md +++ b/infra-as-code/bicep/modules/README.md @@ -12,7 +12,6 @@ To get started with ALZ Bicep, please refer to the [Deployment Flow wiki page][w 2. High-level deployment flow. 3. Links to more detailed instructions on individual modules. - [//]: # (************************) [//]: # (INSERT LINK LABELS BELOW) [//]: # (************************) diff --git a/version.json b/version.json index c2c88a6c1..e92f40423 100644 --- a/version.json +++ b/version.json @@ -1,6 +1,6 @@ { - "version": "0.18.0", - "gitTag": "v0.18.0", - "releaseNotes": "https://github.com/Azure/ALZ-Bicep/releases/tag/v0.18.0", - "releaseDateTimeUTC": "20240709T0222079056Z" + "version": "0.19.0", + "gitTag": "v0.19.0", + "releaseNotes": "https://github.com/Azure/ALZ-Bicep/releases/tag/v0.19.0", + "releaseDateTimeUTC": "20240713T1000000000Z" }