Add MG Flexibility Feature & Intermediate Root MG Parent Flexibility (#276)

* add mg flexibility feature

* add mg top level parent flex

* add what-if to testing

* set param back to default

* update codetour
jtracey93 authored Jul 4, 2022
1 parent aebf60d commit be28a4c
Showing 5 changed files with 247 additions and 58 deletions.
95 changes: 89 additions & 6 deletions .vscode/tours/E2Etesttour.tour
Expand Up @@ -333,18 +333,101 @@
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"description": "Takes output variable from previous job to later determine if anything was deployed. ",
"line": 251
"selection": {
"start": {
"line": 248,
"character": 1
},
"end": {
"line": 249,
"character": 1
}
},
"description": "Start ARM WhatIf checks to confirm no false positives from whats just been deployed"
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"selection": {
"start": {
"line": 252,
"character": 1
},
"end": {
"line": 253,
"character": 1
}
},
"description": "Only runs if Management Groups were deployed, using same condition"
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"selection": {
"start": {
"line": 256,
"character": 1
},
"end": {
"line": 257,
"character": 1
}
},
"description": "Run WhatIf deployment and only report on changes, if any."
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"selection": {
"start": {
"line": 259,
"character": 11
},
"end": {
"line": 261,
"character": 17
}
},
"description": "If there are any changes fail the step and report as output to Azure DevOps Pipeline"
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"description": "Run cleanup if anything was deployed.",
"line": 258
"selection": {
"start": {
"line": 267,
"character": 1
},
"end": {
"line": 268,
"character": 1
}
},
"description": "Takes output variable from previous job to later determine if anything was deployed. "
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"description": "Run PowerShell script to do the following (in order):\r\n- Move subscription from connectivity management group to tenant root group.\r\n- Delete all resource groups in subscription\r\n- Remove all subscription scope deployments\r\n- Remove all tenant scope deployments\r\n- Remove management group structure\r\n",
"line": 262
"selection": {
"start": {
"line": 274,
"character": 1
},
"end": {
"line": 275,
"character": 1
}
},
"description": "Run cleanup if anything was deployed."
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"selection": {
"start": {
"line": 275,
"character": 5
},
"end": {
"line": 281,
"character": 17
}
},
"description": "Run PowerShell script to do the following (in order):\r\n- Move subscription from connectivity management group to tenant root group.\r\n- Delete all resource groups in subscription\r\n- Remove all subscription scope deployments\r\n- Remove all tenant scope deployments\r\n- Remove management group structure"
}
]
}
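Review bot: typo in the new step description for the selection covering lines 248-249: "from whats just been deployed" should read "from what's just been deployed". The description moved to the 267-268 step also keeps a trailing space after "deployed. " that the other descriptions do not have. Otherwise the switch from single `"line"` anchors to `"selection"` start/end ranges is applied consistently across all the new steps.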
114 changes: 87 additions & 27 deletions infra-as-code/bicep/modules/managementGroups/README.md
Expand Up @@ -18,38 +18,98 @@ The Management Groups module deploys a management group hierarchy in a customer'

The module requires the following inputs:

| Parameter | Type | Description | Requirements | Example |
| ------------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | --------------------- |
| parTopLevelManagementGroupPrefix | string | Prefix for the management group hierarchy. This management group will be created as part of the deployment. | 2-10 characters | `alz` |
| parTopLevelManagementGroupDisplayName | string | Display name for top level management group. This name will be applied to the management group prefix defined in `parTopLevelManagementGroupPrefix` parameter. | Minimum two characters | `Azure Landing Zones` |
| parTelemetryOptOut | bool | Set Parameter to true to Opt-out of deployment telemetry | Mandatory input, default: `false` | `false` |
| Parameter | Type | Description | Requirements | Example |
| ------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------- | --------------------------------------------------------------------------------------- |
| parTopLevelManagementGroupPrefix | string | Prefix for the management group hierarchy. This management group will be created as part of the deployment. | 2-10 characters | `alz` |
| parTopLevelManagementGroupDisplayName | string | Display name for top level management group. This name will be applied to the management group prefix defined in `parTopLevelManagementGroupPrefix` parameter. | Minimum two characters | `Azure Landing Zones` |
| parTopLevelManagementGroupParentId | string | Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty, default, will deploy beneath Tenant Root Management Group. | Not required input, default `''` | `/providers/Microsoft.Management/managementGroups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` |
| parLandingZoneMgAlzDefaultsEnable | bool | Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true. | Mandatory input, default: `true` | `true` |
| parLandingZoneMgConfidentialEnable | bool | Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true. | Mandatory input, default: `false` | `false` |
| parLandingZoneMgChildren | object | Dictionary Object to allow additional or different child Management Groups of Landing Zones Management Group to be deployed. | Not required input, default `{}` | `{pci: {displayName: 'PCI'}}` |
| parTelemetryOptOut | bool | Set Parameter to true to Opt-out of deployment telemetry | Mandatory input, default: `false` | `false` |

### Child Landing Zone Management Groups Flexibility

This module allows some flexibility for deploying child Landing Zone Management Groups, e.g. Management Groups that live beneath the Landing Zones Management Group. This flexibility is controlled by three parameters which are detailed below. All of these parameters can be used together to tailor the child Landing Zone Management Groups.

- `parLandingZoneMgAlzDefaultsEnable`
- Boolean - defaults to `true`
- **Required**
- Deploys following child Landing Zone Management groups if set to `true`:
- `Corp`
- `Online`
- *These are the default ALZ Management Groups as per the conceptual architecture*
- `parLandingZoneMgConfidentialEnable`
- Boolean - defaults to `false`
- **Required**
- Deploys following child Landing Zone Management groups if set to `true`:
- `Confidential Corp`
- `Confidential Online`
- `parLandingZoneMgChildren`
- Object - default is an empty object `{}`
- **Optional**
- Deploys whatever you specify in the object as child Landing Zone Management groups.

These three parameters are then used to collate a single variable that is used to create the child Landing Zone Management Groups. Duplicates are removed if entered. This is done by using the `union()` function in bicep.

> Investigate the variable called `varLandingZoneMgChildrenUnioned` if you want to see how this works in the module.
#### `parLandingZoneMgChildren` Input Examples

Below are some examples of how to use this input parameter in both Bicep & JSON formats.

##### Bicep Example

```bicep
parLandingZoneMgChildren: {
pci: {
displayName: 'PCI'
}
'another-example': {
displayName: 'Another Example'
}
}
```

##### JSON Parameter File Input Example

```json
"parLandingZoneMgChildren": {
"value": {
"pci": {
"displayName": "PCI"
},
"another-example": {
"displayName": "Another Example"
}
}
}
```

## Outputs

The module will generate the following outputs:

| Output | Type | Example |
| ------------------------------------------ | ------ | -------------------------------------------------------------------------- |
| outTopLevelManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz |
| outPlatformManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform |
| outPlatformManagementManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-management |
| outPlatformConnectivityManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-connectivity |
| outPlatformIdentityManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-identity |
| outLandingZonesManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones |
| outLandingZonesCorpManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones-corp |
| outLandingZonesOnlineManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones-online |
| outSandboxManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-sandbox |
| outDecommissionedManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-decommissioned |
| outTopLevelManagementGroupName | string | alz |
| outPlatformManagementGroupName | string | alz-platform |
| outPlatformManagementManagementGroupName | string | alz-platform-management |
| outPlatformConnectivityManagementGroupName | string | alz-platform-connectivity |
| outPlatformIdentityManagementGroupName | string | alz-platform-identity |
| outLandingZonesManagementGroupName | string | alz-landingzones |
| outLandingZonesCorpManagementGroupName | string | alz-landingzones-corp |
| outLandingZonesOnlineManagementGroupName | string | alz-landingzones-online |
| outSandboxManagementGroupName | string | alz-sandbox |
| outDecommissionedManagementGroupName | string | alz-decommissioned |
| Output | Type | Example |
| ------------------------------------------ | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| outTopLevelManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz |
| outPlatformManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform |
| outPlatformManagementManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-management |
| outPlatformConnectivityManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-connectivity |
| outPlatformIdentityManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-identity |
| outLandingZonesManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones |
| outLandingZoneChildrenManagementGroupIds | array | `[/providers/Microsoft.Management/managementGroups/alz-landingzones-corp, /providers/Microsoft.Management/managementGroups/alz-landingzones-online]` |
| outSandboxManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-sandbox |
| outDecommissionedManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-decommissioned |
| outTopLevelManagementGroupName | string | alz |
| outPlatformManagementGroupName | string | alz-platform |
| outPlatformManagementManagementGroupName | string | alz-platform-management |
| outPlatformConnectivityManagementGroupName | string | alz-platform-connectivity |
| outPlatformIdentityManagementGroupName | string | alz-platform-identity |
| outLandingZonesManagementGroupName | string | alz-landingzones |
| outLandingZoneChildrenManagementGroupNames | array | `[Corp, Online]` |
| outSandboxManagementGroupName | string | alz-sandbox |
| outDecommissionedManagementGroupName | string | alz-decommissioned |

## Deployment

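Review bot: the Outputs table drops `outLandingZonesCorpManagementGroupId`, `outLandingZonesOnlineManagementGroupId` and the matching `...Name` outputs in favour of the array outputs `outLandingZoneChildrenManagementGroupIds` and `outLandingZoneChildrenManagementGroupNames`; that is a breaking change for any caller that references the removed outputs by name, so it should be called out explicitly in the README (or the commit message) rather than appearing only as a table edit. Two smaller points: the new `parTopLevelManagementGroupParentId` parameter is documented only in the inputs table, so a short note on the expected value (the example uses the full resource ID form `/providers/Microsoft.Management/managementGroups/<id>`) and on the behaviour when it is left empty would help, in the same style as the child Management Groups section; and a blank line is missing between the `> Investigate the variable ...` blockquote and the following `#### parLandingZoneMgChildren Input Examples` heading, which some Markdown renderers need in order to end the blockquote. Also, "e.g. Management Groups that live beneath" should be "i.e.", since the phrase defines the term rather than giving an instance of it.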
