Change deployment scope for MG Diagnostics #338 (#372)

* Updated README to show new scope at mg level * Changes to mgDiagSettingsAll.bicep with new mg deployment scope * Added mgDiagSettingsAll as a new orchestration module to the list * Fixed a URL tfor step 4.1 to point to the corret module * Update infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> * Changed the test-pipelines to reflec the deployment at the mg level now Co-authored-by: Luis Chaves <luchaves@microsoft.com> Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Azure · Nov 3, 2022 · d2accf8 · d2accf8
1 parent 503e9af
commit d2accf8
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 27 deletions.
diff --git a/docs/wiki/DeploymentFlow.md b/docs/wiki/DeploymentFlow.md
@@ -75,6 +75,8 @@ The current available orchestration modules are listed below:
 | --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
 | hubPeeredSpoke  | Creates Spoke networking infrastructure for workloads with Virtual Network Peering (optional) to support Hub & Spoke network topology or Virtual Hub Connection (optional). Also can optionally place Subscription in specified Management Group, create VNet Peering in both directions, create UDR and configure a next hop IP for the default route (`0.0.0.0/0`) ***Review docs of module for more information.*** | [infra-as-code/bicep/orchestration/hubPeeredSpoke](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/hubPeeredSpoke)   |
 | subPlacementAll | Moves Subscription IDs that are passed in via the input parameters to the specified Management Group. Useful to have a single module's parameters that are updated over time and can be tracked in git, etc.                                                                                                                                                                                                           | [infra-as-code/bicep/orchestration/subPlacementAll](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/subPlacementAll) |
+| mgDiagSettingsAll | Enables Diagnostic Settings to the Log Analytics Workspace created in the Logging subscription for the Management Groups that are passed in via the input parameters.                                                                                                                                                                                                           | [infra-as-code/bicep/orchestration/mgDiagSettingsAll](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/orchestration/mgDiagSettingsAll) |
+
 
 > Orchestration modules to deliver the entire ALZ deployment in a single Bicep file are on our backlog and being worked on, stay tuned!
 

diff --git a/infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md b/infra-as-code/bicep/orchestration/mgDiagSettingsAll/README.md
@@ -2,19 +2,19 @@
 
 This module acts as an orchestration module that helps enable Diagnostic Settings on the Management Group hierarchy as was defined during the deployment of the Management Group module (this can be deployed via the [`managementGroups.bicep` module](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/managementGroups)), which is also described in the wiki on the [Deployment Flow article](https://github.com/Azure/ALZ-Bicep/wiki/DeploymentFlow).
 
-This is accomplished through a tenant-scoped Azure Resource Manager (ARM) deployment. There are two boolean parameters that should match the options selected during the deployment of Management Group module regarding creation or not of Corp and Online Landing Zones and Confidential Corp and Confidential Online Landing zones.
+This is accomplished through a managementGroup-scoped Azure Resource Manager (ARM) deployment. There are two boolean parameters that should match the options selected during the deployment of Management Group module regarding creation or not of Corp and Online Landing Zones and Confidential Corp and Confidential Online Landing zones.
 It also enables Diagnostic Settings for existing custom child landing zones if those are specified.
 
 
-> This module calls the [`diagSettings.bicep`](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/mgDiagSettings) module multiple times to enable Diagnostic Settings to the desired Management Groups. If you only want to enable Diagnostic Settings at a time to a specified Management Group, then you could consider using the child module directly.
+> This module calls the [`mgDiagSettings.bicep`](https://github.com/Azure/ALZ-Bicep/tree/main/infra-as-code/bicep/modules/mgDiagSettings) module multiple times to enable Diagnostic Settings to the desired Management Groups. If you only want to enable Diagnostic Settings at a time to a specified Management Group, then you could consider using the child module directly.
 
 ## Parameters
 
 The module requires the following inputs:
 
 | Parameter                             | Type   | Description                                                                                                                                                                          | Requirements                      | Example                                                                                 |
 | ------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------- | --------------------------------------------------------------------------------------- |
-| parTopLevelManagementGroupPrefix      | string | Prefix for the management group hierarchy.  This management group will be created as part of the deployment.                                                                         | 2-10 characters, default: `alz`                   | `alz`                                                                                   |
+| parTopLevelManagementGroupPrefix      | string | Prefix for the management group hierarchy.  This management group will be created as part of the deployment.                                                                         | 2-10 characters                   | `alz`                                                                                   |
 | parLandingZoneMgAlzDefaultsEnable     | bool   | Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true.                                                                                       | Mandatory input, default: `true`  | `true`                                                                                  |
 | parLandingZoneMgConfidentialEnable    | bool   | Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true.                                                             | Mandatory input, default: `false` | `false`                                                                                 |
 | parLogAnalyticsWorkspaceResourceId | string   | Resource ID of the Log Analytics Workspace                                                             | Mandatory input | `/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/alz-logging/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics` |
@@ -50,10 +50,14 @@ Below are some examples of how to use this input parameter in both Bicep & JSON
 ##### Bicep Example
 
 ```bicep
-parLandingZoneMgChildren: [
-    'pci'
-    'another-example'
-]
+parLandingZoneMgChildren: {
+  pci: {
+    displayName: 'PCI'
+  }
+  'another-example': {
+    displayName: 'Another Example'
+  }
+}
 ```
 
 ##### JSON Parameter File Input Example
@@ -73,48 +77,53 @@ parLandingZoneMgChildren: [
 
 ## Deployment
 
-In this example, the Diagnostic Settings are enabled on the management groups through a tenant-scoped deployment.
+In this example, the Diagnostic Settings are enabled on the management groups through a managementGroup-scoped deployment.
 
 > For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
 
 ### Azure CLI
 
 ```bash
 # For Azure global regions
-az deployment tenant create \
+az deployment mg create \
   --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep \
   --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json \
-  --location eastus
+  --location eastus \
+  --management-group-id alz
 ```
 
 OR
 
 ```bash
 # For Azure China regions
-az deployment tenant create \
+az deployment mg create \
   --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep \
   --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json \
-  --location chinaeast2
+  --location chinaeast2 \
+  --management-group-id alz
 ```
 
 ### PowerShell
 
 ```powershell
 # For Azure global regions
-New-AzTenantDeployment `
+New-AzManagementGroupDeployment `
   -TemplateFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep `
   -TemplateParameterFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json `
-  -Location eastus
+  -Location eastus `
+  -ManagementGroupId alz
+
 ```
 
 OR
 
 ```powershell
 # For Azure China regions
-New-AzTenantDeployment `
+New-AzManagementGroupDeployment `
   -TemplateFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep `
   -TemplateParameterFile infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json `
-  -Location chinaeast2
+  -Location chinaeast2 `
+  -ManagementGroupId alz
 
 ```
 

diff --git a/infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep b/infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep
@@ -1,23 +1,23 @@
-targetScope = 'tenant'
+targetScope = 'managementGroup'
 
-@description('Prefix used for the management group hierarchy in the managementGroups module. Default: alz')
+@description('Prefix used for the management group hierarchy in the managementGroups module.')
 @minLength(2)
 @maxLength(10)
 param parTopLevelManagementGroupPrefix string = 'alz'
 
-@description('Dictionary Object to allow additional or different child Management Groups of the Landing Zones Management Group. Default: Empty Array')
+@description('Dictionary Object to allow additional or different child Management Groups of the Landing Zones Management Group.')
 param parLandingZoneMgChildren array = []
 
 @description('Log Analytics Workspace Resource ID.')
 param parLogAnalyticsWorkspaceResourceId string
 
-@description('Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true. Default: true')
+@description('Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true.')
 param parLandingZoneMgAlzDefaultsEnable bool = true
 
-@description('Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true. Default: false')
+@description('Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true.')
 param parLandingZoneMgConfidentialEnable bool = false
 
-@description('Set Parameter to true to Opt-out of deployment telemetry. Default: false')
+@description('Set Parameter to true to Opt-out of deployment telemetry')
 param parTelemetryOptOut bool = false
 
 var varMgIds = {
@@ -81,8 +81,9 @@ module modMgChildrenDiagSet '../../modules/mgDiagSettings/mgDiagSettings.bicep'
 }]
 
 // Optional Deployment for Customer Usage Attribution
-module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdTenant.bicep' = if (!parTelemetryOptOut) {
+module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
   #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
   name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
+  scope: managementGroup()
   params: {}
 }
diff --git a/tests/pipelines/base-unit-validate.yml b/tests/pipelines/base-unit-validate.yml
@@ -66,7 +66,6 @@ jobs:
             az account set --subscription $(subscriptionId)
             az provider register -n 'Microsoft.Insights'
 
-
       - task: Bash@3
         displayName: Az CLI Deploy Management Groups for PR
         name: create_mgs
@@ -105,7 +104,7 @@ jobs:
         inputs:
           targetType: "inline"
           script: |
-            az deployment tenant validate --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location)
+            az deployment mg validate --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
       - task: Bash@3
         displayName: Az CLI Validate Subscription Placement for PR

diff --git a/tests/pipelines/bicep-build-to-validate.yml b/tests/pipelines/bicep-build-to-validate.yml
@@ -194,7 +194,7 @@ jobs:
         inputs:
           targetType: "inline"
           script: |
-            az deployment tenant create --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location)
+            az deployment mg create --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location) --management-group-id $(ManagementGroupPrefix)
 
       - task: Bash@3
         displayName: Az CLI Subscription Placement for PR

diff --git a/tests/pipelines/mc-base-unit-validate.yml b/tests/pipelines/mc-base-unit-validate.yml
@@ -85,7 +85,7 @@ jobs:
         inputs:
           targetType: "inline"
           script: |
-            az deployment tenant validate --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location)
+            az deployment mg validate --template-file infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep --parameters @infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.min.json parTopLevelManagementGroupPrefix="$(ManagementGroupPrefix)" parLogAnalyticsWorkspaceResourceId="/subscriptions/$(subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.OperationalInsights/workspaces/alz-log-analytics" --location $(Location) --management-group-id $(ManagementGroupPrefix) --name $(ManagementGroupPrefix)
 
       - task: Bash@3
         displayName: Az CLI Validate Subscription Placement for PR