Add MG Flexibility Feature & Intermediate Root MG Parent Flexibility #276

Merged (5 commits), Jul 4, 2022
95 changes: 89 additions & 6 deletions .vscode/tours/E2Etesttour.tour
Expand Up @@ -333,18 +333,101 @@
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"description": "Takes output variable from previous job to later determine if anything was deployed. ",
"line": 251
"selection": {
"start": {
"line": 248,
"character": 1
},
"end": {
"line": 249,
"character": 1
}
},
"description": "Start ARM WhatIf checks to confirm no false positives from whats just been deployed"
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"selection": {
"start": {
"line": 252,
"character": 1
},
"end": {
"line": 253,
"character": 1
}
},
"description": "Only runs if Management Groups were deployed, using same condition"
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"selection": {
"start": {
"line": 256,
"character": 1
},
"end": {
"line": 257,
"character": 1
}
},
"description": "Run WhatIf deployment and only report on changes, if any."
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"selection": {
"start": {
"line": 259,
"character": 11
},
"end": {
"line": 261,
"character": 17
}
},
"description": "If there are any changes fail the step and report as output to Azure DevOps Pipeline"
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"description": "Run cleanup if anything was deployed.",
"line": 258
"selection": {
"start": {
"line": 267,
"character": 1
},
"end": {
"line": 268,
"character": 1
}
},
"description": "Takes output variable from previous job to later determine if anything was deployed. "
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"description": "Run PowerShell script to do the following (in order):\r\n- Move subscription from connectivity management group to tenant root group.\r\n- Delete all resource groups in subscription\r\n- Remove all subscription scope deployments\r\n- Remove all tenant scope deployments\r\n- Remove management group structure\r\n",
"line": 262
"selection": {
"start": {
"line": 274,
"character": 1
},
"end": {
"line": 275,
"character": 1
}
},
"description": "Run cleanup if anything was deployed."
},
{
"file": "tests/pipelines/bicep-build-to-validate.yml",
"selection": {
"start": {
"line": 275,
"character": 5
},
"end": {
"line": 281,
"character": 17
}
},
"description": "Run PowerShell script to do the following (in order):\r\n- Move subscription from connectivity management group to tenant root group.\r\n- Delete all resource groups in subscription\r\n- Remove all subscription scope deployments\r\n- Remove all tenant scope deployments\r\n- Remove management group structure"
}
]
}
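Review bot: the new step selections hard-code positions in tests/pipelines/bicep-build-to-validate.yml (lines 248 through 281), so the tour will drift onto the wrong lines as soon as that pipeline file is edited; please re-verify every selection against the current file before merging and note in the PR that the tour must be updated alongside the pipeline. Two smaller points on the descriptions: "confirm no false positives from whats just been deployed" should read "what's", and the cleanup step ("Delete all resource groups in subscription", "Remove management group structure") is destructive enough that the description should name which subscription it targets, e.g. "Delete all resource groups in the test subscription", so a reader of the tour does not take it as safe to run elsewhere. The trailing space in "…if anything was deployed. " can also be dropped.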
114 changes: 87 additions & 27 deletions infra-as-code/bicep/modules/managementGroups/README.md
Expand Up @@ -18,38 +18,98 @@ The Management Groups module deploys a management group hierarchy in a customer'

The module requires the following inputs:

| Parameter | Type | Description | Requirements | Example |
| ------------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | --------------------- |
| parTopLevelManagementGroupPrefix | string | Prefix for the management group hierarchy. This management group will be created as part of the deployment. | 2-10 characters | `alz` |
| parTopLevelManagementGroupDisplayName | string | Display name for top level management group. This name will be applied to the management group prefix defined in `parTopLevelManagementGroupPrefix` parameter. | Minimum two characters | `Azure Landing Zones` |
| parTelemetryOptOut | bool | Set Parameter to true to Opt-out of deployment telemetry | Mandatory input, default: `false` | `false` |
| Parameter | Type | Description | Requirements | Example |
| ------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------- | --------------------------------------------------------------------------------------- |
| parTopLevelManagementGroupPrefix | string | Prefix for the management group hierarchy. This management group will be created as part of the deployment. | 2-10 characters | `alz` |
| parTopLevelManagementGroupDisplayName | string | Display name for top level management group. This name will be applied to the management group prefix defined in `parTopLevelManagementGroupPrefix` parameter. | Minimum two characters | `Azure Landing Zones` |
| parTopLevelManagementGroupParentId | string | Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty, default, will deploy beneath Tenant Root Management Group. | Not required input, default `''` | `/providers/Microsoft.Management/managementGroups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` |
| parLandingZoneMgAlzDefaultsEnable | bool | Deploys Corp & Online Management Groups beneath Landing Zones Management Group if set to true. | Mandatory input, default: `true` | `true` |
| parLandingZoneMgConfidentialEnable | bool | Deploys Confidential Corp & Confidential Online Management Groups beneath Landing Zones Management Group if set to true. | Mandatory input, default: `false` | `false` |
| parLandingZoneMgChildren | object | Dictionary Object to allow additional or different child Management Groups of Landing Zones Management Group to be deployed. | Not required input, default `{}` | `{pci: {displayName: 'PCI'}}` |
| parTelemetryOptOut | bool | Set Parameter to true to Opt-out of deployment telemetry | Mandatory input, default: `false` | `false` |

### Child Landing Zone Management Groups Flexibility

This module allows some flexibility for deploying child Landing Zone Management Groups, e.g. Management Groups that live beneath the Landing Zones Management Group. This flexibility is controlled by three parameters which are detailed below. All of these parameters can be used together to tailor the child Landing Zone Management Groups.

- `parLandingZoneMgAlzDefaultsEnable`
- Boolean - defaults to `true`
- **Required**
- Deploys following child Landing Zone Management groups if set to `true`:
- `Corp`
- `Online`
- *These are the default ALZ Management Groups as per the conceptual architecture*
- `parLandingZoneMgConfidentialEnable`
- Boolean - defaults to `false`
- **Required**
- Deploys following child Landing Zone Management groups if set to `true`:
- `Confidential Corp`
- `Confidential Online`
- `parLandingZoneMgChildren`
- Object - default is an empty object `{}`
- **Optional**
- Deploys whatever you specify in the object as child Landing Zone Management groups.

These three parameters are then used to collate a single variable that is used to create the child Landing Zone Management Groups. Duplicates are removed if entered. This is done by using the `union()` function in bicep.

> Investigate the variable called `varLandingZoneMgChildrenUnioned` if you want to see how this works in the module.

#### `parLandingZoneMgChildren` Input Examples

Below are some examples of how to use this input parameter in both Bicep & JSON formats.

##### Bicep Example

```bicep
parLandingZoneMgChildren: {
pci: {
displayName: 'PCI'
}
'another-example': {
displayName: 'Another Example'
}
}
```

##### JSON Parameter File Input Example

```json
"parLandingZoneMgChildren": {
"value": {
"pci": {
"displayName": "PCI"
},
"another-example": {
"displayName": "Another Example"
}
}
}
```

## Outputs

The module will generate the following outputs:

| Output | Type | Example |
| ------------------------------------------ | ------ | -------------------------------------------------------------------------- |
| outTopLevelManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz |
| outPlatformManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform |
| outPlatformManagementManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-management |
| outPlatformConnectivityManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-connectivity |
| outPlatformIdentityManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-identity |
| outLandingZonesManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones |
| outLandingZonesCorpManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones-corp |
| outLandingZonesOnlineManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones-online |
| outSandboxManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-sandbox |
| outDecommissionedManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-decommissioned |
| outTopLevelManagementGroupName | string | alz |
| outPlatformManagementGroupName | string | alz-platform |
| outPlatformManagementManagementGroupName | string | alz-platform-management |
| outPlatformConnectivityManagementGroupName | string | alz-platform-connectivity |
| outPlatformIdentityManagementGroupName | string | alz-platform-identity |
| outLandingZonesManagementGroupName | string | alz-landingzones |
| outLandingZonesCorpManagementGroupName | string | alz-landingzones-corp |
| outLandingZonesOnlineManagementGroupName | string | alz-landingzones-online |
| outSandboxManagementGroupName | string | alz-sandbox |
| outDecommissionedManagementGroupName | string | alz-decommissioned |
| Output | Type | Example |
| ------------------------------------------ | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| outTopLevelManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz |
| outPlatformManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform |
| outPlatformManagementManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-management |
| outPlatformConnectivityManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-connectivity |
| outPlatformIdentityManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-platform-identity |
| outLandingZonesManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-landingzones |
| outLandingZoneChildrenManagementGroupIds | array | `[/providers/Microsoft.Management/managementGroups/alz-landingzones-corp, /providers/Microsoft.Management/managementGroups/alz-landingzones-online]` |
| outSandboxManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-sandbox |
| outDecommissionedManagementGroupId | string | /providers/Microsoft.Management/managementGroups/alz-decommissioned |
| outTopLevelManagementGroupName | string | alz |
| outPlatformManagementGroupName | string | alz-platform |
| outPlatformManagementManagementGroupName | string | alz-platform-management |
| outPlatformConnectivityManagementGroupName | string | alz-platform-connectivity |
| outPlatformIdentityManagementGroupName | string | alz-platform-identity |
| outLandingZonesManagementGroupName | string | alz-landingzones |
| outLandingZoneChildrenManagementGroupNames | array | `[Corp, Online]` |
| outSandboxManagementGroupName | string | alz-sandbox |
| outDecommissionedManagementGroupName | string | alz-decommissioned |

## Deployment

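Review bot: dropping `outLandingZonesCorpManagementGroupId`, `outLandingZonesOnlineManagementGroupId` and their `…Name` counterparts in favour of the array outputs `outLandingZoneChildrenManagementGroupIds` / `outLandingZoneChildrenManagementGroupNames` is a breaking change for any orchestration that consumes those outputs by name; the README (or the release notes for this change) should call that out and show how to pick the Corp and Online entries out of the new arrays. In the same table, the `outLandingZoneChildrenManagementGroupNames` example `[Corp, Online]` shows display names while every other `…Name` output shows the resource name (`alz-landingzones-corp` style); please confirm which the module actually returns and make the example match. In the inputs table, `parTopLevelManagementGroupParentId` should state the accepted format (the example is a full `/providers/Microsoft.Management/managementGroups/<id>` resource ID; say whether a bare management group name is also accepted), and "Mandatory input, default: `true`" (mirrored by **Required** in the bullet list) contradicts itself, since a parameter with a default is optional. Finally, the `union()` paragraph says duplicates are removed but not which definition wins when `parLandingZoneMgChildren` reuses a default key such as `corp`; one sentence on precedence would save readers a trip into `varLandingZoneMgChildrenUnioned`.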