From 97fa4c30425f3f7183bb642fc97a726c075bee96 Mon Sep 17 00:00:00 2001
From: oliverlabs <70239916+oliverlabs@users.noreply.github.com>
Date: Fri, 23 Sep 2022 08:01:49 +0100
Subject: [PATCH 01/15] fixed the subnetId (should be subnetResourceId) old reference for the nicConfigurations array in the readme.md
---
 .../virtualMachines/readme.md | 210 +++++++++---------
 1 file changed, 100 insertions(+), 110 deletions(-)

diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md
index b6b0270d4a..2954587c3f 100644
--- a/modules/Microsoft.Compute/virtualMachines/readme.md
+++ b/modules/Microsoft.Compute/virtualMachines/readme.md
@@ -13,16 +13,16 @@ This module deploys one Virtual Machine with one or multiple nics and optionally
 ## Resource Types
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
-| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.Automanage/configurationProfileAssignments` | [2021-04-30-preview](https://docs.microsoft.com/en-us/azure/templates) |
-| `Microsoft.Compute/virtualMachines` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-07-01/virtualMachines) |
-| `Microsoft.Compute/virtualMachines/extensions` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-07-01/virtualMachines/extensions) |
-| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
-| `Microsoft.Network/networkInterfaces` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/networkInterfaces) |
-| `Microsoft.Network/publicIPAddresses` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/publicIPAddresses) |
+| Resource Type | API Version |
+| :------------------------------------------------------------------------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
+| `Microsoft.Authorization/roleAssignments` | 
[2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
+| `Microsoft.Automanage/configurationProfileAssignments` | [2021-04-30-preview](https://docs.microsoft.com/en-us/azure/templates) |
+| `Microsoft.Compute/virtualMachines` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-07-01/virtualMachines) |
+| `Microsoft.Compute/virtualMachines/extensions` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-07-01/virtualMachines/extensions) |
+| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
+| `Microsoft.Network/networkInterfaces` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/networkInterfaces) |
+| `Microsoft.Network/publicIPAddresses` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/publicIPAddresses) |
 | `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/backupFabrics/protectionContainers/protectedItems) |
 ## Parameters
@@ -30,88 +30,87 @@ This module deploys one Virtual Machine with one or multiple nics and optionally
 **Required parameters**
 | Parameter Name | Type | Default Value | Allowed Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `adminUsername` | secureString | | | Administrator username. |
+| `adminUsername` | secureString | | | Administrator username. |
 | `configurationProfile` | string | `''` | `['', /providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest, /providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction]` | The configuration profile of automanage. |
-| `imageReference` | object | | | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. |
-| `nicConfigurations` | array | | | Configures NICs and PIPs. |
-| `osDisk` | object | | | Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. |
-| `osType` | string | | `[Linux, Windows]` | The chosen OS type. |
-| `vmSize` | string | | | Specifies the size for the VMs. |
+| `imageReference` | object | | | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. |
+| `nicConfigurations` | array | | | Configures NICs and PIPs. |
+| `osDisk` | object | | | Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. |
+| `osType` | string | | `[Linux, Windows]` | The chosen OS type. 
|
+| `vmSize` | string | | | Specifies the size for the VMs. |
 **Optional parameters**
 | Parameter Name | Type | Default Value | Allowed Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
-| `additionalUnattendContent` | array | `[]` | | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. |
-| `adminPassword` | secureString | `''` | | When specifying a Windows Virtual Machine, this value should be passed. |
-| `allowExtensionOperations` | bool | `True` | | Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine. |
-| `availabilitySetResourceId` | string | `''` | | Resource ID of an availability set. Cannot be used in combination with availability zone nor scale set. |
+| `additionalUnattendContent` | array | `[]` | | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. |
+| `adminPassword` | secureString | `''` | | When specifying a Windows Virtual Machine, this value should be passed. |
+| `allowExtensionOperations` | bool | `True` | | Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine. |
+| `availabilitySetResourceId` | string | `''` | | Resource ID of an availability set. Cannot be used in combination with availability zone nor scale set. |
 | `availabilityZone` | int | `0` | `[0, 1, 2, 3]` | If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then availability zones is not used. Cannot be used in combination with availability set nor scale set. |
-| `backupPolicyName` | string | `'DefaultPolicy'` | | Backup policy the VMs should be using for backup. 
If not provided, it will use the DefaultPolicy from the backup recovery service vault. |
-| `backupVaultName` | string | `''` | | Recovery service vault name to add VMs to backup. |
-| `backupVaultResourceGroup` | string | `[resourceGroup().name]` | | Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default. |
-| `bootDiagnostics` | bool | `False` | | Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled. |
-| `bootDiagnosticStorageAccountName` | string | `''` | | Custom storage account used to store boot diagnostic information. Boot diagnostics will be enabled with a custom storage account if a value is provided. |
-| `bootDiagnosticStorageAccountUri` | string | `[format('.blob.{0}/', environment().suffixes.storage)]` | | Storage account boot diagnostic base URI. |
-| `certificatesToBeInstalled` | array | `[]` | | Specifies set of certificates that should be installed onto the virtual machine. |
-| `customData` | string | `''` | | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. |
-| `dataDisks` | array | `[]` | | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. |
-| `dedicatedHostId` | string | `''` | | Specifies resource ID about the dedicated host that the virtual machine resides in. 
|
-| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
-| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
-| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
-| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
-| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
-| `disablePasswordAuthentication` | bool | `False` | | Specifies whether password authentication should be disabled. |
-| `enableAutomaticUpdates` | bool | `True` | | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. |
-| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
-| `enableEvictionPolicy` | bool | `False` | | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. |
-| `enableServerSideEncryption` | bool | `False` | | Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key. |
-| `encryptionAtHost` | bool | `True` | | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. 
Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. |
-| `extensionAntiMalwareConfig` | object | `{object}` | | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. |
-| `extensionCustomScriptConfig` | object | `{object}` | | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. |
-| `extensionCustomScriptProtectedSetting` | secureObject | `{object}` | | Any object that contains the extension specific protected settings. |
-| `extensionDependencyAgentConfig` | object | `{object}` | | The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. |
-| `extensionDiskEncryptionConfig` | object | `{object}` | | The configuration for the [Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. |
-| `extensionDomainJoinConfig` | object | `{object}` | | The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. |
-| `extensionDomainJoinPassword` | secureString | `''` | | Required if name is specified. Password of the user specified in user parameter. |
-| `extensionDSCConfig` | object | `{object}` | | The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. |
-| `extensionMonitoringAgentConfig` | object | `{object}` | | The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. |
-| `extensionNetworkWatcherAgentConfig` | object | `{object}` | | The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. 
|
+| `backupPolicyName` | string | `'DefaultPolicy'` | | Backup policy the VMs should be using for backup. If not provided, it will use the DefaultPolicy from the backup recovery service vault. |
+| `backupVaultName` | string | `''` | | Recovery service vault name to add VMs to backup. |
+| `backupVaultResourceGroup` | string | `[resourceGroup().name]` | | Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default. |
+| `bootDiagnostics` | bool | `False` | | Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled. |
+| `bootDiagnosticStorageAccountName` | string | `''` | | Custom storage account used to store boot diagnostic information. Boot diagnostics will be enabled with a custom storage account if a value is provided. |
+| `bootDiagnosticStorageAccountUri` | string | `[format('.blob.{0}/', environment().suffixes.storage)]` | | Storage account boot diagnostic base URI. |
+| `certificatesToBeInstalled` | array | `[]` | | Specifies set of certificates that should be installed onto the virtual machine. |
+| `customData` | string | `''` | | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. |
+| `dataDisks` | array | `[]` | | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. |
+| `dedicatedHostId` | string | `''` | | Specifies resource ID about the dedicated host that the virtual machine resides in. 
|
+| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
+| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
+| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
+| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
+| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
+| `disablePasswordAuthentication` | bool | `False` | | Specifies whether password authentication should be disabled. |
+| `enableAutomaticUpdates` | bool | `True` | | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. |
+| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
+| `enableEvictionPolicy` | bool | `False` | | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. |
+| `enableServerSideEncryption` | bool | `False` | | Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key. |
+| `encryptionAtHost` | bool | `True` | | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. 
Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. |
+| `extensionAntiMalwareConfig` | object | `{object}` | | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. |
+| `extensionCustomScriptConfig` | object | `{object}` | | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. |
+| `extensionCustomScriptProtectedSetting` | secureObject | `{object}` | | Any object that contains the extension specific protected settings. |
+| `extensionDependencyAgentConfig` | object | `{object}` | | The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. |
+| `extensionDiskEncryptionConfig` | object | `{object}` | | The configuration for the [Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. |
+| `extensionDomainJoinConfig` | object | `{object}` | | The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. |
+| `extensionDomainJoinPassword` | secureString | `''` | | Required if name is specified. Password of the user specified in user parameter. |
+| `extensionDSCConfig` | object | `{object}` | | The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. |
+| `extensionMonitoringAgentConfig` | object | `{object}` | | The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. |
+| `extensionNetworkWatcherAgentConfig` | object | `{object}` | | The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. 
|
 | `licenseType` | string | `''` | `['', Windows_Client, Windows_Server]` | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. |
-| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
+| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
 | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
-| `maxPriceForLowPriorityVm` | string | `''` | | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. |
-| `monitoringWorkspaceId` | string | `''` | | Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true. |
-| `name` | string | `[take(toLower(uniqueString(resourceGroup().name)), 10)]` | | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. |
+| `maxPriceForLowPriorityVm` | string | `''` | | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. |
+| `monitoringWorkspaceId` | string | `''` | | Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true. |
+| `name` | string | `[take(toLower(uniqueString(resourceGroup().name)), 10)]` | | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. |
 | `nicdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. 
|
-| `nicDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the NIC diagnostic setting, if deployed. |
+| `nicDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the NIC diagnostic setting, if deployed. |
 | `pipdiagnosticLogCategoriesToEnable` | array | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. |
 | `pipdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
-| `pipDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the PIP diagnostic setting, if deployed. |
-| `plan` | object | `{object}` | | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. |
-| `provisionVMAgent` | bool | `True` | | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. |
-| `proximityPlacementGroupResourceId` | string | `''` | | Resource ID of a proximity placement group. |
-| `publicKeys` | array | `[]` | | The list of SSH public keys used to authenticate with linux based VMs. |
-| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
-| `sasTokenValidityLength` | string | `'PT8H'` | | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. |
-| `secureBootEnabled` | bool | `False` | | Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. |
-| `securityType` | string | `''` | | Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings. |
-| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
-| `tags` | object | `{object}` | | Tags of the resource. |
-| `timeZone` | string | `''` | | Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. |
-| `ultraSSDEnabled` | bool | `False` | | The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. |
-| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
+| `pipDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the PIP diagnostic setting, if deployed. |
+| `plan` | object | `{object}` | | Specifies information about the marketplace image used to create the virtual machine. 
This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. |
+| `provisionVMAgent` | bool | `True` | | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. |
+| `proximityPlacementGroupResourceId` | string | `''` | | Resource ID of a proximity placement group. |
+| `publicKeys` | array | `[]` | | The list of SSH public keys used to authenticate with linux based VMs. |
+| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+| `sasTokenValidityLength` | string | `'PT8H'` | | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. |
+| `secureBootEnabled` | bool | `False` | | Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. |
+| `securityType` | string | `''` | | Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings. |
+| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
+| `tags` | object | `{object}` | | Tags of the resource. 
|
+| `timeZone` | string | `''` | | Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. |
+| `ultraSSDEnabled` | bool | `False` | | The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. |
+| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
 | `vmComputerNamesTransformation` | string | `'none'` | `[lowercase, none, uppercase]` | Specifies whether the computer names should be transformed. The transformation is performed on all computer names. Available transformations are 'none' (Default), 'uppercase' and 'lowercase'. |
 | `vmPriority` | string | `'Regular'` | `[Low, Regular, Spot]` | Specifies the priority for the virtual machine. |
-| `vTpmEnabled` | bool | `False` | | Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. |
-| `winRM` | object | `{object}` | | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. |
+| `vTpmEnabled` | bool | `False` | | Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. |
+| `winRM` | object | `{object}` | | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. |
 **Generated parameters**
 | Parameter Name | Type | Default Value | Description |
 | :-- | :-- | :-- | :-- |
 | `baseTime` | string | `[utcNow('u')]` | Do not provide a value! 
This date value is used to generate a registration token. |
-
 ### Parameter Usage: `imageReference`
 #### Marketplace images
@@ -319,6 +318,7 @@ dataDisks: [
 ### Parameter Usage: `nicConfigurations`
 Comments:
+
 - The field `nicSuffix` and `subnetId` are mandatory.
 - If `enablePublicIP` is set to true, then `publicIpNameSuffix` is also mandatory.
 - Each IP config needs to have the mandatory field `name`.
@@ -337,7 +337,7 @@ Comments:
 "ipConfigurations": [
 {
 "name": "ipconfig1",
- "subnetId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/",
+ "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/",
 "pipConfiguration": {
 "publicIpNameSuffix": "-pip-01",
 "roleAssignments": [
@@ -352,7 +352,7 @@ Comments:
 },
 {
 "name": "ipconfig2",
- "subnetId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/",
+ "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/",
 }
 ],
 "nsgId": "/subscriptions//resourceGroups//providers/Microsoft.Network/networkSecurityGroups/",
@@ -370,7 +370,7 @@ Comments:
 "ipConfigurations": [
 {
 "name": "ipconfig1",
- "subnetId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/",
+ "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/",
 "pipConfiguration": {
 "publicIpNameSuffix": "-pip-02"
 }
@@ -402,7 +402,7 @@ nicConfigurations: {
 ipConfigurations: [
 {
 name: 'ipconfig1'
- subnetId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/'
+ subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/'
 pipConfiguration: {
 publicIpNameSuffix: '-pip-01'
 roleAssignments: [
@@ -435,7 +435,7 @@ nicConfigurations: {
 ipConfigurations: [
 {
 name: 'ipconfig1'
- subnetId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/'
+ subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/'
 pipConfiguration: {
 publicIpNameSuffix: '-pip-02'
 }
@@ -987,36 +987,38 @@ userAssignedIdentities: { ## Considerations Enabling automanage triggers the creation of additional resources outside of the specific virtual machine deployment, such as: + - an `Automanage-Automate-` in the same Virtual Machine Resource Group and linking to the log analytics workspace leveraged by Azure Security Center. - a `DefaultResourceGroup-` rg hosting a recovery services vault `DefaultBackupVault-` where vm backups are stored -For further details on automanage please refer to [Automanage virtual machines](https://docs.microsoft.com/en-us/azure/automanage/automanage-virtual-machines). + For further details on automanage please refer to [Automanage virtual machines](https://docs.microsoft.com/en-us/azure/automanage/automanage-virtual-machines). ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the VM. | -| `resourceGroupName` | string | The name of the resource group the VM was created in. | -| `resourceId` | string | The resource ID of the VM. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| Output Name | Type | Description | +| :-------------------------- | :----- | :---------------------------------------------------- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the VM. | +| `resourceGroupName` | string | The name of the resource group the VM was created in. | +| `resourceId` | string | The resource ID of the VM. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
-| Reference | Type | -| :-- | :-- | -| `Microsoft.Network/networkInterfaces` | Local reference | -| `Microsoft.Network/publicIPAddresses` | Local reference | +| Reference | Type | +| :---------------------------------------------------------------------- | :-------------- | +| `Microsoft.Network/networkInterfaces` | Local reference | +| `Microsoft.Network/publicIPAddresses` | Local reference | | `Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems` | Local reference | ## Deployment examples The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. - >**Note**: The name of each example is based on the name of the file from which it is taken. - >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. +> **Note**: The name of each example is based on the name of the file from which it is taken. + +> **Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.

Example 1: Linux Autmg

@@ -1489,9 +1491,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "publicIpNameSuffix": "-pip-01", "roleAssignments": [ { - "principalIds": [ - "<>" - ], + "principalIds": ["<>"], "roleDefinitionIdOrName": "Reader" } ] @@ -1502,9 +1502,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "nicSuffix": "-nic-01", "roleAssignments": [ { - "principalIds": [ - "<>" - ], + "principalIds": ["<>"], "roleDefinitionIdOrName": "Reader" } ] @@ -1655,9 +1653,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "roleAssignments": { "value": [ { - "principalIds": [ - "<>" - ], + "principalIds": ["<>"], "roleDefinitionIdOrName": "Reader" } ] @@ -2146,9 +2142,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "publicIpNameSuffix": "-pip-01", "roleAssignments": [ { - "principalIds": [ - "<>" - ], + "principalIds": ["<>"], "roleDefinitionIdOrName": "Reader" } ] @@ -2159,9 +2153,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "nicSuffix": "-nic-01", "roleAssignments": [ { - "principalIds": [ - "<>" - ], + "principalIds": ["<>"], "roleDefinitionIdOrName": "Reader" } ] @@ -2332,9 +2324,7 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "roleAssignments": { "value": [ { - "principalIds": [ - "<>" - ], + "principalIds": ["<>"], "roleDefinitionIdOrName": "Reader" } ] From 92a3520de33ecca864d8141113b31dc19b7ac270 Mon Sep 17 00:00:00 2001 From: Oliver Gulich <70239916+oliverlabs@users.noreply.github.com> Date: Fri, 23 Sep 2022 12:52:50 +0100 Subject: [PATCH 02/15] Hub&Spoke [skip ci] --- azure-pipelines.yml | 50 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 azure-pipelines.yml diff --git a/azure-pipelines.yml b/azure-pipelines.yml new file mode 100644 index 0000000000..bcd5ea1f2f --- /dev/null +++ b/azure-pipelines.yml 
@@ -0,0 +1,50 @@ +name: 'Solutions - HUb & Spoke' + +pr: none + +trigger: + batch: true + branches: + include: + - main +# paths: +# include: +# - root (b3b845c6-2a30-6f4c-62d3-a8b417cb9173)/prfx-connectivity-ae (3e51c849-d082-4b01-9385-455f253a5729)/prfx-conn-ae-monitoring-rg/* + +variables: + - template: /settings.yml + - template: pipeline.variables.yml + +# resources: +# repositories: +# - repository: modules +# name: $(modulesRepository) +# ref: $(ref) +# endpoint: segraef +# type: github + +stages: + - stage: + displayName: WhatIf + jobs: + - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml + parameters: + jobName: resourceGroups + displayName: 'Hub & Spoke' + modulePath: '/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep' + moduleTestFilePath: '.test/parameters.json' + whatif: true + checkoutRepositories: + - self + + - stage: + displayName: Deploy + jobs: + - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml + parameters: + jobName: resourceGroups + displayName: 'Hub & Spoke' + modulePath: '/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep' + moduleTestFilePath: '.test/parameters.json' + checkoutRepositories: + - self From 94a17396e79311771a24ae3fcebc75ce4ed6ef36 Mon Sep 17 00:00:00 2001 
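Review bot: This root `azure-pipelines.yml` is byte-identical to `solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/solution.hubnetwork.yml` added in PATCH 03 (both carry blob `bcd5ea1f2f`), so the same pipeline is defined twice and the copies will drift; keep one, and if a root entry point is wanted, have it reference the solution's file instead of duplicating it. The Deploy stage follows WhatIf on every push to `main` with no visible `environment` or approval gate, so the what-if output is never reviewed before resources change — unless `jobs.solutionDeployment.yml` (not in this patch) adds one, route the Deploy jobs through an `environment` with an approval check. The commented-out `paths` filter and `resources.repositories` block reference GUID-named folders and a personal `segraef` endpoint that do not exist in this repository; drop the dead config rather than carry it into every copy. Minor: `name: 'Solutions - HUb & Spoke'` has a typo (`Hub`).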
From: oliverlabs <70239916+oliverlabs@users.noreply.github.com> Date: Fri, 23 Sep 2022 13:16:56 +0100 Subject: [PATCH 03/15] adding the /solutions folder --- .../.test/parameters.json | 155 +++++++++ .../TemplateOrchestrated/deploy.bicep | 312 ++++++++++++++++++ .../pipeline.variables.yml | 9 + .../solution.hubnetwork.yml | 50 +++ .../.test/parameters.json | 155 +++++++++ .../TemplateOrchestrated/deploy.bicep | 203 ++++++++++++ .../pipeline.variables.yml | 9 + .../solution.hubnetwork.yml | 50 +++ .../.test/parameters.json | 149 +++++++++ .../Spoke/TemplateOrchestrated/deploy.bicep | 75 +++++ .../pipeline.variables.yml | 9 + .../solution.hubnetwork.yml | 50 +++ .../.test/deploy.parameters.json | 9 + .../.github/actions.variables.yml | 8 + .../.github/solutions.test.yml | 115 +++++++ solutions/ResourceGroup/deploy.bicep | 12 + 16 files changed, 1370 insertions(+) create mode 100644 solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/.test/parameters.json create mode 100644 solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep create mode 100644 solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml create mode 100644 solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/solution.hubnetwork.yml create mode 100644 solutions/CoreInfra/HubNetwork/TemplateOrchestrated/.test/parameters.json create mode 100644 solutions/CoreInfra/HubNetwork/TemplateOrchestrated/deploy.bicep create mode 100644 solutions/CoreInfra/HubNetwork/TemplateOrchestrated/pipeline.variables.yml create mode 100644 solutions/CoreInfra/HubNetwork/TemplateOrchestrated/solution.hubnetwork.yml create mode 100644 solutions/CoreInfra/Spoke/TemplateOrchestrated/.test/parameters.json create mode 100644 solutions/CoreInfra/Spoke/TemplateOrchestrated/deploy.bicep create mode 100644 solutions/CoreInfra/Spoke/TemplateOrchestrated/pipeline.variables.yml create mode 100644 solutions/CoreInfra/Spoke/TemplateOrchestrated/solution.hubnetwork.yml create mode 100644 
solutions/ResourceGroup/.test/deploy.parameters.json create mode 100644 solutions/ResourceGroup/TemplateOrchestrated/.github/actions.variables.yml create mode 100644 solutions/ResourceGroup/TemplateOrchestrated/.github/solutions.test.yml create mode 100644 solutions/ResourceGroup/deploy.bicep diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/.test/parameters.json b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/.test/parameters.json new file mode 100644 index 0000000000..25a61064ea --- /dev/null +++ b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/.test/parameters.json 
@@ -0,0 +1,155 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "bastionName": { + "value": "myBastion" + }, + "azureFirewallName": { + "value": "myAzureFirewall" + }, + "resourceGroupName": { + "value": "solutions-ne-rg" + }, + "location": { + "value": "northeurope" + }, + "lock": { + "value": "" + }, + "tags": { + "value": {} + }, + "nsgBastionSubnetName": { + "value": "nsg-hub-bastion-subnet" + }, + "vnet_hub": { + "value": "vnet-hub" + }, + "bastion_nsg_rules": { + "value": [ + { + "name": "AllowhttpsInbound", + "properties": { + "description": "Allow inbound TCP 443 connections from the Internet", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "Internet", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 120, + "direction": "Inbound" + } + }, + { + "name": "AllowGatewayManagerInbound", + "properties": { + "description": "Allow inbound TCP 443 connections from the Gateway Manager", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "GatewayManager", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 130, + "direction": "Inbound" + } + }, + { + "name": "AllowAzureLoadBalancerInbound", + "properties": { + "description": "Allow inbound TCP 443 connections from the Azure Load Balancer", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "AzureLoadBalancer", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 140, + "direction": "Inbound" + } + }, + { + "name": "AllowBastionHostCommunication", + "properties": { + "description": "Allow inbound 8080 and 5701 connections from the Virtual Network", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRanges": [ + "8080", + "5701" + ], + "sourceAddressPrefix": "VirtualNetwork", + 
"destinationAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 150, + "direction": "Inbound" + } + }, + { + "name": "AllowSshRdpOutbound", + "properties": { + "description": "Allow outbound SSH and RDP connections to Virtual Network", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRanges": [ + "22", + "3389" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 100, + "direction": "Outbound" + } + }, + { + "name": "AllowAzureCloudOutbound", + "properties": { + "description": "Allow outbound 443 connections to Azure cloud", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "AzureCloud", + "access": "Allow", + "priority": 110, + "direction": "Outbound" + } + }, + { + "name": "AllowBastionCommunication", + "properties": { + "description": "Allow outbound 8080 and 5701 connections to Virtual Network", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRanges": [ + "8080", + "5701" + ], + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 120, + "direction": "Outbound" + } + }, + { + "name": "AllowGetSessionInformation", + "properties": { + "description": "Allow outbound 80 connections to Internet", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "80", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "Internet", + "access": "Allow", + "priority": 130, + "direction": "Outbound" + } + } + ] + } + } +} diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep new file mode 100644 index 0000000000..f295768c98 --- /dev/null +++ b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep 
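Review bot: The eight `bastion_nsg_rules` entries here are repeated verbatim in the HubNetwork and Spoke `.test/parameters.json` files, while the template's own default for `bastion_nsg_rules` is `[]`; since Azure is expected to reject an NSG on `AzureBastionSubnet` that lacks this rule set, a deployment that omits the parameters file fails and three copies of the rules will drift independently. Consider making this rule set the default value of `bastion_nsg_rules` in `deploy.bicep` and leaving it out of the parameter files, which then only carry the names and region. Note also that this file lives under `.test/` yet is the input of the Deploy stage in `solution.hubnetwork.yml`, so its values are effectively production configuration and should be named and reviewed as such.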
@@ -0,0 +1,312 @@ +targetScope = 'subscription' + +@description('Required. Name of the Resource Group.') +param resourceGroupName string + +@description('Optional. Tags to be applied on all resources/resource groups in this deployment.') +param tags object = {} + +@description('Optional. Name of the Azure Bastion Service.') +param bastionName string = '' + +@description('Optional. Azure Firewall Name') +param azureFirewallName string + +@description('Optional. Resource Group location') +param location string = deployment().location + +@allowed([ + '' + 'CanNotDelete' + 'ReadOnly' +]) +@description('Optional. Specify the type of lock for all resources/resource group defined in this template.') +param lock string = '' + +@description('Optional. Name of the network security group for the Azure Bastion Host subnet.') +param nsgBastionSubnetName string = '' + +@description('Optional. NSG security rules for the Azure Bastion Host subnet.') +param bastion_nsg_rules array = [] + +@description('Optional. Name of the hub virtual network.') +param vnet_hub string = 'vnet-hub' + +@description('Optional. Name of the spoke virtual network.') +param vnetName2 string = 'vnet-spoke' + +@description('Optional. Resource ID of the storage account to be used for diagnostic logs.') +param diagnosticStorageAccountId string = '' + +@description('Optional. Resource ID of the Log Analytics workspace to be used for diagnostic logs.') +param workspaceId string = '' + +@description('Optional. Authorization ID of the Event Hub Namespace to be used for diagnostic logs.') +param eventHubAuthorizationRuleId string = '' + +@description('Optional. 
Name of the Event Hub to be used for diagnostic logs.') +param eventHubName string = '' +module Resource_Groups '../../../../modules/Microsoft.Resources/resourceGroups/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-rg' + params: { + name: resourceGroupName + location: location + tags: tags + } +} + +module NSG_bastion_subnet '../../../../modules/Microsoft.Network/networkSecurityGroups/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-bastion-subnet' + scope: resourceGroup(resourceGroupName) + params: { + name: !empty(nsgBastionSubnetName) ? nsgBastionSubnetName : 'nsg-bas-${location}' + securityRules: bastion_nsg_rules + tags: tags + lock: lock + diagnosticWorkspaceId: workspaceId + diagnosticStorageAccountId: diagnosticStorageAccountId + diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId + diagnosticEventHubName: eventHubName + } + dependsOn: [ + Resource_Groups + ] +} +module Virtual_Network_Hub '../../../../modules/Microsoft.Network/virtualNetworks/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-VirtualNetwork_Hub' + scope: resourceGroup(resourceGroupName) + params: { + name: vnet_hub + addressPrefixes: [ + '192.168.100.0/24' + ] + subnets: [ + // { + // addressPrefix: '192.168.100.0/26' + // name: 'Subnet-Hub' + // // networkSecurityGroupId: '' + // // routeTableId: '' + // } + { + addressPrefix: '192.168.100.64/26' + name: 'AzureBastionSubnet' + networkSecurityGroupId: NSG_bastion_subnet.outputs.resourceId + // routeTableId: '' + } + { + addressPrefix: '192.168.100.128/26' + name: 'GatewaySubnet' + } + { + addressPrefix: '192.168.100.192/26' + name: 'AzureFirewallSubnet' + } + ] + tags: tags + lock: lock + diagnosticWorkspaceId: workspaceId + diagnosticStorageAccountId: diagnosticStorageAccountId + diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId + diagnosticEventHubName: eventHubName + } +} +module Virtual_Network_Spoke 
'../../../../modules/Microsoft.Network/virtualNetworks/deploy.bicep' = { + name: 'VirtualNetwork_Spoke' + scope: resourceGroup(resourceGroupName) + params: { + name: vnetName2 + addressPrefixes: [ + '192.168.101.0/24' + ] + subnets: [ + { + addressPrefix: '192.168.101.0/26' + name: 'DefaultSubnet' + } + ] + tags: tags + lock: lock + diagnosticWorkspaceId: workspaceId + diagnosticStorageAccountId: diagnosticStorageAccountId + diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId + diagnosticEventHubName: eventHubName + } + dependsOn: [ + Resource_Groups + ] +} + +module Virtual_Network_Peering_Hub_to_Spoke '../../../../modules/Microsoft.Network/virtualNetworks/virtualNetworkPeerings/deploy.bicep' = { + name: 'VirtualNetwork_Peering_Hub_to_Spoke' + scope: resourceGroup(resourceGroupName) + params: { + name: 'Peering-Hub-to-Spoke' + remoteVirtualNetworkId: Virtual_Network_Spoke.outputs.resourceId + allowVirtualNetworkAccess: true + allowForwardedTraffic: true + allowGatewayTransit: true + useRemoteGateways: false + localVnetName: vnet_hub + } + dependsOn: [ + Resource_Groups + Virtual_Network_Hub + Virtual_Network_Spoke + ] +} + +module Virtual_Network_Peering_Spoke_to_Hub '../../../../modules/Microsoft.Network/virtualNetworks/virtualNetworkPeerings/deploy.bicep' = { + name: 'VirtualNetwork_Peering_Spoke_to_Hub' + scope: resourceGroup(resourceGroupName) + params: { + name: 'Peering-Spoke-to-Hub' + remoteVirtualNetworkId: Virtual_Network_Hub.outputs.resourceId + allowVirtualNetworkAccess: true + allowForwardedTraffic: true + allowGatewayTransit: true + useRemoteGateways: false + localVnetName: vnetName2 + } + dependsOn: [ + Resource_Groups + Virtual_Network_Spoke + Virtual_Network_Hub + ] +} +module virtualMachines '../../../../modules/Microsoft.Compute/virtualMachines/deploy.bicep' = { + scope: resourceGroup(resourceGroupName) + name: '${uniqueString(deployment().name)}-VirtualMachines' + params: { + location: location + // Required parameters + 
adminUsername: 'azureadmin' + imageReference: { + offer: 'WindowsServer' + publisher: 'MicrosoftWindowsServer' + sku: '2019-Datacenter' + version: 'latest' + } + nicConfigurations: [ + { + ipConfigurations: [ + { + name: 'ipconfig01' + subnetResourceId: Virtual_Network_Spoke.outputs.subnetResourceIds[0] + // subnetId: '/subscriptions/d3696aa4-85af-44e1-a83f-5c1516a22fff/resourceGroups/solutions-ne-rg/providers/Microsoft.Network/virtualNetworks/vnet-spoke/subnets/DefaultSubnet' + } + ] + nicSuffix: '-nic-01' + enableAcceleratedNetworking: false + } + ] + encryptionAtHost: false + osDisk: { + diskSizeGB: '128' + managedDisk: { + storageAccountType: 'StandardSSD_LRS' + } + } + osType: 'Windows' + vmSize: 'Standard_B2s' + // Non-required parameters + adminPassword: 'Class123!' + name: 'spoke-vm-win-01' + } + dependsOn: [ + Virtual_Network_Spoke + ] +} + +// add Azure Firewall module + +module Azure_Firewall '../../../../modules/Microsoft.Network/azureFirewalls/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-AzureFirewall' + scope: resourceGroup(resourceGroupName) + params: { + name: !empty(azureFirewallName) ? 
azureFirewallName : 'azfw-${Virtual_Network_Hub.outputs.name}' + location: location + firewallPolicyId: '' + vNetId: Virtual_Network_Hub.outputs.resourceId + tags: tags + lock: lock + diagnosticWorkspaceId: workspaceId + diagnosticStorageAccountId: diagnosticStorageAccountId + diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId + diagnosticEventHubName: eventHubName + } + dependsOn: [ + Resource_Groups + Virtual_Network_Hub + ] +} + +// deploying a route table for the spoke vnet +//TODO: Paramertise the below values + +module Route_Table_Hub '../../../../modules/Microsoft.Network/routeTables/deploy.bicep' = { + + name: '${uniqueString(deployment().name)}-RouteTable-Hub' + scope: resourceGroup(resourceGroupName) + params: { + name: 'subnet-to-AFW-udr-x-001' + // lock: 'CanNotDelete' + + routes: [ + { + name: 'default' + properties: { + addressPrefix: '0.0.0.0/0' + nextHopIpAddress: Azure_Firewall.outputs.privateIp + nextHopType: 'VirtualAppliance' + } + } + ] + } + dependsOn: [ + Azure_Firewall + ] +} + +module Hub_Subnet '../../../../modules/Microsoft.Network/virtualNetworks/subnets/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-Subnet-Hub' + scope: resourceGroup(resourceGroupName) + params: { + name: 'Subnet-Hub' + addressPrefix: '192.168.100.0/26' + routeTableId: Route_Table_Hub.outputs.resourceId + virtualNetworkName: Virtual_Network_Hub.outputs.name + } + dependsOn: [ + Route_Table_Hub + ] +} + +//TODO: Paramertise the below values +module publicIPAddresses '../../../../modules/Microsoft.Network/publicIPAddresses/deploy.bicep' = { + scope: resourceGroup(resourceGroupName) + name: '${uniqueString(deployment().name)}-bastion-pip' + params: { + location: location + name: 'az-pip-bastion-001' + skuName: 'Standard' + publicIPAllocationMethod: 'Static' + } + dependsOn: [ + Resource_Groups + ] +} + +module bastionHosts '../../../../modules/Microsoft.Network/bastionHosts/deploy.bicep' = { + scope: resourceGroup(resourceGroupName) + name: 
'${uniqueString(deployment().name)}-bastionHosts' + params: { + location: location + name: !empty(bastionName) ? bastionName : 'bas-${Virtual_Network_Hub.outputs.name}' + vNetId: Virtual_Network_Hub.outputs.resourceId + azureBastionSubnetPublicIpId: publicIPAddresses.outputs.resourceId + } + dependsOn: [ + Virtual_Network_Hub + publicIPAddresses + ] +} diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml new file mode 100644 index 0000000000..9b99fdcd8e --- /dev/null +++ b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml @@ -0,0 +1,9 @@ +variables: + resourceGroupName: '' + environmentPath: 'solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated' + location: 'northeurope' + vmImage: 'ubuntu-latest' + poolName: '' + serviceConnection: 'CARML-Hack5' + subscriptionId: 'be5ec5d6-8bcf-4049-8a47-1beb59796b15' + managementGroupId: '' diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/solution.hubnetwork.yml b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/solution.hubnetwork.yml new file mode 100644 index 0000000000..bcd5ea1f2f --- /dev/null +++ b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/solution.hubnetwork.yml 
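Review bot: The `virtualMachines` module hard-codes the local administrator credential in source (`adminPassword: 'Class123!'` together with `adminUsername: 'azureadmin'`), so anyone with read access to the repository or to the deployment history holds the VM password and it cannot be rotated without a code change; declare it as `@secure()` / `param adminPassword string` and pass `adminPassword: adminPassword`, sourcing the value from a Key Vault reference in `.test/parameters.json`. In the same module the commented-out `subnetId` line embeds a real subscription ID next to the `subnetResourceId` expression that replaced it; delete the comment. `param azureFirewallName string` is described as Optional but has no default, which makes it required and leaves the `!empty(azureFirewallName)` fallback in `Azure_Firewall` unreachable unless a caller passes `''` explicitly — add `= ''` as `bastionName` does. `Route_Table_Hub` is attached only to `Hub_Subnet` while its comment says it is for the spoke VNet and the spoke `DefaultSubnet` gets no route table, so if the intent is to force spoke egress through the firewall this template does not do that; correct either the comment or the attachment.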
@@ -0,0 +1,50 @@ +name: 'Solutions - HUb & Spoke' + +pr: none + +trigger: + batch: true + branches: + include: + - main +# paths: +# include: +# - root (b3b845c6-2a30-6f4c-62d3-a8b417cb9173)/prfx-connectivity-ae (3e51c849-d082-4b01-9385-455f253a5729)/prfx-conn-ae-monitoring-rg/* + +variables: + - template: /settings.yml + - template: pipeline.variables.yml + +# resources: +# repositories: +# - repository: modules +# name: $(modulesRepository) +# ref: $(ref) +# endpoint: segraef +# type: github + +stages: + - stage: + displayName: WhatIf + jobs: + - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml + parameters: + jobName: resourceGroups + displayName: 'Hub & Spoke' + modulePath: '/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep' + moduleTestFilePath: '.test/parameters.json' + whatif: true + checkoutRepositories: + - self + + - stage: + displayName: Deploy + jobs: + - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml + parameters: + jobName: resourceGroups + displayName: 'Hub & Spoke' + modulePath: '/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep' + moduleTestFilePath: '.test/parameters.json' + checkoutRepositories: + - self diff --git a/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/.test/parameters.json b/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/.test/parameters.json new file mode 100644 index 0000000000..ac9d91adf8 --- /dev/null +++ b/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/.test/parameters.json 
@@ -0,0 +1,155 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroupName": { + "value": "solutions-ne-rg" + }, + "location": { + "value": "westeurope" + }, + "lock": { + "value": "" + }, + "tags": { + "value": {} + }, + "nsgBastionSubnetName": { + "value": "nsg-hub-bastion-subnet" + }, + "vnet_hub": { + "value": "vnet-hub" + }, + "bastionName": { + "value": "az-bastion-001" + }, + "azureFirewallName": { + "value": "az-fw-001" + }, + "bastion_nsg_rules": { + "value": [ + { + "name": "AllowhttpsInbound", + "properties": { + "description": "Allow inbound TCP 443 connections from the Internet", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "Internet", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 120, + "direction": "Inbound" + } + }, + { + "name": "AllowGatewayManagerInbound", + "properties": { + "description": "Allow inbound TCP 443 connections from the Gateway Manager", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "GatewayManager", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 130, + "direction": "Inbound" + } + }, + { + "name": "AllowAzureLoadBalancerInbound", + "properties": { + "description": "Allow inbound TCP 443 connections from the Azure Load Balancer", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "AzureLoadBalancer", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 140, + "direction": "Inbound" + } + }, + { + "name": "AllowBastionHostCommunication", + "properties": { + "description": "Allow inbound 8080 and 5701 connections from the Virtual Network", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRanges": [ + "8080", + "5701" + ], + "sourceAddressPrefix": "VirtualNetwork", + 
"destinationAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 150, + "direction": "Inbound" + } + }, + { + "name": "AllowSshRdpOutbound", + "properties": { + "description": "Allow outbound SSH and RDP connections to Virtual Network", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRanges": [ + "22", + "3389" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 100, + "direction": "Outbound" + } + }, + { + "name": "AllowAzureCloudOutbound", + "properties": { + "description": "Allow outbound 443 connections to Azure cloud", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "AzureCloud", + "access": "Allow", + "priority": 110, + "direction": "Outbound" + } + }, + { + "name": "AllowBastionCommunication", + "properties": { + "description": "Allow outbound 8080 and 5701 connections to Virtual Network", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRanges": [ + "8080", + "5701" + ], + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 120, + "direction": "Outbound" + } + }, + { + "name": "AllowGetSessionInformation", + "properties": { + "description": "Allow outbound 80 connections to Internet", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "80", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "Internet", + "access": "Allow", + "priority": 130, + "direction": "Outbound" + } + } + ] + } + } +} diff --git a/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/deploy.bicep b/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/deploy.bicep new file mode 100644 index 0000000000..18da5dea67 --- /dev/null +++ b/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/deploy.bicep 
@@ -0,0 +1,203 @@ +targetScope = 'subscription' + +@description('Required. Name of the Resource Group.') +param resourceGroupName string + +@description('Optional. Tags to be applied on all resources/resource groups in this deployment.') +param tags object + +@description('Resource Group location') +param location string + +@allowed([ + '' + 'CanNotDelete' + 'ReadOnly' +]) +@description('Optional. Specify the type of lock for all resources/resource group defined in this template.') +param lock string + +@description('Required. Name of the network security group for the Azure Bastion Host subnet.') +param nsgBastionSubnetName string + +@description('Required. NSG security rules for the Azure Bastion Host subnet.') +param bastion_nsg_rules array + +@description('Required. Name of the virtual network.') +param vnet_hub string + +@description('Required. Name of Azure Bastion.') +param bastionName string + +@description('Required. Name of Azure Firewall.') +param azureFirewallName string + +/* +@description('Optional. Resource ID of the storage account to be used for diagnostic logs.') +param diagnosticStorageAccountId string + +@description('Optional. Resource ID of the Log Analytics workspace to be used for diagnostic logs.') +param workspaceId string + +@description('Optional. Authorization ID of the Event Hub Namespace to be used for diagnostic logs.') +param eventHubAuthorizationRuleId string + +@description('Optional. 
Name of the Event Hub to be used for diagnostic logs.') +param eventHubName string +*/ + +module resourceGroups '../../../../modules/Microsoft.Resources/resourceGroups/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-rg' + params: { + name: resourceGroupName + location: location + tags: tags + } +} + +module NSG_bastion_subnet '../../../../modules/Microsoft.Network/networkSecurityGroups/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-bastion-subnet' + scope: resourceGroup(resourceGroupName) + params: { + name: nsgBastionSubnetName + securityRules: bastion_nsg_rules + tags: tags + lock: lock + /* + diagnosticWorkspaceId: workspaceId + diagnosticStorageAccountId: diagnosticStorageAccountId + diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId + diagnosticEventHubName: eventHubName + */ + } + dependsOn: [ + resourceGroups + ] +} +module VirtualNetwork '../../../../modules/Microsoft.Network/virtualNetworks/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-VirtualNetwork_Hub' + scope: resourceGroup(resourceGroupName) + params: { + name: vnet_hub + addressPrefixes: [ + '192.168.100.0/24' + ] + subnets: [ + // { + // addressPrefix: '192.168.100.0/26' + // name: 'Subnet-Hub' + // // networkSecurityGroupId: '' + // // routeTableId: '' + // } + { + addressPrefix: '192.168.100.64/26' + name: 'AzureBastionSubnet' + networkSecurityGroupId: NSG_bastion_subnet.outputs.resourceId + // routeTableId: '' + } + { + addressPrefix: '192.168.100.128/26' + name: 'GatewaySubnet' + } + { + addressPrefix: '192.168.100.192/26' + name: 'AzureFirewallSubnet' + } + ] + tags: tags + lock: lock + /* + diagnosticWorkspaceId: workspaceId + diagnosticStorageAccountId: diagnosticStorageAccountId + diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId + diagnosticEventHubName: eventHubName + */ + } +} +module publicIPAddresses '../../../../modules/Microsoft.Network/publicIPAddresses/deploy.bicep' = { + scope: 
resourceGroup(resourceGroupName) + name: '${uniqueString(deployment().name)}-bastion-pip' + params: { + location: location + name: 'az-pip-bastion-001' + skuName: 'Standard' + publicIPAllocationMethod: 'Static' + } + dependsOn: [ + resourceGroups + ] +} + +module bastionHosts '../../../../modules/Microsoft.Network/bastionHosts/deploy.bicep' = { + scope: resourceGroup(resourceGroupName) + name: '${uniqueString(deployment().name)}-bastionHosts' + params: { + location: location + name: bastionName + vNetId: VirtualNetwork.outputs.resourceId + azureBastionSubnetPublicIpId: publicIPAddresses.outputs.resourceId + } + dependsOn: [ + VirtualNetwork + publicIPAddresses + ] +} + +module Azure_Firewall '../../../../modules/Microsoft.Network/azureFirewalls/deploy.bicep' = { + + name: '${uniqueString(deployment().name)}-AzureFirewall' + scope: resourceGroup(resourceGroupName) + params: { + name: azureFirewallName + location: location + firewallPolicyId: '' + vNetId: VirtualNetwork.outputs.resourceId + tags: tags + lock: lock + // diagnosticWorkspaceId: workspaceId + // diagnosticStorageAccountId: diagnosticStorageAccountId + // diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId + // diagnosticEventHubName: eventHubName + } + dependsOn: [ + VirtualNetwork + ] +} + +module Route_Table_Hub '../../../../modules/Microsoft.Network/routeTables/deploy.bicep' = { + + name: '${uniqueString(deployment().name)}-RouteTable-Hub' + scope: resourceGroup(resourceGroupName) + params: { + name: 'subnet-to-AFW-udr-x-001' + // lock: 'CanNotDelete' + + routes: [ + { + name: 'default' + properties: { + addressPrefix: '0.0.0.0/0' + nextHopIpAddress: Azure_Firewall.outputs.privateIp + nextHopType: 'VirtualAppliance' + } + } + ] + } + dependsOn: [ + Azure_Firewall + ] +} + +module Hub_Subnet '../../../../modules/Microsoft.Network/virtualNetworks/subnets/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-Subnet-Hub' + scope: resourceGroup(resourceGroupName) + params: { + name: 
'Subnet-Hub' + addressPrefix: '192.168.100.0/26' + routeTableId: Route_Table_Hub.outputs.resourceId + virtualNetworkName: VirtualNetwork.outputs.name + } + dependsOn: [ + Route_Table_Hub + ] +} diff --git a/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/pipeline.variables.yml b/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/pipeline.variables.yml new file mode 100644 index 0000000000..dc08b984a8 --- /dev/null +++ b/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/pipeline.variables.yml @@ -0,0 +1,9 @@ +variables: + resourceGroupName: 'solutions-ne-rg' + environmentPath: 'solutions/CoreInfra/HubNetwork/TemplateOrchestrated' + location: 'northeurope' + vmImage: 'ubuntu-latest' + poolName: '' + serviceConnection: 'CARML-Hack5' + subscriptionId: 'be5ec5d6-8bcf-4049-8a47-1beb59796b15' + managementGroupId: '' diff --git a/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/solution.hubnetwork.yml b/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/solution.hubnetwork.yml new file mode 100644 index 0000000000..d8c4ba3c15 --- /dev/null +++ b/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/solution.hubnetwork.yml 
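Review bot: `tags`, `location` and `lock` are documented as Optional but declared without defaults (`param tags object`, `param location string`, `param lock string`), so every caller must supply all three and the template is not deployable with the defaults its descriptions imply; align with the HubAndSpoke variant: `param tags object = {}`, `param location string = deployment().location`, `param lock string = ''`. The diagnostic parameters and the `diagnosticWorkspaceId`/`diagnosticStorageAccountId`/`diagnosticEventHub*` arguments are commented out in three modules rather than removed or defaulted to `''`, so the NSG, VNet and firewall here ship without the log forwarding the sibling template wires up; restore them with empty defaults or remove the dead blocks. `Hub_Subnet` adds `Subnet-Hub` to a VNet whose `VirtualNetwork` module already declares an explicit `subnets` list without it; a later redeploy of the VNet with that list may remove the separately created subnet, and the split is presumably there because `routeTableId` depends on the firewall's private IP — verify the redeploy behaviour against the virtualNetworks module and document the ordering constraint above `Hub_Subnet`. Style: `resourceGroups` is camelCase while the other modules use `NSG_bastion_subnet`/`Route_Table_Hub`; pick one convention.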
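Review bot: `location: 'northeurope'` here disagrees with `"location": { "value": "westeurope" }` in this solution's `.test/parameters.json`, while `resourceGroupName: 'solutions-ne-rg'` matches, so depending on which value `jobs.solutionDeployment.yml` feeds to the deployment the resource group and its contents may land in a different region from the one the parameters name; pick one region and set both files to it. `subscriptionId` and `serviceConnection: 'CARML-Hack5'` are repeated verbatim in the HubAndSpoke `pipeline.variables.yml`; consider moving them to the shared `/settings.yml` that both pipelines already include.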
@@ -0,0 +1,50 @@ +name: 'Solutions - Vnet' + +pr: none + +trigger: + batch: true + branches: + include: + - main +# paths: +# include: +# - root (b3b845c6-2a30-6f4c-62d3-a8b417cb9173)/prfx-connectivity-ae (3e51c849-d082-4b01-9385-455f253a5729)/prfx-conn-ae-monitoring-rg/* + +variables: + - template: /settings.yml + - template: pipeline.variables.yml + +# resources: +# repositories: +# - repository: modules +# name: $(modulesRepository) +# ref: $(ref) +# endpoint: segraef +# type: github + +stages: + - stage: + displayName: WhatIf + jobs: + - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml + parameters: + jobName: resourceGroups + displayName: 'Resource Group' + modulePath: '/modules/Microsoft.Resources/resourceGroups/deploy.bicep' + moduleTestFilePath: 'rg.parameters.json' + whatif: true + checkoutRepositories: + - self + + - stage: + displayName: Deploy + jobs: + - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml + parameters: + jobName: resourceGroups + displayName: 'Resource Group' + modulePath: '/modules/Microsoft.Resources/resourceGroups/deploy.bicep' + moduleTestFilePath: 'rg.parameters.json' + checkoutRepositories: + - self diff --git a/solutions/CoreInfra/Spoke/TemplateOrchestrated/.test/parameters.json b/solutions/CoreInfra/Spoke/TemplateOrchestrated/.test/parameters.json new file mode 100644 index 0000000000..bfc8f0d37d --- /dev/null +++ b/solutions/CoreInfra/Spoke/TemplateOrchestrated/.test/parameters.json 
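Review bot: Both stages set `modulePath: '/modules/Microsoft.Resources/resourceGroups/deploy.bicep'` and `moduleTestFilePath: 'rg.parameters.json'`, but the `jobs.solutionDeployment.yml` template in this series joins both values onto `$(environmentPath)` (`solutions/CoreInfra/HubNetwork/TemplateOrchestrated`), and under that folder this commit adds `deploy.bicep` and `.test/parameters.json`, not a `modules` tree or an `rg.parameters.json`, so as written the pipeline never reaches the hub network template; `modulePath: 'deploy.bicep'` and `moduleTestFilePath: '.test/parameters.json'` look like the intended values. The Deploy stage also runs directly after WhatIf with no `environment` and therefore no approval check, and with `pr: none` plus a `main` trigger every merge deploys unreviewed; attach the deploy job to an environment with an approval before this goes live. The Spoke copy `solutions/CoreInfra/Spoke/TemplateOrchestrated/solution.hubnetwork.yml` added further down is the same blob (index d8c4ba3c15), down to `name: 'Solutions - Vnet'`, and shares every point above.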
@@ -0,0 +1,149 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroupName": { + "value": "solutions-ne-rg" + }, + "location": { + "value": "westeurope" + }, + "lock": { + "value": "" + }, + "tags": { + "value": {} + }, + "nsgBastionSubnetName": { + "value": "nsg-hub-bastion-subnet" + }, + "vnet_hub": { + "value": "vnet-hub" + }, + "bastion_nsg_rules": { + "value": [ + { + "name": "AllowhttpsInbound", + "properties": { + "description": "Allow inbound TCP 443 connections from the Internet", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "Internet", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 120, + "direction": "Inbound" + } + }, + { + "name": "AllowGatewayManagerInbound", + "properties": { + "description": "Allow inbound TCP 443 connections from the Gateway Manager", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "GatewayManager", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 130, + "direction": "Inbound" + } + }, + { + "name": "AllowAzureLoadBalancerInbound", + "properties": { + "description": "Allow inbound TCP 443 connections from the Azure Load Balancer", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "AzureLoadBalancer", + "destinationAddressPrefix": "*", + "access": "Allow", + "priority": 140, + "direction": "Inbound" + } + }, + { + "name": "AllowBastionHostCommunication", + "properties": { + "description": "Allow inbound 8080 and 5701 connections from the Virtual Network", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRanges": [ + "8080", + "5701" + ], + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 150, + "direction": "Inbound" + } 
+ }, + { + "name": "AllowSshRdpOutbound", + "properties": { + "description": "Allow outbound SSH and RDP connections to Virtual Network", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRanges": [ + "22", + "3389" + ], + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 100, + "direction": "Outbound" + } + }, + { + "name": "AllowAzureCloudOutbound", + "properties": { + "description": "Allow outbound 443 connections to Azure cloud", + "protocol": "Tcp", + "sourcePortRange": "*", + "destinationPortRange": "443", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "AzureCloud", + "access": "Allow", + "priority": 110, + "direction": "Outbound" + } + }, + { + "name": "AllowBastionCommunication", + "properties": { + "description": "Allow outbound 8080 and 5701 connections to Virtual Network", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRanges": [ + "8080", + "5701" + ], + "sourceAddressPrefix": "VirtualNetwork", + "destinationAddressPrefix": "VirtualNetwork", + "access": "Allow", + "priority": 120, + "direction": "Outbound" + } + }, + { + "name": "AllowGetSessionInformation", + "properties": { + "description": "Allow outbound 80 connections to Internet", + "protocol": "*", + "sourcePortRange": "*", + "destinationPortRange": "80", + "sourceAddressPrefix": "*", + "destinationAddressPrefix": "Internet", + "access": "Allow", + "priority": 130, + "direction": "Outbound" + } + } + ] + } + } +} diff --git a/solutions/CoreInfra/Spoke/TemplateOrchestrated/deploy.bicep b/solutions/CoreInfra/Spoke/TemplateOrchestrated/deploy.bicep new file mode 100644 index 0000000000..a12a60db8c --- /dev/null +++ b/solutions/CoreInfra/Spoke/TemplateOrchestrated/deploy.bicep 
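Review bot: This parameter file cannot satisfy the Spoke `deploy.bicep` added in the same commit: it supplies `nsgBastionSubnetName`, `vnet_hub` and `bastion_nsg_rules`, which that template declares but never uses, and omits `diagnosticStorageAccountId`, `workspaceId`, `eventHubAuthorizationRuleId` and `eventHubName`, which the template declares without defaults, so validation rejects the deployment before anything is created. Add those four with empty values here or give them defaults in the template. The `bastion_nsg_rules` array is the hub's Bastion-subnet rule set, and a spoke VNet has no Bastion subnet, so it is dead weight here and should be dropped unless the spoke is meant to get one. `location` is `westeurope` while the spoke `pipeline.variables.yml` says `northeurope`; pick one so the resource group and the deployment location agree.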
@@ -0,0 +1,75 @@ +targetScope = 'subscription' + +@description('Required. Name of the Resource Group.') +param resourceGroupName string + +@description('Optional. Tags to be applied on all resources/resource groups in this deployment.') +param tags object + +@description('Resource Group location') +param location string + +@allowed([ + '' + 'CanNotDelete' + 'ReadOnly' +]) +@description('Optional. Specify the type of lock for all resources/resource group defined in this template.') +param lock string + +@description('Required. Name of the network security group for the Azure Bastion Host subnet.') +param nsgBastionSubnetName string + +@description('Required. NSG security rules for the Azure Bastion Host subnet.') +param bastion_nsg_rules array + +@description('Required. Name of the virtual network.') +param vnet_hub string + +@description('Required. Name of the virtual network.') +param vnetName2 string = 'vnet-spoke' + +@description('Optional. Resource ID of the storage account to be used for diagnostic logs.') +param diagnosticStorageAccountId string + +@description('Optional. Resource ID of the Log Analytics workspace to be used for diagnostic logs.') +param workspaceId string + +@description('Optional. Authorization ID of the Event Hub Namespace to be used for diagnostic logs.') +param eventHubAuthorizationRuleId string + +@description('Optional. 
Name of the Event Hub to be used for diagnostic logs.') +param eventHubName string +module resourceGroups '../../../../modules/Microsoft.Resources/resourceGroups/deploy.bicep' = { + name: '${uniqueString(deployment().name)}-rg' + params: { + name: resourceGroupName + location: location + tags: tags + } +} +module VirtualNetworkSpoke '../../../../modules/Microsoft.Network/virtualNetworks/deploy.bicep' = { + name: 'VirtualNetwork_Spoke' + scope: resourceGroup(resourceGroupName) + params: { + name: vnetName2 + addressPrefixes: [ + '192.168.101.0/24' + ] + subnets: [ + { + addressPrefix: '192.168.101.0/26' + name: 'DefaultSubnet' + } + ] + tags: tags + lock: lock + diagnosticWorkspaceId: workspaceId + diagnosticStorageAccountId: diagnosticStorageAccountId + diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId + diagnosticEventHubName: eventHubName + } + dependsOn: [ + resourceGroups + ] +} diff --git a/solutions/CoreInfra/Spoke/TemplateOrchestrated/pipeline.variables.yml b/solutions/CoreInfra/Spoke/TemplateOrchestrated/pipeline.variables.yml new file mode 100644 index 0000000000..dc08b984a8 --- /dev/null +++ b/solutions/CoreInfra/Spoke/TemplateOrchestrated/pipeline.variables.yml @@ -0,0 +1,9 @@ +variables: + resourceGroupName: 'solutions-ne-rg' + environmentPath: 'solutions/CoreInfra/HubNetwork/TemplateOrchestrated' + location: 'northeurope' + vmImage: 'ubuntu-latest' + poolName: '' + serviceConnection: 'CARML-Hack5' + subscriptionId: 'be5ec5d6-8bcf-4049-8a47-1beb59796b15' + managementGroupId: '' diff --git a/solutions/CoreInfra/Spoke/TemplateOrchestrated/solution.hubnetwork.yml b/solutions/CoreInfra/Spoke/TemplateOrchestrated/solution.hubnetwork.yml new file mode 100644 index 0000000000..d8c4ba3c15 --- /dev/null +++ b/solutions/CoreInfra/Spoke/TemplateOrchestrated/solution.hubnetwork.yml 
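Review bot: `nsgBastionSubnetName`, `bastion_nsg_rules` and `vnet_hub` are declared as required parameters but never referenced (only `vnetName2` is consumed), so the spoke `DefaultSubnet` is created with no network security group while the caller believes its rules were applied. Either drop the three parameters or attach an NSG to the subnet; the CARML virtualNetworks module accepts a `networkSecurityGroupId` on each subnet entry as far as I recall, which would mean adding an NSG module and passing its `outputs.resourceId`. The four diagnostic parameters are described as `Optional.` yet have no default, so a parameter file that omits them, including the `.test/parameters.json` from this commit, fails validation; `param workspaceId string = ''` and the same for the other three fixes that. `vnetName2` repeats the `vnet_hub` description word for word; `@description('Optional. Name of the spoke virtual network.')` matches what it does (it has a default), and `location` should carry the `Required.` prefix like its neighbours.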
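Review bot: `environmentPath` in the Spoke variables file still points at `solutions/CoreInfra/HubNetwork/TemplateOrchestrated` (it is the same blob as the HubNetwork file, index dc08b984a8), so any pipeline that includes it resolves the `$(environmentPath)`-relative template and parameter paths against the hub solution rather than the spoke. It should read `environmentPath: 'solutions/CoreInfra/Spoke/TemplateOrchestrated'`.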
@@ -0,0 +1,50 @@ +name: 'Solutions - Vnet' + +pr: none + +trigger: + batch: true + branches: + include: + - main +# paths: +# include: +# - root (b3b845c6-2a30-6f4c-62d3-a8b417cb9173)/prfx-connectivity-ae (3e51c849-d082-4b01-9385-455f253a5729)/prfx-conn-ae-monitoring-rg/* + +variables: + - template: /settings.yml + - template: pipeline.variables.yml + +# resources: +# repositories: +# - repository: modules +# name: $(modulesRepository) +# ref: $(ref) +# endpoint: segraef +# type: github + +stages: + - stage: + displayName: WhatIf + jobs: + - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml + parameters: + jobName: resourceGroups + displayName: 'Resource Group' + modulePath: '/modules/Microsoft.Resources/resourceGroups/deploy.bicep' + moduleTestFilePath: 'rg.parameters.json' + whatif: true + checkoutRepositories: + - self + + - stage: + displayName: Deploy + jobs: + - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml + parameters: + jobName: resourceGroups + displayName: 'Resource Group' + modulePath: '/modules/Microsoft.Resources/resourceGroups/deploy.bicep' + moduleTestFilePath: 'rg.parameters.json' + checkoutRepositories: + - self diff --git a/solutions/ResourceGroup/.test/deploy.parameters.json b/solutions/ResourceGroup/.test/deploy.parameters.json new file mode 100644 index 0000000000..26e59bd8bc --- /dev/null +++ b/solutions/ResourceGroup/.test/deploy.parameters.json @@ -0,0 +1,9 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceGroupName": { + "value": "chirss-test-rg" + } + } +} diff --git a/solutions/ResourceGroup/TemplateOrchestrated/.github/actions.variables.yml b/solutions/ResourceGroup/TemplateOrchestrated/.github/actions.variables.yml new file mode 100644 index 0000000000..ce8081045f --- /dev/null +++ b/solutions/ResourceGroup/TemplateOrchestrated/.github/actions.variables.yml 
@@ -0,0 +1,8 @@
+variables:
+  resourceGroupName: 'solutions-ne-rg'
+  environmentPath: 'solutions\ResourceGroup'
+  location: 'northeurope'
+  vmImage: 'ubuntu-latest'
+  poolName: ''
+  tokenPrefix: '<<'
+  tokenSuffix: '>>'
diff --git a/solutions/ResourceGroup/TemplateOrchestrated/.github/solutions.test.yml b/solutions/ResourceGroup/TemplateOrchestrated/.github/solutions.test.yml
new file mode 100644
index 0000000000..e7a564ee04
--- /dev/null
+++ b/solutions/ResourceGroup/TemplateOrchestrated/.github/solutions.test.yml
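Review bot: `environmentPath: 'solutions\ResourceGroup'` uses a backslash, and the workflow that consumes this file runs its jobs on `ubuntu-20.04`, where `\` is a literal character in a path rather than a separator, so the value names a directory that does not exist; use `environmentPath: 'solutions/ResourceGroup'`. The companion `solutions.test.yml` also sets `modulePath: 'solutions/ResourceGroup'` in its own `env` block, so it is worth checking which of the two the composite actions actually read and removing the other.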
@@ -0,0 +1,115 @@ +name: 'Solutions: Test' + +on: + workflow_dispatch: + inputs: + removeDeployment: + type: boolean + description: 'Remove deployed module' + required: false + default: true + prerelease: + type: boolean + description: 'Publish prerelease module' + required: false + default: false + push: + branches: + - main + paths: + - '.github/actions/templates/**' + - '.github/workflows/ms.resources.resourcegroups.yml' + - 'modules/Microsoft.AAD/DomainServices/**' + - 'utilities/pipelines/**' + - '!utilities/pipelines/dependencies/**' + - '!*/**/readme.md' + +env: + variablesPath: 'actions.variables.yml' + modulePath: 'solutions/ResourceGroup' + workflowPath: 'solutions/ResourceGroup/TemplateOrchestrated/.github/solutions.test.yml' + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' + ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' + TOKEN_NAMEPREFIX: '${{ secrets.TOKEN_NAMEPREFIX }}' + +jobs: + ########################### + # Initialize pipeline # + ########################### + job_initialize_pipeline: + runs-on: ubuntu-20.04 + name: 'Initialize pipeline' + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Set input parameters to output variables' + id: get-workflow-param + uses: ./.github/actions/templates/getWorkflowInput + with: + workflowPath: '${{ env.workflowPath}}' + - name: 'Get parameter file paths' + id: get-module-test-file-paths + uses: ./.github/actions/templates/getModuleTestFiles + with: + modulePath: '${{ env.modulePath }}' + outputs: + removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }} + moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} + + ######################### + # Static validation # + ######################### + job_module_pester_validation: + runs-on: ubuntu-20.04 + name: 'Static validation' + steps: + - name: 
'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: ./.github/actions/templates/setEnvironmentVariables + with: + variablesPath: ${{ env.variablesPath }} + - name: 'Run tests' + uses: ./.github/actions/templates/validateModulePester + with: + modulePath: '${{ env.modulePath }}' + moduleTestFilePath: '${{ env.moduleTestFilePath }}' + + ############################# + # Deployment validation # + ############################# + job_module_deploy_validation: + runs-on: ubuntu-20.04 + name: 'Deployment validation' + needs: + - job_initialize_pipeline + - job_module_pester_validation + strategy: + fail-fast: false + matrix: + moduleTestFilePaths: ${{ fromJSON(needs.job_initialize_pipeline.outputs.moduleTestFilePaths) }} + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: ./.github/actions/templates/setEnvironmentVariables + with: + variablesPath: ${{ env.variablesPath }} + - name: 'Using test file [${{ matrix.moduleTestFilePaths }}]' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + parameterFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}' + location: '${{ env.location }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' diff --git a/solutions/ResourceGroup/deploy.bicep b/solutions/ResourceGroup/deploy.bicep new file mode 100644 index 0000000000..816e632728 --- /dev/null +++ b/solutions/ResourceGroup/deploy.bicep 
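Review bot: The Pester step in `job_module_pester_validation` passes `moduleTestFilePath: '${{ env.moduleTestFilePath }}'`, but no `moduleTestFilePath` is defined in the workflow `env` block (only `variablesPath`, `modulePath`, `workflowPath` and the secret mappings are), so the action receives an empty string. The `push.paths` filter is copied from a module workflow: it lists `.github/workflows/ms.resources.resourcegroups.yml` and `modules/Microsoft.AAD/DomainServices/**` and nothing under the solution, so changes to `solutions/ResourceGroup` never trigger this workflow; replace those two entries with `- 'solutions/ResourceGroup/**'`. `AZURE_CREDENTIALS` and the three `ARM_*` secrets are mapped at workflow-level `env`, which makes them available to every step of every job, including `actions/checkout`; move them to the `with:`/`env:` of the deployment step that needs them, and pin `actions/checkout@v2` to a commit SHA while touching it.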
@@ -0,0 +1,12 @@ + +targetScope = 'subscription' + +@description('Required. Resource Group Name.') +param resourceGroupName string + +module resourceGroup '../../modules/Microsoft.Resources/resourceGroups/deploy.bicep' = { + name: 'resourceGroup_Test' + params: { + name: resourceGroupName + } +} From e01ae48ea34e3efa1556aec5a76eeba3444386b3 Mon Sep 17 00:00:00 2001 From: Oliver Gulich <70239916+oliverlabs@users.noreply.github.com> Date: Fri, 23 Sep 2022 13:23:09 +0100 Subject: [PATCH 04/15] Update azure-pipelines.yml for Azure Pipelines --- azure-pipelines.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index bcd5ea1f2f..29cf3a4dab 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -13,7 +13,7 @@ trigger: variables: - template: /settings.yml - - template: pipeline.variables.yml + - template: /solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml # resources: # repositories: From 42aa5fc4d675feff872619b6dcb989822ac55b9d Mon Sep 17 00:00:00 2001 From: oliverlabs <70239916+oliverlabs@users.noreply.github.com> Date: Fri, 23 Sep 2022 13:25:50 +0100 Subject: [PATCH 05/15] added jobs.solutionDeployment.yml --- .../jobs.solutionDeployment.yml | 300 ++++++++++++++++++ .vscode/settings.json | 13 +- 2 files changed, 304 insertions(+), 9 deletions(-) create mode 100644 .azuredevops/pipelineTemplates/jobs.solutionDeployment.yml diff --git a/.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml b/.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml new file mode 100644 index 0000000000..e631172f59 --- /dev/null +++ b/.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml 
@@ -0,0 +1,300 @@ +######################################################### +## DEPLOYMENT PIPELINE ## +######################################################### +## +## This pipeline template contains the logic to deploy a given module's ARM template using the provided parameter file(s) +## +## Enabled levels of deployment +## - Resource-Group-Level +## - Subscription-Level +## - Management-Group-Level +## - Tenant-Level +## +######################################################## +## +##---------------------------------------------## +## TEMPLATE PARAMETERS ## +##---------------------------------------------## +## +## By default it uses the variables specified in the below [parameters] section. However, you can overwrite these variables in the +## referencing pipeline by providing the parameter explicitly. +## +## NOTE: If you don't need to overwrite a shared value, you can IGNORE this section +## +## |============================================================================================================================================================================================================================================| +## | Parameter | Default Value | Description | Example | +## |---------------------------------|--------------------------------------|-----------------------------------------------------------------------------------------------------------|-------------------------------------------------------| +## | serviceConnection | '$(serviceConnection)' | The service connection that connects to Azure. | 'demo-internal' | +## | poolName | '$(poolName)' | You can provide either a [poolname] or [vmImage] to run the job on. | 'Custom Deployment Pool' | +## | vmImage | '$(vmImage)' | You can provide either a [poolname] or [vmImage] to run the job on. | 'ubuntu20.04' | +## | defaultJobTimeoutInMinutes | 120 | The timeout for the job in this pipeline. | 120 | +## | removeDeployment | 'true' | Set to [true] to flag resources for removal. 
If not provided, defaults to true. | 'true' | +## | templateFilePath | '' | Path to the template file to deploy. | 'arm/Microsoft.AnalysisServices/servers/deploy.bicep' | +## | customParameterFileTokens | '' | | | +## | jobDisplayName | '' | The display name of the job. | 'Deploy module' | +## | modulePath | '$(modulePath)' | The path to the module to deploy. | 'c:/KeyVault' | +## | location | '$(location)' | The location to deploy resources to. | 'EastUs2' | +## | resourceGroupName | '$(resourceGroupName)' | The resourcegroup to deploy into. Required only for Resource-Group-Level deployments. | 'validation-rg' | +## | subscriptionId | '$(ARM_SUBSCRIPTION_ID)' | The id of the subscription to deploy into when using a Management group service connection. | 'aed7c000-6387-412e-bed0-24dfddf4bbc6' | +## | managementGroupId | '$(ARM_MGMTGROUP_ID)' | The id of the management group to deploy into. Required only for Management-Group-Level deployments. | '6ycc9620-cb01-454f-9ebc-fc6b1df48d64' | +## | azurePowerShellVersion | '$(azurePowerShellVersion)' | Used for configuring the Azure PowerShellModules Version, one of the example values. | 'latestVersion' or 'OtherVersion' | +## | preferredAzurePowerShellVersion | '$(preferredAzurePowerShellVersion)' | Used for configuring the Azure PowerShellModules Version, either an empty string or the specific version. 
| '4.4.0' | +## |============================================================================================================================================================================================================================================| +## +##---------------------------------------------## + +parameters: + # Pipeline-related parameters + jobName: '' + displayName: '' + moduleName: '' + moduleVersion: '$(moduleVersion)' + artifactFeedPath: '$(artifactFeedPath)' + checkoutRepositories: '' + # environment: '' + serviceConnection: '$(serviceConnection)' + poolName: '$(poolName)' + vmImage: '$(vmImage)' + defaultJobTimeoutInMinutes: 120 + whatif: false + + # Logic-related parameters + removeDeployment: false + templateFilePath: '' + moduleTestFilePath: '' + customParameterFileTokens: '' + modulePath: '$(modulePath)' + location: '$(location)' + resourceGroupName: '$(resourceGroupName)' + subscriptionId: '$(subscriptionId)' + managementGroupId: '$(managementGroupId)' + + # Azure PowerShell Version parameters + azurePowerShellVersion: '$(azurePowerShellVersion)' + preferredAzurePowerShellVersion: '$(preferredAzurePowerShellVersion)' + +##---------------------------------------------## +## TEMPLATE LOGIC ## +##---------------------------------------------## +jobs: + - job: ${{ parameters.jobName }}${{ parameters.whatif }} + ${{ if eq( parameters.whatif, true) }}: + displayName: ${{ parameters.displayName }} WhatIf + ${{ if ne( parameters.whatif, true) }}: + displayName: ${{ parameters.displayName }} + ${{ if ne( parameters.dependsOn, '') }}: + dependsOn: + - ${{ each dependency in parameters.dependsOn }}: + - ${{ dependency }}${{ parameters.whatif }} + # environment: ${{ parameters.environment }} + timeoutInMinutes: ${{ parameters.defaultJobTimeoutInMinutes }} + pool: + ${{ if ne(parameters.vmImage, '') }}: + vmImage: ${{ parameters.vmImage }} + ${{ if ne(parameters.poolName, '') }}: + name: ${{ parameters.poolName }} + # strategy: + # runOnce: + # 
deploy: + ##---------------------------------------------## + ## TEMPLATE LOGIC ## + ##---------------------------------------------## + steps: + # [Environment Variables] task(s) + #-------------------------------- + - pwsh: | + $modulePath = Join-Path '$(System.DefaultWorkingDirectory)' '$(environmentPath)' '${{ parameters.modulePath }}' + $sourceDirectory = '$(System.DefaultWorkingDirectory)' + Write-Output "##vso[task.setvariable variable=ENVMODULEPATH]$modulePath" + Write-Output "##vso[task.setvariable variable=ENVSOURCEDIRECTORY]$sourceDirectory" + # [Checkout Repositories] task(s) + #-------------------------------- + - checkout: self + - ${{ if ne(parameters.checkoutRepositories, '') }}: + - ${{ each checkoutRepository in parameters.checkoutRepositories }}: + - checkout: ${{ checkoutRepository }} + fetchDepth: 0 # the depth of commits to ask Git to fetch; if not set defaults to no limit + path: 's/${{ checkoutRepository }}' + - ${{ each checkoutRepository in parameters.checkoutRepositories }}: + # [Multi Repo] Support task + #-------------------------- + - task: PowerShell@2 + displayName: Handle Multi-Repo Invocation + inputs: + targetType: inline + pwsh: true + script: | + # ---------------------------- # + # HANDLE MULTI-REPO INVOCATION # + # ---------------------------- # + + # Handle multiple-repositories + Write-Verbose "Multi-Repo Checkout" -Verbose + $sourceDirectory = '$(Build.Repository.Name)' + $sourceDirectory = $sourceDirectory.Split('/')[-1] + $modulePath = Join-Path '$(System.DefaultWorkingDirectory)' ${{ checkoutRepository }} '${{ parameters.modulePath }}' + Write-Verbose "modulePath: $modulePath" -Verbose + Write-Verbose "sourceDirectory: $sourceDirectory" -Verbose + Write-Output "##vso[task.setvariable variable=ENVMODULEPATH]$modulePath" + Write-Output "##vso[task.setvariable variable=ENVSOURCEDIRECTORY]$sourceDirectory" + + # [Download Azure Artifacts] task(s) + #--------------------- + - ${{ if ne(parameters.moduleName, '') }}: + - pwsh 
: | + $lowerModuleName = "${{ parameters.moduleName }}".ToLower() + Write-Host "##vso[task.setVariable variable=lowerModuleName]$lowerModuleName" + + $modulePath = Join-Path '$(downloadDirectory)/${{ parameters.moduleName }}' 'deploy.json' + + Write-Output "##vso[task.setvariable variable=ENVMODULEPATH]$modulePath" + displayName: 'Prepare download from artifacts feed' + - task: UniversalPackages@0 + displayName: 'Download module [${{ parameters.moduleName }}] version [${{ parameters.moduleVersion }}] from feed [${{ parameters.artifactFeedPath }}]' + inputs: + command: download + vstsFeed: '${{ parameters.artifactFeedPath }}' + vstsFeedPackage: '$(lowerModuleName)' + vstsPackageVersion: '${{ parameters.moduleVersion }}' + downloadDirectory: '$(downloadDirectory)/$(lowerModuleName)' + + # [Validation] task(s) + #--------------------- + - ${{ if eq( parameters.whatif, true) }}: + - task: AzurePowerShell@5 + displayName: 'Validate template file via connection [${{ parameters.serviceConnection }}]' + inputs: + azureSubscription: ${{ parameters.serviceConnection }} + azurePowerShellVersion: 'latestVersion' + preferredAzurePowerShellVersion: '' + ScriptType: InlineScript + pwsh: true + inline: | + # Load used functions + #. (Join-Path '$(ENVSOURCEDIRECTORY)' '$(pipelineFunctionsPath)' 'resourceDeployment' 'Test-TemplateDeployment.ps1') + . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'self' '$(pipelineFunctionsPath)' 'resourceDeployment' 'Test-TemplateDeployment.ps1') + + # Fetching parameters + $location = '${{ parameters.location }}' + $resourceGroupName = '${{ parameters.resourceGroupName }}' + $subscriptionId = '${{ parameters.subscriptionId }}' + $managementGroupId = '${{ parameters.managementGroupId }}' + + $moduleTestFilePath = Join-Path '$(System.DefaultWorkingDirectory)' 'self' '$(environmentPath)' '${{ parameters.moduleTestFilePath }}' + + # ----------- # + # INVOKE TEST # + # ----------- # + + # Building input object + $functionInput = @{ + templateFilePath = '$(ENVMODULEPATH)' + parameterFilePath = $moduleTestFilePath + location = $location + resourceGroupName = $resourceGroupName + subscriptionId = $subscriptionId + managementGroupId = $managementGroupId + additionalParameters = @{} + } + + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + Test-TemplateDeployment @functionInput -Verbose + + # [Deployment] task(s) + #--------------------- + - ${{ if ne( parameters.whatif, true) }}: + - task: AzurePowerShell@5 + name: deployModule + displayName: 'Deploy template file via connection [${{ parameters.serviceConnection }}]' + inputs: + azureSubscription: ${{ parameters.serviceConnection }} + azurePowerShellVersion: 'latestVersion' + preferredAzurePowerShellVersion: '' + pwsh: true + ScriptType: InlineScript + inline: | + # Load used functions + . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'self' '$(pipelineFunctionsPath)' 'resourceDeployment' 'New-TemplateDeployment.ps1') + + $location = '${{ parameters.location }}' + $resourceGroupName = '${{ parameters.resourceGroupName }}' + $subscriptionId = '${{ parameters.subscriptionId }}' + $managementGroupId = '${{ parameters.managementGroupId }}' + + $moduleTestFilePath = Join-Path '$(System.DefaultWorkingDirectory)' 'self' '$(environmentPath)' '${{ parameters.moduleTestFilePath }}' + + # ----------- # + # INVOKE TEST # + # ----------- # + + # Building input object + $functionInput = @{ + templateFilePath = '$(ENVMODULEPATH)' + parameterFilePath = $moduleTestFilePath + location = $location + resourceGroupName = $resourceGroupName + subscriptionId = $subscriptionId + managementGroupId = $managementGroupId + additionalParameters = @{} + } + + Write-Verbose 'Invoke task with' -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + # Invoke deployment + $res = New-TemplateDeployment @functionInput -Verbose + + # Get deployment name + $deploymentName = $res.deploymentName + Write-Verbose "Deployment name: $deploymentName" -Verbose + Write-Host "##vso[task.setvariable variable=deploymentName]$deploymentName" + Write-Host "##vso[task.setvariable variable=deploymentName;isOutput=true]$deploymentName" + + # Populate further outputs + $deploymentOutputHash=@{} + + foreach ($outputKey in $res.deploymentOutput.Keys) { + Write-Output ('##vso[task.setvariable variable={0}]{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value) + $deploymentOutputHash.add($outputKey,$res.deploymentOutput[$outputKey].Value) + } + + $deploymentOutput = $deploymentOutputHash | ConvertTo-Json -Compress -Depth 100 + Write-Verbose "Deployment output: $deploymentOutput" -Verbose + Write-Output "##vso[task.setvariable variable=deploymentOutput;isOutput=true]$deploymentOutput" + + if ($res.ContainsKey('exception')) { + # Happens only if there is an exception + throw 
$res.exception + } + + # [Removal] task(s) + #------------------ + - task: AzurePowerShell@5 + displayName: 'Remove deployed resources via [${{ parameters.serviceConnection }}]' + condition: and(succeededOrFailed(), eq('${{ parameters.removeDeployment }}', 'True'), not(eq(variables['deploymentName'],'')), not(startsWith(variables['deploymentName'], 'variables[' ))) + inputs: + azureSubscription: ${{ parameters.serviceConnection }} + azurePowerShellVersion: ${{ parameters.azurePowerShellVersion }} + preferredAzurePowerShellVersion: ${{ parameters.preferredAzurePowerShellVersion }} + ScriptType: InlineScript + failOnStandardError: false + pwsh: true + inline: | + # Load used function + . (Join-Path '$(System.DefaultWorkingDirectory)' 'self' '$(pipelineFunctionsPath)' 'resourceRemoval' 'Initialize-DeploymentRemoval.ps1') + + $functionInput = @{ + TemplateFilePath = '$(ENVMODULEPATH)' + ResourceGroupName = '${{ parameters.resourceGroupName }}' + subscriptionId = '${{ parameters.subscriptionId }}' + ManagementGroupId = '${{ parameters.managementGroupId }}' + deploymentName = '$(deploymentName)' + Verbose = $true + } + + Write-Verbose 'Invoke task with' -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + Initialize-DeploymentRemoval @functionInput diff --git a/.vscode/settings.json b/.vscode/settings.json index 5f2c554af0..cb26dfb404 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -42,13 +42,8 @@ "powershell.codeFormatting.useConstantStrings": true, "powershell.codeFormatting.useCorrectCasing": true, "powershell.codeFormatting.whitespaceBetweenParameters": true, - "spellright.documentTypes": [ - "markdown", - "latex", - "plaintext" - ], - "spellright.language": [ - "en" - ], - "yaml.format.singleQuote": true + "spellright.documentTypes": ["markdown", "latex", "plaintext"], + "spellright.language": ["en"], + "yaml.format.singleQuote": true, + "githubPullRequests.ignoredPullRequestBranches": ["main"] } 
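Review bot: The job header evaluates `${{ if ne( parameters.dependsOn, '') }}` and iterates `parameters.dependsOn`, but `dependsOn` is not declared in the `parameters:` block above; as far as I recall Azure Pipelines fails template expansion when an expression references an undeclared parameter, so add `dependsOn: []` to the parameters and guard with `${{ if ne(length(parameters.dependsOn), 0) }}`. In the deploy task every entry of `$res.deploymentOutput` is published with `##vso[task.setvariable variable=…]` and no `issecret=true`, so any template output that carries a key, connection string or password becomes a plain pipeline variable and is echoed into the verbose `Deployment output:` line; mark sensitive outputs secret or skip them before publishing. The validate and deploy tasks hard-code `azurePowerShellVersion: 'latestVersion'` and `preferredAzurePowerShellVersion: ''` while only the removal task honours the `azurePowerShellVersion`/`preferredAzurePowerShellVersion` parameters, so the two parameters documented in the header table affect removal alone. `$(downloadDirectory)` in the artifact step and `$(environmentPath)` in the first pwsh step are not parameters of this template and must come from the caller's variables; that dependency deserves a line in the header comment.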
From ced2cbe68ca3a4c1dd9f8c7e5fb547fe79e49849 Mon Sep 17 00:00:00 2001
From: oliverlabs <70239916+oliverlabs@users.noreply.github.com>
Date: Fri, 23 Sep 2022 13:29:43 +0100
Subject: [PATCH 06/15] added own service connection name
---
 .../TemplateOrchestrated/pipeline.variables.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
index 9b99fdcd8e..d57a3f43f4 100644
--- a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
+++ b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
@@ -1,9 +1,9 @@
 variables:
-  resourceGroupName: ''
-  environmentPath: 'solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated'
-  location: 'northeurope'
-  vmImage: 'ubuntu-latest'
-  poolName: ''
-  serviceConnection: 'CARML-Hack5'
-  subscriptionId: 'be5ec5d6-8bcf-4049-8a47-1beb59796b15'
-  managementGroupId: ''
+  resourceGroupName: ""
+  environmentPath: "solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated"
+  location: "northeurope"
+  vmImage: "ubuntu-latest"
+  poolName: ""
+  serviceConnection: "CARML-Pipeline"
+  subscriptionId: "be5ec5d6-8bcf-4049-8a47-1beb59796b15"
+  managementGroupId: ""
From b5c9c050018c1113aa9458514c325827c7809e99 Mon Sep 17 00:00:00 2001
From: oliverlabs <70239916+oliverlabs@users.noreply.github.com>
Date: Fri, 23 Sep 2022 13:33:37 +0100
Subject: [PATCH 07/15] added own service connection name
---
 .../HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
index d57a3f43f4..f1af71c317 100644
--- a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
+++ b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
@@ -4,6 +4,6 @@ variables:
   location: "northeurope"
   vmImage: "ubuntu-latest"
   poolName: ""
-  serviceConnection: "CARML-Pipeline"
+  serviceConnection: "OliverlabsAzurePipe"
   subscriptionId: "be5ec5d6-8bcf-4049-8a47-1beb59796b15"
   managementGroupId: ""
From 34e000cbf4aa86990c343caaf111fb2ab37b97b2 Mon Sep 17 00:00:00 2001
From: oliverlabs <70239916+oliverlabs@users.noreply.github.com>
Date: Fri, 23 Sep 2022 13:40:18 +0100
Subject: [PATCH 08/15] updated subscription id
---
 .../HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
index f1af71c317..0a454cc346 100644
--- a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
+++ b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
@@ -5,5 +5,5 @@ variables:
   vmImage: "ubuntu-latest"
   poolName: ""
   serviceConnection: "OliverlabsAzurePipe"
-  subscriptionId: "be5ec5d6-8bcf-4049-8a47-1beb59796b15"
+  subscriptionId: "d3696aa4-85af-44e1-a83f-5c1516a22fff"
   managementGroupId: ""
From 1a445f4a3469ee8b716b0668f3e55a769a776562 Mon Sep 17 00:00:00 2001
From: oliverlabs <70239916+oliverlabs@users.noreply.github.com>
Date: Fri, 23 Sep 2022 13:47:25 +0100
Subject: [PATCH 09/15] location changed to westeurope
---
 .../HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
index 0a454cc346..86da3c210d 100644
--- a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
+++ b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
@@ -1,7 +1,7 @@
 variables:
 resourceGroupName: ""
 environmentPath: "solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated"
- location: "northeurope"
+ location: "westeurope"
 vmImage: "ubuntu-latest"
 poolName: ""
 serviceConnection: "OliverlabsAzurePipe"
From 899e4dd5d759a4c1e86fa136eaa1ebc8cc11c9ed Mon Sep 17 00:00:00 2001
From: oliverlabs <70239916+oliverlabs@users.noreply.github.com>
Date: Fri, 23 Sep 2022 14:30:39 +0100
Subject: [PATCH 10/15] changed to a personal sub

---
 .../HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
index 86da3c210d..2a61cac862 100644
--- a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
+++ b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
@@ -1,9 +1,9 @@
 variables:
 resourceGroupName: ""
 environmentPath: "solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated"
- location: "westeurope"
+ location: "northeurope"
 vmImage: "ubuntu-latest"
 poolName: ""
- serviceConnection: "OliverlabsAzurePipe"
- subscriptionId: "d3696aa4-85af-44e1-a83f-5c1516a22fff"
+ serviceConnection: "vsent-azure"
+ subscriptionId: "188438bd-4e39-4b0f-b3cf-4edf0ca5c6b0"
 managementGroupId: ""
From b59867402df27793220e836b912cf0a32cabfe84 Mon Sep 17 00:00:00 2001
From: oliverlabs <70239916+oliverlabs@users.noreply.github.com>
Date: Fri, 23 Sep 2022 17:16:22 +0100
Subject: [PATCH 11/15] moved changed made throughout a day to a different branch

---
 .../jobs.solutionDeployment.yml | 300 -----------------
 .../.test/parameters.json | 155 ---------
 .../TemplateOrchestrated/deploy.bicep | 312 ------------------
 .../pipeline.variables.yml | 9 -
 .../solution.hubnetwork.yml | 50 ---
 .../.test/parameters.json | 155 ---------
 .../TemplateOrchestrated/deploy.bicep | 203 ------------
 .../pipeline.variables.yml | 9 -
 .../solution.hubnetwork.yml | 50 ---
 .../.test/parameters.json | 149 ---------
 .../Spoke/TemplateOrchestrated/deploy.bicep | 75 -----
 .../pipeline.variables.yml | 9 -
 .../solution.hubnetwork.yml | 50 ---
 .../.test/deploy.parameters.json | 9 -
 .../.github/actions.variables.yml | 8 -
 .../.github/solutions.test.yml | 115 -------
 solutions/ResourceGroup/deploy.bicep | 12 -
 17 files changed, 1670 deletions(-)
 delete mode 100644 .azuredevops/pipelineTemplates/jobs.solutionDeployment.yml
 delete mode 100644 solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/.test/parameters.json
 delete mode 100644 solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep
 delete mode 100644 solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
 delete mode 100644 solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/solution.hubnetwork.yml
 delete mode 100644 solutions/CoreInfra/HubNetwork/TemplateOrchestrated/.test/parameters.json
 delete mode 100644 solutions/CoreInfra/HubNetwork/TemplateOrchestrated/deploy.bicep
 delete mode 100644 solutions/CoreInfra/HubNetwork/TemplateOrchestrated/pipeline.variables.yml
 delete mode 100644 solutions/CoreInfra/HubNetwork/TemplateOrchestrated/solution.hubnetwork.yml
 delete mode 100644 solutions/CoreInfra/Spoke/TemplateOrchestrated/.test/parameters.json
 delete mode 100644 solutions/CoreInfra/Spoke/TemplateOrchestrated/deploy.bicep
 delete mode 100644 
solutions/CoreInfra/Spoke/TemplateOrchestrated/pipeline.variables.yml
 delete mode 100644 solutions/CoreInfra/Spoke/TemplateOrchestrated/solution.hubnetwork.yml
 delete mode 100644 solutions/ResourceGroup/.test/deploy.parameters.json
 delete mode 100644 solutions/ResourceGroup/TemplateOrchestrated/.github/actions.variables.yml
 delete mode 100644 solutions/ResourceGroup/TemplateOrchestrated/.github/solutions.test.yml
 delete mode 100644 solutions/ResourceGroup/deploy.bicep

diff --git a/.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml b/.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml
deleted file mode 100644
index e631172f59..0000000000
--- a/.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml
+++ /dev/null
@@ -1,300 +0,0 @@ -######################################################### -## DEPLOYMENT PIPELINE ## -######################################################### -## -## This pipeline template contains the logic to deploy a given module's ARM template using the provided parameter file(s) -## -## Enabled levels of deployment -## - Resource-Group-Level -## - Subscription-Level -## - Management-Group-Level -## - Tenant-Level -## -######################################################## -## -##---------------------------------------------## -## TEMPLATE PARAMETERS ## -##---------------------------------------------## -## -## By default it uses the variables specified in the below [parameters] section. However, you can overwrite these variables in the -## referencing pipeline by providing the parameter explicitly. -## -## NOTE: If you don't need to overwrite a shared value, you can IGNORE this section -## -## |============================================================================================================================================================================================================================================| -## | Parameter | Default Value | Description | Example | -## |---------------------------------|--------------------------------------|-----------------------------------------------------------------------------------------------------------|-------------------------------------------------------| -## | serviceConnection | '$(serviceConnection)' | The service connection that connects to Azure. | 'demo-internal' | -## | poolName | '$(poolName)' | You can provide either a [poolname] or [vmImage] to run the job on. | 'Custom Deployment Pool' | -## | vmImage | '$(vmImage)' | You can provide either a [poolname] or [vmImage] to run the job on. | 'ubuntu20.04' | -## | defaultJobTimeoutInMinutes | 120 | The timeout for the job in this pipeline. | 120 | -## | removeDeployment | 'true' | Set to [true] to flag resources for removal. 
If not provided, defaults to true. | 'true' | -## | templateFilePath | '' | Path to the template file to deploy. | 'arm/Microsoft.AnalysisServices/servers/deploy.bicep' | -## | customParameterFileTokens | '' | | | -## | jobDisplayName | '' | The display name of the job. | 'Deploy module' | -## | modulePath | '$(modulePath)' | The path to the module to deploy. | 'c:/KeyVault' | -## | location | '$(location)' | The location to deploy resources to. | 'EastUs2' | -## | resourceGroupName | '$(resourceGroupName)' | The resourcegroup to deploy into. Required only for Resource-Group-Level deployments. | 'validation-rg' | -## | subscriptionId | '$(ARM_SUBSCRIPTION_ID)' | The id of the subscription to deploy into when using a Management group service connection. | 'aed7c000-6387-412e-bed0-24dfddf4bbc6' | -## | managementGroupId | '$(ARM_MGMTGROUP_ID)' | The id of the management group to deploy into. Required only for Management-Group-Level deployments. | '6ycc9620-cb01-454f-9ebc-fc6b1df48d64' | -## | azurePowerShellVersion | '$(azurePowerShellVersion)' | Used for configuring the Azure PowerShellModules Version, one of the example values. | 'latestVersion' or 'OtherVersion' | -## | preferredAzurePowerShellVersion | '$(preferredAzurePowerShellVersion)' | Used for configuring the Azure PowerShellModules Version, either an empty string or the specific version. 
| '4.4.0' | -## |============================================================================================================================================================================================================================================| -## -##---------------------------------------------## - -parameters: - # Pipeline-related parameters - jobName: '' - displayName: '' - moduleName: '' - moduleVersion: '$(moduleVersion)' - artifactFeedPath: '$(artifactFeedPath)' - checkoutRepositories: '' - # environment: '' - serviceConnection: '$(serviceConnection)' - poolName: '$(poolName)' - vmImage: '$(vmImage)' - defaultJobTimeoutInMinutes: 120 - whatif: false - - # Logic-related parameters - removeDeployment: false - templateFilePath: '' - moduleTestFilePath: '' - customParameterFileTokens: '' - modulePath: '$(modulePath)' - location: '$(location)' - resourceGroupName: '$(resourceGroupName)' - subscriptionId: '$(subscriptionId)' - managementGroupId: '$(managementGroupId)' - - # Azure PowerShell Version parameters - azurePowerShellVersion: '$(azurePowerShellVersion)' - preferredAzurePowerShellVersion: '$(preferredAzurePowerShellVersion)' - -##---------------------------------------------## -## TEMPLATE LOGIC ## -##---------------------------------------------## -jobs: - - job: ${{ parameters.jobName }}${{ parameters.whatif }} - ${{ if eq( parameters.whatif, true) }}: - displayName: ${{ parameters.displayName }} WhatIf - ${{ if ne( parameters.whatif, true) }}: - displayName: ${{ parameters.displayName }} - ${{ if ne( parameters.dependsOn, '') }}: - dependsOn: - - ${{ each dependency in parameters.dependsOn }}: - - ${{ dependency }}${{ parameters.whatif }} - # environment: ${{ parameters.environment }} - timeoutInMinutes: ${{ parameters.defaultJobTimeoutInMinutes }} - pool: - ${{ if ne(parameters.vmImage, '') }}: - vmImage: ${{ parameters.vmImage }} - ${{ if ne(parameters.poolName, '') }}: - name: ${{ parameters.poolName }} - # strategy: - # runOnce: - # 
deploy: - ##---------------------------------------------## - ## TEMPLATE LOGIC ## - ##---------------------------------------------## - steps: - # [Environment Variables] task(s) - #-------------------------------- - - pwsh: | - $modulePath = Join-Path '$(System.DefaultWorkingDirectory)' '$(environmentPath)' '${{ parameters.modulePath }}' - $sourceDirectory = '$(System.DefaultWorkingDirectory)' - Write-Output "##vso[task.setvariable variable=ENVMODULEPATH]$modulePath" - Write-Output "##vso[task.setvariable variable=ENVSOURCEDIRECTORY]$sourceDirectory" - # [Checkout Repositories] task(s) - #-------------------------------- - - checkout: self - - ${{ if ne(parameters.checkoutRepositories, '') }}: - - ${{ each checkoutRepository in parameters.checkoutRepositories }}: - - checkout: ${{ checkoutRepository }} - fetchDepth: 0 # the depth of commits to ask Git to fetch; if not set defaults to no limit - path: 's/${{ checkoutRepository }}' - - ${{ each checkoutRepository in parameters.checkoutRepositories }}: - # [Multi Repo] Support task - #-------------------------- - - task: PowerShell@2 - displayName: Handle Multi-Repo Invocation - inputs: - targetType: inline - pwsh: true - script: | - # ---------------------------- # - # HANDLE MULTI-REPO INVOCATION # - # ---------------------------- # - - # Handle multiple-repositories - Write-Verbose "Multi-Repo Checkout" -Verbose - $sourceDirectory = '$(Build.Repository.Name)' - $sourceDirectory = $sourceDirectory.Split('/')[-1] - $modulePath = Join-Path '$(System.DefaultWorkingDirectory)' ${{ checkoutRepository }} '${{ parameters.modulePath }}' - Write-Verbose "modulePath: $modulePath" -Verbose - Write-Verbose "sourceDirectory: $sourceDirectory" -Verbose - Write-Output "##vso[task.setvariable variable=ENVMODULEPATH]$modulePath" - Write-Output "##vso[task.setvariable variable=ENVSOURCEDIRECTORY]$sourceDirectory" - - # [Download Azure Artifacts] task(s) - #--------------------- - - ${{ if ne(parameters.moduleName, '') }}: - - pwsh 
: | - $lowerModuleName = "${{ parameters.moduleName }}".ToLower() - Write-Host "##vso[task.setVariable variable=lowerModuleName]$lowerModuleName" - - $modulePath = Join-Path '$(downloadDirectory)/${{ parameters.moduleName }}' 'deploy.json' - - Write-Output "##vso[task.setvariable variable=ENVMODULEPATH]$modulePath" - displayName: 'Prepare download from artifacts feed' - - task: UniversalPackages@0 - displayName: 'Download module [${{ parameters.moduleName }}] version [${{ parameters.moduleVersion }}] from feed [${{ parameters.artifactFeedPath }}]' - inputs: - command: download - vstsFeed: '${{ parameters.artifactFeedPath }}' - vstsFeedPackage: '$(lowerModuleName)' - vstsPackageVersion: '${{ parameters.moduleVersion }}' - downloadDirectory: '$(downloadDirectory)/$(lowerModuleName)' - - # [Validation] task(s) - #--------------------- - - ${{ if eq( parameters.whatif, true) }}: - - task: AzurePowerShell@5 - displayName: 'Validate template file via connection [${{ parameters.serviceConnection }}]' - inputs: - azureSubscription: ${{ parameters.serviceConnection }} - azurePowerShellVersion: 'latestVersion' - preferredAzurePowerShellVersion: '' - ScriptType: InlineScript - pwsh: true - inline: | - # Load used functions - #. (Join-Path '$(ENVSOURCEDIRECTORY)' '$(pipelineFunctionsPath)' 'resourceDeployment' 'Test-TemplateDeployment.ps1') - . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'self' '$(pipelineFunctionsPath)' 'resourceDeployment' 'Test-TemplateDeployment.ps1') - - # Fetching parameters - $location = '${{ parameters.location }}' - $resourceGroupName = '${{ parameters.resourceGroupName }}' - $subscriptionId = '${{ parameters.subscriptionId }}' - $managementGroupId = '${{ parameters.managementGroupId }}' - - $moduleTestFilePath = Join-Path '$(System.DefaultWorkingDirectory)' 'self' '$(environmentPath)' '${{ parameters.moduleTestFilePath }}' - - # ----------- # - # INVOKE TEST # - # ----------- # - - # Building input object - $functionInput = @{ - templateFilePath = '$(ENVMODULEPATH)' - parameterFilePath = $moduleTestFilePath - location = $location - resourceGroupName = $resourceGroupName - subscriptionId = $subscriptionId - managementGroupId = $managementGroupId - additionalParameters = @{} - } - - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - Test-TemplateDeployment @functionInput -Verbose - - # [Deployment] task(s) - #--------------------- - - ${{ if ne( parameters.whatif, true) }}: - - task: AzurePowerShell@5 - name: deployModule - displayName: 'Deploy template file via connection [${{ parameters.serviceConnection }}]' - inputs: - azureSubscription: ${{ parameters.serviceConnection }} - azurePowerShellVersion: 'latestVersion' - preferredAzurePowerShellVersion: '' - pwsh: true - ScriptType: InlineScript - inline: | - # Load used functions - . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'self' '$(pipelineFunctionsPath)' 'resourceDeployment' 'New-TemplateDeployment.ps1') - - $location = '${{ parameters.location }}' - $resourceGroupName = '${{ parameters.resourceGroupName }}' - $subscriptionId = '${{ parameters.subscriptionId }}' - $managementGroupId = '${{ parameters.managementGroupId }}' - - $moduleTestFilePath = Join-Path '$(System.DefaultWorkingDirectory)' 'self' '$(environmentPath)' '${{ parameters.moduleTestFilePath }}' - - # ----------- # - # INVOKE TEST # - # ----------- # - - # Building input object - $functionInput = @{ - templateFilePath = '$(ENVMODULEPATH)' - parameterFilePath = $moduleTestFilePath - location = $location - resourceGroupName = $resourceGroupName - subscriptionId = $subscriptionId - managementGroupId = $managementGroupId - additionalParameters = @{} - } - - Write-Verbose 'Invoke task with' -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - # Invoke deployment - $res = New-TemplateDeployment @functionInput -Verbose - - # Get deployment name - $deploymentName = $res.deploymentName - Write-Verbose "Deployment name: $deploymentName" -Verbose - Write-Host "##vso[task.setvariable variable=deploymentName]$deploymentName" - Write-Host "##vso[task.setvariable variable=deploymentName;isOutput=true]$deploymentName" - - # Populate further outputs - $deploymentOutputHash=@{} - - foreach ($outputKey in $res.deploymentOutput.Keys) { - Write-Output ('##vso[task.setvariable variable={0}]{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value) - $deploymentOutputHash.add($outputKey,$res.deploymentOutput[$outputKey].Value) - } - - $deploymentOutput = $deploymentOutputHash | ConvertTo-Json -Compress -Depth 100 - Write-Verbose "Deployment output: $deploymentOutput" -Verbose - Write-Output "##vso[task.setvariable variable=deploymentOutput;isOutput=true]$deploymentOutput" - - if ($res.ContainsKey('exception')) { - # Happens only if there is an exception - throw 
$res.exception - } - - # [Removal] task(s) - #------------------ - - task: AzurePowerShell@5 - displayName: 'Remove deployed resources via [${{ parameters.serviceConnection }}]' - condition: and(succeededOrFailed(), eq('${{ parameters.removeDeployment }}', 'True'), not(eq(variables['deploymentName'],'')), not(startsWith(variables['deploymentName'], 'variables[' ))) - inputs: - azureSubscription: ${{ parameters.serviceConnection }} - azurePowerShellVersion: ${{ parameters.azurePowerShellVersion }} - preferredAzurePowerShellVersion: ${{ parameters.preferredAzurePowerShellVersion }} - ScriptType: InlineScript - failOnStandardError: false - pwsh: true - inline: | - # Load used function - . (Join-Path '$(System.DefaultWorkingDirectory)' 'self' '$(pipelineFunctionsPath)' 'resourceRemoval' 'Initialize-DeploymentRemoval.ps1') - - $functionInput = @{ - TemplateFilePath = '$(ENVMODULEPATH)' - ResourceGroupName = '${{ parameters.resourceGroupName }}' - subscriptionId = '${{ parameters.subscriptionId }}' - ManagementGroupId = '${{ parameters.managementGroupId }}' - deploymentName = '$(deploymentName)' - Verbose = $true - } - - Write-Verbose 'Invoke task with' -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - Initialize-DeploymentRemoval @functionInput diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/.test/parameters.json b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/.test/parameters.json deleted file mode 100644 index 25a61064ea..0000000000 --- a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/.test/parameters.json +++ /dev/null 
@@ -1,155 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "bastionName": { - "value": "myBastion" - }, - "azureFirewallName": { - "value": "myAzureFirewall" - }, - "resourceGroupName": { - "value": "solutions-ne-rg" - }, - "location": { - "value": "northeurope" - }, - "lock": { - "value": "" - }, - "tags": { - "value": {} - }, - "nsgBastionSubnetName": { - "value": "nsg-hub-bastion-subnet" - }, - "vnet_hub": { - "value": "vnet-hub" - }, - "bastion_nsg_rules": { - "value": [ - { - "name": "AllowhttpsInbound", - "properties": { - "description": "Allow inbound TCP 443 connections from the Internet", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "Internet", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 120, - "direction": "Inbound" - } - }, - { - "name": "AllowGatewayManagerInbound", - "properties": { - "description": "Allow inbound TCP 443 connections from the Gateway Manager", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "GatewayManager", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 130, - "direction": "Inbound" - } - }, - { - "name": "AllowAzureLoadBalancerInbound", - "properties": { - "description": "Allow inbound TCP 443 connections from the Azure Load Balancer", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "AzureLoadBalancer", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 140, - "direction": "Inbound" - } - }, - { - "name": "AllowBastionHostCommunication", - "properties": { - "description": "Allow inbound 8080 and 5701 connections from the Virtual Network", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "8080", - "5701" - ], - "sourceAddressPrefix": "VirtualNetwork", - 
"destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 150, - "direction": "Inbound" - } - }, - { - "name": "AllowSshRdpOutbound", - "properties": { - "description": "Allow outbound SSH and RDP connections to Virtual Network", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "22", - "3389" - ], - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 100, - "direction": "Outbound" - } - }, - { - "name": "AllowAzureCloudOutbound", - "properties": { - "description": "Allow outbound 443 connections to Azure cloud", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "AzureCloud", - "access": "Allow", - "priority": 110, - "direction": "Outbound" - } - }, - { - "name": "AllowBastionCommunication", - "properties": { - "description": "Allow outbound 8080 and 5701 connections to Virtual Network", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "8080", - "5701" - ], - "sourceAddressPrefix": "VirtualNetwork", - "destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 120, - "direction": "Outbound" - } - }, - { - "name": "AllowGetSessionInformation", - "properties": { - "description": "Allow outbound 80 connections to Internet", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRange": "80", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "Internet", - "access": "Allow", - "priority": 130, - "direction": "Outbound" - } - } - ] - } - } -} diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep deleted file mode 100644 index f295768c98..0000000000 --- a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep +++ /dev/null 
@@ -1,312 +0,0 @@ -targetScope = 'subscription' - -@description('Required. Name of the Resource Group.') -param resourceGroupName string - -@description('Optional. Tags to be applied on all resources/resource groups in this deployment.') -param tags object = {} - -@description('Optional. Name of the Azure Bastion Service.') -param bastionName string = '' - -@description('Optional. Azure Firewall Name') -param azureFirewallName string - -@description('Optional. Resource Group location') -param location string = deployment().location - -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock for all resources/resource group defined in this template.') -param lock string = '' - -@description('Optional. Name of the network security group for the Azure Bastion Host subnet.') -param nsgBastionSubnetName string = '' - -@description('Optional. NSG security rules for the Azure Bastion Host subnet.') -param bastion_nsg_rules array = [] - -@description('Optional. Name of the hub virtual network.') -param vnet_hub string = 'vnet-hub' - -@description('Optional. Name of the spoke virtual network.') -param vnetName2 string = 'vnet-spoke' - -@description('Optional. Resource ID of the storage account to be used for diagnostic logs.') -param diagnosticStorageAccountId string = '' - -@description('Optional. Resource ID of the Log Analytics workspace to be used for diagnostic logs.') -param workspaceId string = '' - -@description('Optional. Authorization ID of the Event Hub Namespace to be used for diagnostic logs.') -param eventHubAuthorizationRuleId string = '' - -@description('Optional. 
Name of the Event Hub to be used for diagnostic logs.') -param eventHubName string = '' -module Resource_Groups '../../../../modules/Microsoft.Resources/resourceGroups/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-rg' - params: { - name: resourceGroupName - location: location - tags: tags - } -} - -module NSG_bastion_subnet '../../../../modules/Microsoft.Network/networkSecurityGroups/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-bastion-subnet' - scope: resourceGroup(resourceGroupName) - params: { - name: !empty(nsgBastionSubnetName) ? nsgBastionSubnetName : 'nsg-bas-${location}' - securityRules: bastion_nsg_rules - tags: tags - lock: lock - diagnosticWorkspaceId: workspaceId - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId - diagnosticEventHubName: eventHubName - } - dependsOn: [ - Resource_Groups - ] -} -module Virtual_Network_Hub '../../../../modules/Microsoft.Network/virtualNetworks/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-VirtualNetwork_Hub' - scope: resourceGroup(resourceGroupName) - params: { - name: vnet_hub - addressPrefixes: [ - '192.168.100.0/24' - ] - subnets: [ - // { - // addressPrefix: '192.168.100.0/26' - // name: 'Subnet-Hub' - // // networkSecurityGroupId: '' - // // routeTableId: '' - // } - { - addressPrefix: '192.168.100.64/26' - name: 'AzureBastionSubnet' - networkSecurityGroupId: NSG_bastion_subnet.outputs.resourceId - // routeTableId: '' - } - { - addressPrefix: '192.168.100.128/26' - name: 'GatewaySubnet' - } - { - addressPrefix: '192.168.100.192/26' - name: 'AzureFirewallSubnet' - } - ] - tags: tags - lock: lock - diagnosticWorkspaceId: workspaceId - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId - diagnosticEventHubName: eventHubName - } -} -module Virtual_Network_Spoke 
'../../../../modules/Microsoft.Network/virtualNetworks/deploy.bicep' = { - name: 'VirtualNetwork_Spoke' - scope: resourceGroup(resourceGroupName) - params: { - name: vnetName2 - addressPrefixes: [ - '192.168.101.0/24' - ] - subnets: [ - { - addressPrefix: '192.168.101.0/26' - name: 'DefaultSubnet' - } - ] - tags: tags - lock: lock - diagnosticWorkspaceId: workspaceId - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId - diagnosticEventHubName: eventHubName - } - dependsOn: [ - Resource_Groups - ] -} - -module Virtual_Network_Peering_Hub_to_Spoke '../../../../modules/Microsoft.Network/virtualNetworks/virtualNetworkPeerings/deploy.bicep' = { - name: 'VirtualNetwork_Peering_Hub_to_Spoke' - scope: resourceGroup(resourceGroupName) - params: { - name: 'Peering-Hub-to-Spoke' - remoteVirtualNetworkId: Virtual_Network_Spoke.outputs.resourceId - allowVirtualNetworkAccess: true - allowForwardedTraffic: true - allowGatewayTransit: true - useRemoteGateways: false - localVnetName: vnet_hub - } - dependsOn: [ - Resource_Groups - Virtual_Network_Hub - Virtual_Network_Spoke - ] -} - -module Virtual_Network_Peering_Spoke_to_Hub '../../../../modules/Microsoft.Network/virtualNetworks/virtualNetworkPeerings/deploy.bicep' = { - name: 'VirtualNetwork_Peering_Spoke_to_Hub' - scope: resourceGroup(resourceGroupName) - params: { - name: 'Peering-Spoke-to-Hub' - remoteVirtualNetworkId: Virtual_Network_Hub.outputs.resourceId - allowVirtualNetworkAccess: true - allowForwardedTraffic: true - allowGatewayTransit: true - useRemoteGateways: false - localVnetName: vnetName2 - } - dependsOn: [ - Resource_Groups - Virtual_Network_Spoke - Virtual_Network_Hub - ] -} -module virtualMachines '../../../../modules/Microsoft.Compute/virtualMachines/deploy.bicep' = { - scope: resourceGroup(resourceGroupName) - name: '${uniqueString(deployment().name)}-VirtualMachines' - params: { - location: location - // Required parameters - 
adminUsername: 'azureadmin' - imageReference: { - offer: 'WindowsServer' - publisher: 'MicrosoftWindowsServer' - sku: '2019-Datacenter' - version: 'latest' - } - nicConfigurations: [ - { - ipConfigurations: [ - { - name: 'ipconfig01' - subnetResourceId: Virtual_Network_Spoke.outputs.subnetResourceIds[0] - // subnetId: '/subscriptions/d3696aa4-85af-44e1-a83f-5c1516a22fff/resourceGroups/solutions-ne-rg/providers/Microsoft.Network/virtualNetworks/vnet-spoke/subnets/DefaultSubnet' - } - ] - nicSuffix: '-nic-01' - enableAcceleratedNetworking: false - } - ] - encryptionAtHost: false - osDisk: { - diskSizeGB: '128' - managedDisk: { - storageAccountType: 'StandardSSD_LRS' - } - } - osType: 'Windows' - vmSize: 'Standard_B2s' - // Non-required parameters - adminPassword: 'Class123!' - name: 'spoke-vm-win-01' - } - dependsOn: [ - Virtual_Network_Spoke - ] -} - -// add Azure Firewall module - -module Azure_Firewall '../../../../modules/Microsoft.Network/azureFirewalls/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-AzureFirewall' - scope: resourceGroup(resourceGroupName) - params: { - name: !empty(azureFirewallName) ? 
azureFirewallName : 'azfw-${Virtual_Network_Hub.outputs.name}' - location: location - firewallPolicyId: '' - vNetId: Virtual_Network_Hub.outputs.resourceId - tags: tags - lock: lock - diagnosticWorkspaceId: workspaceId - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId - diagnosticEventHubName: eventHubName - } - dependsOn: [ - Resource_Groups - Virtual_Network_Hub - ] -} - -// deploying a route table for the spoke vnet -//TODO: Paramertise the below values - -module Route_Table_Hub '../../../../modules/Microsoft.Network/routeTables/deploy.bicep' = { - - name: '${uniqueString(deployment().name)}-RouteTable-Hub' - scope: resourceGroup(resourceGroupName) - params: { - name: 'subnet-to-AFW-udr-x-001' - // lock: 'CanNotDelete' - - routes: [ - { - name: 'default' - properties: { - addressPrefix: '0.0.0.0/0' - nextHopIpAddress: Azure_Firewall.outputs.privateIp - nextHopType: 'VirtualAppliance' - } - } - ] - } - dependsOn: [ - Azure_Firewall - ] -} - -module Hub_Subnet '../../../../modules/Microsoft.Network/virtualNetworks/subnets/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-Subnet-Hub' - scope: resourceGroup(resourceGroupName) - params: { - name: 'Subnet-Hub' - addressPrefix: '192.168.100.0/26' - routeTableId: Route_Table_Hub.outputs.resourceId - virtualNetworkName: Virtual_Network_Hub.outputs.name - } - dependsOn: [ - Route_Table_Hub - ] -} - -//TODO: Paramertise the below values -module publicIPAddresses '../../../../modules/Microsoft.Network/publicIPAddresses/deploy.bicep' = { - scope: resourceGroup(resourceGroupName) - name: '${uniqueString(deployment().name)}-bastion-pip' - params: { - location: location - name: 'az-pip-bastion-001' - skuName: 'Standard' - publicIPAllocationMethod: 'Static' - } - dependsOn: [ - Resource_Groups - ] -} - -module bastionHosts '../../../../modules/Microsoft.Network/bastionHosts/deploy.bicep' = { - scope: resourceGroup(resourceGroupName) - name: 
'${uniqueString(deployment().name)}-bastionHosts' - params: { - location: location - name: !empty(bastionName) ? bastionName : 'bas-${Virtual_Network_Hub.outputs.name}' - vNetId: Virtual_Network_Hub.outputs.resourceId - azureBastionSubnetPublicIpId: publicIPAddresses.outputs.resourceId - } - dependsOn: [ - Virtual_Network_Hub - publicIPAddresses - ] -} diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml deleted file mode 100644 index 2a61cac862..0000000000 --- a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml +++ /dev/null @@ -1,9 +0,0 @@ -variables: - resourceGroupName: "" - environmentPath: "solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated" - location: "northeurope" - vmImage: "ubuntu-latest" - poolName: "" - serviceConnection: "vsent-azure" - subscriptionId: "188438bd-4e39-4b0f-b3cf-4edf0ca5c6b0" - managementGroupId: "" diff --git a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/solution.hubnetwork.yml b/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/solution.hubnetwork.yml deleted file mode 100644 index bcd5ea1f2f..0000000000 --- a/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/solution.hubnetwork.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -name: 'Solutions - HUb & Spoke' - -pr: none - -trigger: - batch: true - branches: - include: - - main -# paths: -# include: -# - root (b3b845c6-2a30-6f4c-62d3-a8b417cb9173)/prfx-connectivity-ae (3e51c849-d082-4b01-9385-455f253a5729)/prfx-conn-ae-monitoring-rg/* - -variables: - - template: /settings.yml - - template: pipeline.variables.yml - -# resources: -# repositories: -# - repository: modules -# name: $(modulesRepository) -# ref: $(ref) -# endpoint: segraef -# type: github - -stages: - - stage: - displayName: WhatIf - jobs: - - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml - parameters: - jobName: resourceGroups - displayName: 'Hub & Spoke' - modulePath: '/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep' - moduleTestFilePath: '.test/parameters.json' - whatif: true - checkoutRepositories: - - self - - - stage: - displayName: Deploy - jobs: - - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml - parameters: - jobName: resourceGroups - displayName: 'Hub & Spoke' - modulePath: '/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep' - moduleTestFilePath: '.test/parameters.json' - checkoutRepositories: - - self diff --git a/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/.test/parameters.json b/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/.test/parameters.json deleted file mode 100644 index ac9d91adf8..0000000000 --- a/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/.test/parameters.json +++ /dev/null 
@@ -1,155 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "resourceGroupName": { - "value": "solutions-ne-rg" - }, - "location": { - "value": "westeurope" - }, - "lock": { - "value": "" - }, - "tags": { - "value": {} - }, - "nsgBastionSubnetName": { - "value": "nsg-hub-bastion-subnet" - }, - "vnet_hub": { - "value": "vnet-hub" - }, - "bastionName": { - "value": "az-bastion-001" - }, - "azureFirewallName": { - "value": "az-fw-001" - }, - "bastion_nsg_rules": { - "value": [ - { - "name": "AllowhttpsInbound", - "properties": { - "description": "Allow inbound TCP 443 connections from the Internet", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "Internet", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 120, - "direction": "Inbound" - } - }, - { - "name": "AllowGatewayManagerInbound", - "properties": { - "description": "Allow inbound TCP 443 connections from the Gateway Manager", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "GatewayManager", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 130, - "direction": "Inbound" - } - }, - { - "name": "AllowAzureLoadBalancerInbound", - "properties": { - "description": "Allow inbound TCP 443 connections from the Azure Load Balancer", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "AzureLoadBalancer", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 140, - "direction": "Inbound" - } - }, - { - "name": "AllowBastionHostCommunication", - "properties": { - "description": "Allow inbound 8080 and 5701 connections from the Virtual Network", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "8080", - "5701" - ], - "sourceAddressPrefix": "VirtualNetwork", - 
"destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 150, - "direction": "Inbound" - } - }, - { - "name": "AllowSshRdpOutbound", - "properties": { - "description": "Allow outbound SSH and RDP connections to Virtual Network", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "22", - "3389" - ], - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 100, - "direction": "Outbound" - } - }, - { - "name": "AllowAzureCloudOutbound", - "properties": { - "description": "Allow outbound 443 connections to Azure cloud", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "AzureCloud", - "access": "Allow", - "priority": 110, - "direction": "Outbound" - } - }, - { - "name": "AllowBastionCommunication", - "properties": { - "description": "Allow outbound 8080 and 5701 connections to Virtual Network", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "8080", - "5701" - ], - "sourceAddressPrefix": "VirtualNetwork", - "destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 120, - "direction": "Outbound" - } - }, - { - "name": "AllowGetSessionInformation", - "properties": { - "description": "Allow outbound 80 connections to Internet", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRange": "80", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "Internet", - "access": "Allow", - "priority": 130, - "direction": "Outbound" - } - } - ] - } - } -} diff --git a/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/deploy.bicep b/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/deploy.bicep deleted file mode 100644 index 18da5dea67..0000000000 --- a/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/deploy.bicep +++ /dev/null 
@@ -1,203 +0,0 @@ -targetScope = 'subscription' - -@description('Required. Name of the Resource Group.') -param resourceGroupName string - -@description('Optional. Tags to be applied on all resources/resource groups in this deployment.') -param tags object - -@description('Resource Group location') -param location string - -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock for all resources/resource group defined in this template.') -param lock string - -@description('Required. Name of the network security group for the Azure Bastion Host subnet.') -param nsgBastionSubnetName string - -@description('Required. NSG security rules for the Azure Bastion Host subnet.') -param bastion_nsg_rules array - -@description('Required. Name of the virtual network.') -param vnet_hub string - -@description('Required. Name of Azure Bastion.') -param bastionName string - -@description('Required. Name of Azure Firewall.') -param azureFirewallName string - -/* -@description('Optional. Resource ID of the storage account to be used for diagnostic logs.') -param diagnosticStorageAccountId string - -@description('Optional. Resource ID of the Log Analytics workspace to be used for diagnostic logs.') -param workspaceId string - -@description('Optional. Authorization ID of the Event Hub Namespace to be used for diagnostic logs.') -param eventHubAuthorizationRuleId string - -@description('Optional. 
Name of the Event Hub to be used for diagnostic logs.') -param eventHubName string -*/ - -module resourceGroups '../../../../modules/Microsoft.Resources/resourceGroups/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-rg' - params: { - name: resourceGroupName - location: location - tags: tags - } -} - -module NSG_bastion_subnet '../../../../modules/Microsoft.Network/networkSecurityGroups/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-bastion-subnet' - scope: resourceGroup(resourceGroupName) - params: { - name: nsgBastionSubnetName - securityRules: bastion_nsg_rules - tags: tags - lock: lock - /* - diagnosticWorkspaceId: workspaceId - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId - diagnosticEventHubName: eventHubName - */ - } - dependsOn: [ - resourceGroups - ] -} -module VirtualNetwork '../../../../modules/Microsoft.Network/virtualNetworks/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-VirtualNetwork_Hub' - scope: resourceGroup(resourceGroupName) - params: { - name: vnet_hub - addressPrefixes: [ - '192.168.100.0/24' - ] - subnets: [ - // { - // addressPrefix: '192.168.100.0/26' - // name: 'Subnet-Hub' - // // networkSecurityGroupId: '' - // // routeTableId: '' - // } - { - addressPrefix: '192.168.100.64/26' - name: 'AzureBastionSubnet' - networkSecurityGroupId: NSG_bastion_subnet.outputs.resourceId - // routeTableId: '' - } - { - addressPrefix: '192.168.100.128/26' - name: 'GatewaySubnet' - } - { - addressPrefix: '192.168.100.192/26' - name: 'AzureFirewallSubnet' - } - ] - tags: tags - lock: lock - /* - diagnosticWorkspaceId: workspaceId - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId - diagnosticEventHubName: eventHubName - */ - } -} -module publicIPAddresses '../../../../modules/Microsoft.Network/publicIPAddresses/deploy.bicep' = { - scope: 
resourceGroup(resourceGroupName) - name: '${uniqueString(deployment().name)}-bastion-pip' - params: { - location: location - name: 'az-pip-bastion-001' - skuName: 'Standard' - publicIPAllocationMethod: 'Static' - } - dependsOn: [ - resourceGroups - ] -} - -module bastionHosts '../../../../modules/Microsoft.Network/bastionHosts/deploy.bicep' = { - scope: resourceGroup(resourceGroupName) - name: '${uniqueString(deployment().name)}-bastionHosts' - params: { - location: location - name: bastionName - vNetId: VirtualNetwork.outputs.resourceId - azureBastionSubnetPublicIpId: publicIPAddresses.outputs.resourceId - } - dependsOn: [ - VirtualNetwork - publicIPAddresses - ] -} - -module Azure_Firewall '../../../../modules/Microsoft.Network/azureFirewalls/deploy.bicep' = { - - name: '${uniqueString(deployment().name)}-AzureFirewall' - scope: resourceGroup(resourceGroupName) - params: { - name: azureFirewallName - location: location - firewallPolicyId: '' - vNetId: VirtualNetwork.outputs.resourceId - tags: tags - lock: lock - // diagnosticWorkspaceId: workspaceId - // diagnosticStorageAccountId: diagnosticStorageAccountId - // diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId - // diagnosticEventHubName: eventHubName - } - dependsOn: [ - VirtualNetwork - ] -} - -module Route_Table_Hub '../../../../modules/Microsoft.Network/routeTables/deploy.bicep' = { - - name: '${uniqueString(deployment().name)}-RouteTable-Hub' - scope: resourceGroup(resourceGroupName) - params: { - name: 'subnet-to-AFW-udr-x-001' - // lock: 'CanNotDelete' - - routes: [ - { - name: 'default' - properties: { - addressPrefix: '0.0.0.0/0' - nextHopIpAddress: Azure_Firewall.outputs.privateIp - nextHopType: 'VirtualAppliance' - } - } - ] - } - dependsOn: [ - Azure_Firewall - ] -} - -module Hub_Subnet '../../../../modules/Microsoft.Network/virtualNetworks/subnets/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-Subnet-Hub' - scope: resourceGroup(resourceGroupName) - params: { - name: 
'Subnet-Hub' - addressPrefix: '192.168.100.0/26' - routeTableId: Route_Table_Hub.outputs.resourceId - virtualNetworkName: VirtualNetwork.outputs.name - } - dependsOn: [ - Route_Table_Hub - ] -} diff --git a/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/pipeline.variables.yml b/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/pipeline.variables.yml deleted file mode 100644 index dc08b984a8..0000000000 --- a/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/pipeline.variables.yml +++ /dev/null @@ -1,9 +0,0 @@ -variables: - resourceGroupName: 'solutions-ne-rg' - environmentPath: 'solutions/CoreInfra/HubNetwork/TemplateOrchestrated' - location: 'northeurope' - vmImage: 'ubuntu-latest' - poolName: '' - serviceConnection: 'CARML-Hack5' - subscriptionId: 'be5ec5d6-8bcf-4049-8a47-1beb59796b15' - managementGroupId: '' diff --git a/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/solution.hubnetwork.yml b/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/solution.hubnetwork.yml deleted file mode 100644 index d8c4ba3c15..0000000000 --- a/solutions/CoreInfra/HubNetwork/TemplateOrchestrated/solution.hubnetwork.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -name: 'Solutions - Vnet' - -pr: none - -trigger: - batch: true - branches: - include: - - main -# paths: -# include: -# - root (b3b845c6-2a30-6f4c-62d3-a8b417cb9173)/prfx-connectivity-ae (3e51c849-d082-4b01-9385-455f253a5729)/prfx-conn-ae-monitoring-rg/* - -variables: - - template: /settings.yml - - template: pipeline.variables.yml - -# resources: -# repositories: -# - repository: modules -# name: $(modulesRepository) -# ref: $(ref) -# endpoint: segraef -# type: github - -stages: - - stage: - displayName: WhatIf - jobs: - - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml - parameters: - jobName: resourceGroups - displayName: 'Resource Group' - modulePath: '/modules/Microsoft.Resources/resourceGroups/deploy.bicep' - moduleTestFilePath: 'rg.parameters.json' - whatif: true - checkoutRepositories: - - self - - - stage: - displayName: Deploy - jobs: - - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml - parameters: - jobName: resourceGroups - displayName: 'Resource Group' - modulePath: '/modules/Microsoft.Resources/resourceGroups/deploy.bicep' - moduleTestFilePath: 'rg.parameters.json' - checkoutRepositories: - - self diff --git a/solutions/CoreInfra/Spoke/TemplateOrchestrated/.test/parameters.json b/solutions/CoreInfra/Spoke/TemplateOrchestrated/.test/parameters.json deleted file mode 100644 index bfc8f0d37d..0000000000 --- a/solutions/CoreInfra/Spoke/TemplateOrchestrated/.test/parameters.json +++ /dev/null 
@@ -1,149 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "resourceGroupName": { - "value": "solutions-ne-rg" - }, - "location": { - "value": "westeurope" - }, - "lock": { - "value": "" - }, - "tags": { - "value": {} - }, - "nsgBastionSubnetName": { - "value": "nsg-hub-bastion-subnet" - }, - "vnet_hub": { - "value": "vnet-hub" - }, - "bastion_nsg_rules": { - "value": [ - { - "name": "AllowhttpsInbound", - "properties": { - "description": "Allow inbound TCP 443 connections from the Internet", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "Internet", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 120, - "direction": "Inbound" - } - }, - { - "name": "AllowGatewayManagerInbound", - "properties": { - "description": "Allow inbound TCP 443 connections from the Gateway Manager", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "GatewayManager", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 130, - "direction": "Inbound" - } - }, - { - "name": "AllowAzureLoadBalancerInbound", - "properties": { - "description": "Allow inbound TCP 443 connections from the Azure Load Balancer", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "AzureLoadBalancer", - "destinationAddressPrefix": "*", - "access": "Allow", - "priority": 140, - "direction": "Inbound" - } - }, - { - "name": "AllowBastionHostCommunication", - "properties": { - "description": "Allow inbound 8080 and 5701 connections from the Virtual Network", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "8080", - "5701" - ], - "sourceAddressPrefix": "VirtualNetwork", - "destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 150, - "direction": "Inbound" - } 
- }, - { - "name": "AllowSshRdpOutbound", - "properties": { - "description": "Allow outbound SSH and RDP connections to Virtual Network", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "22", - "3389" - ], - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 100, - "direction": "Outbound" - } - }, - { - "name": "AllowAzureCloudOutbound", - "properties": { - "description": "Allow outbound 443 connections to Azure cloud", - "protocol": "Tcp", - "sourcePortRange": "*", - "destinationPortRange": "443", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "AzureCloud", - "access": "Allow", - "priority": 110, - "direction": "Outbound" - } - }, - { - "name": "AllowBastionCommunication", - "properties": { - "description": "Allow outbound 8080 and 5701 connections to Virtual Network", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRanges": [ - "8080", - "5701" - ], - "sourceAddressPrefix": "VirtualNetwork", - "destinationAddressPrefix": "VirtualNetwork", - "access": "Allow", - "priority": 120, - "direction": "Outbound" - } - }, - { - "name": "AllowGetSessionInformation", - "properties": { - "description": "Allow outbound 80 connections to Internet", - "protocol": "*", - "sourcePortRange": "*", - "destinationPortRange": "80", - "sourceAddressPrefix": "*", - "destinationAddressPrefix": "Internet", - "access": "Allow", - "priority": 130, - "direction": "Outbound" - } - } - ] - } - } -} diff --git a/solutions/CoreInfra/Spoke/TemplateOrchestrated/deploy.bicep b/solutions/CoreInfra/Spoke/TemplateOrchestrated/deploy.bicep deleted file mode 100644 index a12a60db8c..0000000000 --- a/solutions/CoreInfra/Spoke/TemplateOrchestrated/deploy.bicep +++ /dev/null 
@@ -1,75 +0,0 @@ -targetScope = 'subscription' - -@description('Required. Name of the Resource Group.') -param resourceGroupName string - -@description('Optional. Tags to be applied on all resources/resource groups in this deployment.') -param tags object - -@description('Resource Group location') -param location string - -@allowed([ - '' - 'CanNotDelete' - 'ReadOnly' -]) -@description('Optional. Specify the type of lock for all resources/resource group defined in this template.') -param lock string - -@description('Required. Name of the network security group for the Azure Bastion Host subnet.') -param nsgBastionSubnetName string - -@description('Required. NSG security rules for the Azure Bastion Host subnet.') -param bastion_nsg_rules array - -@description('Required. Name of the virtual network.') -param vnet_hub string - -@description('Required. Name of the virtual network.') -param vnetName2 string = 'vnet-spoke' - -@description('Optional. Resource ID of the storage account to be used for diagnostic logs.') -param diagnosticStorageAccountId string - -@description('Optional. Resource ID of the Log Analytics workspace to be used for diagnostic logs.') -param workspaceId string - -@description('Optional. Authorization ID of the Event Hub Namespace to be used for diagnostic logs.') -param eventHubAuthorizationRuleId string - -@description('Optional. 
Name of the Event Hub to be used for diagnostic logs.') -param eventHubName string -module resourceGroups '../../../../modules/Microsoft.Resources/resourceGroups/deploy.bicep' = { - name: '${uniqueString(deployment().name)}-rg' - params: { - name: resourceGroupName - location: location - tags: tags - } -} -module VirtualNetworkSpoke '../../../../modules/Microsoft.Network/virtualNetworks/deploy.bicep' = { - name: 'VirtualNetwork_Spoke' - scope: resourceGroup(resourceGroupName) - params: { - name: vnetName2 - addressPrefixes: [ - '192.168.101.0/24' - ] - subnets: [ - { - addressPrefix: '192.168.101.0/26' - name: 'DefaultSubnet' - } - ] - tags: tags - lock: lock - diagnosticWorkspaceId: workspaceId - diagnosticStorageAccountId: diagnosticStorageAccountId - diagnosticEventHubAuthorizationRuleId: eventHubAuthorizationRuleId - diagnosticEventHubName: eventHubName - } - dependsOn: [ - resourceGroups - ] -} diff --git a/solutions/CoreInfra/Spoke/TemplateOrchestrated/pipeline.variables.yml b/solutions/CoreInfra/Spoke/TemplateOrchestrated/pipeline.variables.yml deleted file mode 100644 index dc08b984a8..0000000000 --- a/solutions/CoreInfra/Spoke/TemplateOrchestrated/pipeline.variables.yml +++ /dev/null @@ -1,9 +0,0 @@ -variables: - resourceGroupName: 'solutions-ne-rg' - environmentPath: 'solutions/CoreInfra/HubNetwork/TemplateOrchestrated' - location: 'northeurope' - vmImage: 'ubuntu-latest' - poolName: '' - serviceConnection: 'CARML-Hack5' - subscriptionId: 'be5ec5d6-8bcf-4049-8a47-1beb59796b15' - managementGroupId: '' diff --git a/solutions/CoreInfra/Spoke/TemplateOrchestrated/solution.hubnetwork.yml b/solutions/CoreInfra/Spoke/TemplateOrchestrated/solution.hubnetwork.yml deleted file mode 100644 index d8c4ba3c15..0000000000 --- a/solutions/CoreInfra/Spoke/TemplateOrchestrated/solution.hubnetwork.yml +++ /dev/null 
@@ -1,50 +0,0 @@ -name: 'Solutions - Vnet' - -pr: none - -trigger: - batch: true - branches: - include: - - main -# paths: -# include: -# - root (b3b845c6-2a30-6f4c-62d3-a8b417cb9173)/prfx-connectivity-ae (3e51c849-d082-4b01-9385-455f253a5729)/prfx-conn-ae-monitoring-rg/* - -variables: - - template: /settings.yml - - template: pipeline.variables.yml - -# resources: -# repositories: -# - repository: modules -# name: $(modulesRepository) -# ref: $(ref) -# endpoint: segraef -# type: github - -stages: - - stage: - displayName: WhatIf - jobs: - - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml - parameters: - jobName: resourceGroups - displayName: 'Resource Group' - modulePath: '/modules/Microsoft.Resources/resourceGroups/deploy.bicep' - moduleTestFilePath: 'rg.parameters.json' - whatif: true - checkoutRepositories: - - self - - - stage: - displayName: Deploy - jobs: - - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml - parameters: - jobName: resourceGroups - displayName: 'Resource Group' - modulePath: '/modules/Microsoft.Resources/resourceGroups/deploy.bicep' - moduleTestFilePath: 'rg.parameters.json' - checkoutRepositories: - - self diff --git a/solutions/ResourceGroup/.test/deploy.parameters.json b/solutions/ResourceGroup/.test/deploy.parameters.json deleted file mode 100644 index 26e59bd8bc..0000000000 --- a/solutions/ResourceGroup/.test/deploy.parameters.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "resourceGroupName": { - "value": "chirss-test-rg" - } - } -} diff --git a/solutions/ResourceGroup/TemplateOrchestrated/.github/actions.variables.yml b/solutions/ResourceGroup/TemplateOrchestrated/.github/actions.variables.yml deleted file mode 100644 index ce8081045f..0000000000 --- a/solutions/ResourceGroup/TemplateOrchestrated/.github/actions.variables.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -variables: - resourceGroupName: 'solutions-ne-rg' - environmentPath: 'solutions\ResourceGroup' - location: 'northeurope' - vmImage: 'ubuntu-latest' - poolName: '' - tokenPrefix: '<<' - tokenSuffix: '>>' diff --git a/solutions/ResourceGroup/TemplateOrchestrated/.github/solutions.test.yml b/solutions/ResourceGroup/TemplateOrchestrated/.github/solutions.test.yml deleted file mode 100644 index e7a564ee04..0000000000 --- a/solutions/ResourceGroup/TemplateOrchestrated/.github/solutions.test.yml +++ /dev/null 
@@ -1,115 +0,0 @@ -name: 'Solutions: Test' - -on: - workflow_dispatch: - inputs: - removeDeployment: - type: boolean - description: 'Remove deployed module' - required: false - default: true - prerelease: - type: boolean - description: 'Publish prerelease module' - required: false - default: false - push: - branches: - - main - paths: - - '.github/actions/templates/**' - - '.github/workflows/ms.resources.resourcegroups.yml' - - 'modules/Microsoft.AAD/DomainServices/**' - - 'utilities/pipelines/**' - - '!utilities/pipelines/dependencies/**' - - '!*/**/readme.md' - -env: - variablesPath: 'actions.variables.yml' - modulePath: 'solutions/ResourceGroup' - workflowPath: 'solutions/ResourceGroup/TemplateOrchestrated/.github/solutions.test.yml' - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - ARM_SUBSCRIPTION_ID: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - ARM_MGMTGROUP_ID: '${{ secrets.ARM_MGMTGROUP_ID }}' - ARM_TENANT_ID: '${{ secrets.ARM_TENANT_ID }}' - TOKEN_NAMEPREFIX: '${{ secrets.TOKEN_NAMEPREFIX }}' - -jobs: - ########################### - # Initialize pipeline # - ########################### - job_initialize_pipeline: - runs-on: ubuntu-20.04 - name: 'Initialize pipeline' - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Set input parameters to output variables' - id: get-workflow-param - uses: ./.github/actions/templates/getWorkflowInput - with: - workflowPath: '${{ env.workflowPath}}' - - name: 'Get parameter file paths' - id: get-module-test-file-paths - uses: ./.github/actions/templates/getModuleTestFiles - with: - modulePath: '${{ env.modulePath }}' - outputs: - removeDeployment: ${{ steps.get-workflow-param.outputs.removeDeployment }} - moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} - - ######################### - # Static validation # - ######################### - job_module_pester_validation: - runs-on: ubuntu-20.04 - name: 'Static validation' - steps: - - name: 
'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Set environment variables - uses: ./.github/actions/templates/setEnvironmentVariables - with: - variablesPath: ${{ env.variablesPath }} - - name: 'Run tests' - uses: ./.github/actions/templates/validateModulePester - with: - modulePath: '${{ env.modulePath }}' - moduleTestFilePath: '${{ env.moduleTestFilePath }}' - - ############################# - # Deployment validation # - ############################# - job_module_deploy_validation: - runs-on: ubuntu-20.04 - name: 'Deployment validation' - needs: - - job_initialize_pipeline - - job_module_pester_validation - strategy: - fail-fast: false - matrix: - moduleTestFilePaths: ${{ fromJSON(needs.job_initialize_pipeline.outputs.moduleTestFilePaths) }} - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Set environment variables - uses: ./.github/actions/templates/setEnvironmentVariables - with: - variablesPath: ${{ env.variablesPath }} - - name: 'Using test file [${{ matrix.moduleTestFilePaths }}]' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: '${{ env.modulePath }}/deploy.bicep' - parameterFilePath: '${{ env.modulePath }}/${{ matrix.moduleTestFilePaths }}' - location: '${{ env.location }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ needs.job_initialize_pipeline.outputs.removeDeployment }}' diff --git a/solutions/ResourceGroup/deploy.bicep b/solutions/ResourceGroup/deploy.bicep deleted file mode 100644 index 816e632728..0000000000 --- a/solutions/ResourceGroup/deploy.bicep +++ /dev/null 
@@ -1,12 +0,0 @@
-
-targetScope = 'subscription'
-
-@description('Required. Resource Group Name.')
-param resourceGroupName string
-
-module resourceGroup '../../modules/Microsoft.Resources/resourceGroups/deploy.bicep' = {
- name: 'resourceGroup_Test'
- params: {
- name: resourceGroupName
- }
-}
From 362bc4b283c40250b5f576c6ce16dd5c83898146 Mon Sep 17 00:00:00 2001
From: oliverlabs <70239916+oliverlabs@users.noreply.github.com>
Date: Fri, 23 Sep 2022 17:22:07 +0100
Subject: [PATCH 12/15] removed extra files modified during the day
---
 .vscode/settings.json | 10 +++++++--
 azure-pipelines.yml | 50 -------------------------------------------
 2 files changed, 8 insertions(+), 52 deletions(-)
 delete mode 100644 azure-pipelines.yml
diff --git a/.vscode/settings.json b/.vscode/settings.json
index cb26dfb404..6d7c185e9f 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -42,8 +42,14 @@
 "powershell.codeFormatting.useConstantStrings": true,
 "powershell.codeFormatting.useCorrectCasing": true,
 "powershell.codeFormatting.whitespaceBetweenParameters": true,
- "spellright.documentTypes": ["markdown", "latex", "plaintext"],
- "spellright.language": ["en"],
+ "spellright.documentTypes": [
+ "markdown",
+ "latex",
+ "plaintext"
+ ],
+ "spellright.language": [
+ "en"
+ ],
 "yaml.format.singleQuote": true,
 "githubPullRequests.ignoredPullRequestBranches": ["main"]
 }
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
deleted file mode 100644
index 29cf3a4dab..0000000000
--- a/azure-pipelines.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-name: 'Solutions - HUb & Spoke'
-
-pr: none
-
-trigger:
- batch: true
- branches:
- include:
- - main
-# paths:
-# include:
-# - root (b3b845c6-2a30-6f4c-62d3-a8b417cb9173)/prfx-connectivity-ae (3e51c849-d082-4b01-9385-455f253a5729)/prfx-conn-ae-monitoring-rg/*
-
-variables:
- - template: /settings.yml
- - template: /solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/pipeline.variables.yml
-
-# resources:
-# repositories:
-# - repository: modules
-# name: $(modulesRepository)
-# ref: $(ref)
-# endpoint: segraef
-# type: github
-
-stages:
- - stage:
- displayName: WhatIf
- jobs:
- - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml
- parameters:
- jobName: resourceGroups
- displayName: 'Hub & Spoke'
- modulePath: '/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep'
- moduleTestFilePath: '.test/parameters.json'
- whatif: true
- checkoutRepositories:
- - self
-
- - stage:
- displayName: Deploy
- jobs:
- - template: /.azuredevops/pipelineTemplates/jobs.solutionDeployment.yml
- parameters:
- jobName: resourceGroups
- displayName: 'Hub & Spoke'
- modulePath: '/solutions/CoreInfra/HubAndSpoke/TemplateOrchestrated/deploy.bicep'
- moduleTestFilePath: '.test/parameters.json'
- checkoutRepositories:
- - self
From d0e5935ae959dda4e35936d972d5d8ff6f92a736 Mon Sep 17 00:00:00 2001
From: Oliver Gulich <70239916+oliverlabs@users.noreply.github.com>
Date: Sun, 25 Sep 2022 16:06:20 +0100
Subject: [PATCH 13/15] Update .vscode/settings.json
This change was not intentional.
Co-authored-by: Marius Storhaug
---
 .vscode/settings.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 6d7c185e9f..54d1b5223f 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -51,5 +51,4 @@
 "en"
 ],
 "yaml.format.singleQuote": true,
- "githubPullRequests.ignoredPullRequestBranches": ["main"]
 }
From 47c2237730e32f2d42c24fda09a8d20593ea73fd Mon Sep 17 00:00:00 2001
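Review bot: On the new side of the `.vscode/settings.json` hunk the last retained property, `"yaml.format.singleQuote": true,`, now sits directly before the closing `}`, so deleting the `githubPullRequests.ignoredPullRequestBranches` line leaves a trailing comma. VS Code reads this file as JSONC and tolerates that, but any strict JSON consumer (a linter, a script, `jq`) will reject the file. The retained line should become `"yaml.format.singleQuote": true` with the comma dropped.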
From: oliverlabs <70239916+oliverlabs@users.noreply.github.com>
Date: Sun, 25 Sep 2022 16:21:58 +0100
Subject: [PATCH 14/15] regenerated readme.md and avoided auto LF to CRLF
---
 .../virtualMachines/readme.md | 211 ++++++++++--------
 1 file changed, 112 insertions(+), 99 deletions(-)
diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md
index 2954587c3f..192fa46295 100644
--- a/modules/Microsoft.Compute/virtualMachines/readme.md
+++ b/modules/Microsoft.Compute/virtualMachines/readme.md
@@ -13,104 +13,108 @@ This module deploys one Virtual Machine with one or multiple nics and optionally ## Resource Types -| Resource Type | API Version | -| :------------------------------------------------------------------------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | -| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Automanage/configurationProfileAssignments` | [2021-04-30-preview](https://docs.microsoft.com/en-us/azure/templates) | -| `Microsoft.Compute/virtualMachines` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-07-01/virtualMachines) | -| `Microsoft.Compute/virtualMachines/extensions` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-07-01/virtualMachines/extensions) | -| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/networkInterfaces` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/networkInterfaces) | -| `Microsoft.Network/publicIPAddresses` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/publicIPAddresses) | +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | +| `Microsoft.Authorization/roleAssignments` | 
[2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | +| `Microsoft.Automanage/configurationProfileAssignments` | [2021-04-30-preview](https://docs.microsoft.com/en-us/azure/templates) | +| `Microsoft.Compute/virtualMachines` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-07-01/virtualMachines) | +| `Microsoft.Compute/virtualMachines/extensions` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-07-01/virtualMachines/extensions) | +| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | +| `Microsoft.Network/networkInterfaces` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/networkInterfaces) | +| `Microsoft.Network/publicIPAddresses` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/publicIPAddresses) | | `Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems` | [2022-02-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.RecoveryServices/2022-02-01/vaults/backupFabrics/protectionContainers/protectedItems) | ## Parameters **Required parameters** + | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `adminUsername` | secureString | | | Administrator username. | +| `adminUsername` | secureString | | | Administrator username. | | `configurationProfile` | string | `''` | `['', /providers/Microsoft.Automanage/bestPractices/AzureBestPracticesDevTest, /providers/Microsoft.Automanage/bestPractices/AzureBestPracticesProduction]` | The configuration profile of automanage. | -| `imageReference` | object | | | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. 
In case of custom images it's the resource ID of the custom image. | -| `nicConfigurations` | array | | | Configures NICs and PIPs. | -| `osDisk` | object | | | Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | -| `osType` | string | | `[Linux, Windows]` | The chosen OS type. | -| `vmSize` | string | | | Specifies the size for the VMs. | +| `imageReference` | object | | | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | +| `nicConfigurations` | array | | | Configures NICs and PIPs. | +| `osDisk` | object | | | Specifies the OS disk. For security reasons, it is recommended to specify DiskEncryptionSet into the osDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | +| `osType` | string | | `[Linux, Windows]` | The chosen OS type. | +| `vmSize` | string | | | Specifies the size for the VMs. | **Optional parameters** + | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | -| `additionalUnattendContent` | array | `[]` | | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. | -| `adminPassword` | secureString | `''` | | When specifying a Windows Virtual Machine, this value should be passed. | -| `allowExtensionOperations` | bool | `True` | | Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine. 
| -| `availabilitySetResourceId` | string | `''` | | Resource ID of an availability set. Cannot be used in combination with availability zone nor scale set. | +| `additionalUnattendContent` | array | `[]` | | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. | +| `adminPassword` | secureString | `''` | | When specifying a Windows Virtual Machine, this value should be passed. | +| `allowExtensionOperations` | bool | `True` | | Specifies whether extension operations should be allowed on the virtual machine. This may only be set to False when no extensions are present on the virtual machine. | +| `availabilitySetResourceId` | string | `''` | | Resource ID of an availability set. Cannot be used in combination with availability zone nor scale set. | | `availabilityZone` | int | `0` | `[0, 1, 2, 3]` | If set to 1, 2 or 3, the availability zone for all VMs is hardcoded to that value. If zero, then availability zones is not used. Cannot be used in combination with availability set nor scale set. | -| `backupPolicyName` | string | `'DefaultPolicy'` | | Backup policy the VMs should be using for backup. If not provided, it will use the DefaultPolicy from the backup recovery service vault. | -| `backupVaultName` | string | `''` | | Recovery service vault name to add VMs to backup. | -| `backupVaultResourceGroup` | string | `[resourceGroup().name]` | | Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default. | -| `bootDiagnostics` | bool | `False` | | Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled. 
| -| `bootDiagnosticStorageAccountName` | string | `''` | | Custom storage account used to store boot diagnostic information. Boot diagnostics will be enabled with a custom storage account if a value is provided. | -| `bootDiagnosticStorageAccountUri` | string | `[format('.blob.{0}/', environment().suffixes.storage)]` | | Storage account boot diagnostic base URI. | -| `certificatesToBeInstalled` | array | `[]` | | Specifies set of certificates that should be installed onto the virtual machine. | -| `customData` | string | `''` | | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | -| `dataDisks` | array | `[]` | | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | -| `dedicatedHostId` | string | `''` | | Specifies resource ID about the dedicated host that the virtual machine resides in. | -| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | -| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | -| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | -| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | -| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | -| `disablePasswordAuthentication` | bool | `False` | | Specifies whether password authentication should be disabled. 
| -| `enableAutomaticUpdates` | bool | `True` | | Indicates whether Automatic Updates is enabled for the Windows virtual machine. Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. | -| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | -| `enableEvictionPolicy` | bool | `False` | | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | -| `enableServerSideEncryption` | bool | `False` | | Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key. | -| `encryptionAtHost` | bool | `True` | | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | -| `extensionAntiMalwareConfig` | object | `{object}` | | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionCustomScriptConfig` | object | `{object}` | | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionCustomScriptProtectedSetting` | secureObject | `{object}` | | Any object that contains the extension specific protected settings. | -| `extensionDependencyAgentConfig` | object | `{object}` | | The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionDiskEncryptionConfig` | object | `{object}` | | The configuration for the [Disk Encryption] extension. 
Must at least contain the ["enabled": true] property to be executed. | -| `extensionDomainJoinConfig` | object | `{object}` | | The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionDomainJoinPassword` | secureString | `''` | | Required if name is specified. Password of the user specified in user parameter. | -| `extensionDSCConfig` | object | `{object}` | | The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionMonitoringAgentConfig` | object | `{object}` | | The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. | -| `extensionNetworkWatcherAgentConfig` | object | `{object}` | | The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. | +| `backupPolicyName` | string | `'DefaultPolicy'` | | Backup policy the VMs should be using for backup. If not provided, it will use the DefaultPolicy from the backup recovery service vault. | +| `backupVaultName` | string | `''` | | Recovery service vault name to add VMs to backup. | +| `backupVaultResourceGroup` | string | `[resourceGroup().name]` | | Resource group of the backup recovery service vault. If not provided the current resource group name is considered by default. | +| `bootDiagnostics` | bool | `False` | | Whether boot diagnostics should be enabled on the Virtual Machine. Boot diagnostics will be enabled with a managed storage account if no bootDiagnosticsStorageAccountName value is provided. If bootDiagnostics and bootDiagnosticsStorageAccountName values are not provided, boot diagnostics will be disabled. | +| `bootDiagnosticStorageAccountName` | string | `''` | | Custom storage account used to store boot diagnostic information. 
Boot diagnostics will be enabled with a custom storage account if a value is provided. | +| `bootDiagnosticStorageAccountUri` | string | `[format('.blob.{0}/', environment().suffixes.storage)]` | | Storage account boot diagnostic base URI. | +| `certificatesToBeInstalled` | array | `[]` | | Specifies set of certificates that should be installed onto the virtual machine. | +| `customData` | string | `''` | | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | +| `dataDisks` | array | `[]` | | Specifies the data disks. For security reasons, it is recommended to specify DiskEncryptionSet into the dataDisk object. Restrictions: DiskEncryptionSet cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | +| `dedicatedHostId` | string | `''` | | Specifies resource ID about the dedicated host that the virtual machine resides in. | +| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. | +| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. | +| `disablePasswordAuthentication` | bool | `False` | | Specifies whether password authentication should be disabled. | +| `enableAutomaticUpdates` | bool | `True` | | Indicates whether Automatic Updates is enabled for the Windows virtual machine. 
Default value is true. For virtual machine scale sets, this property can be updated and updates will take effect on OS reprovisioning. | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). | +| `enableEvictionPolicy` | bool | `False` | | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | +| `enableServerSideEncryption` | bool | `False` | | Specifies if Windows VM disks should be encrypted with Server-side encryption + Customer managed Key. | +| `encryptionAtHost` | bool | `True` | | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | +| `extensionAntiMalwareConfig` | object | `{object}` | | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. | +| `extensionCustomScriptConfig` | object | `{object}` | | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. | +| `extensionCustomScriptProtectedSetting` | secureObject | `{object}` | | Any object that contains the extension specific protected settings. | +| `extensionDependencyAgentConfig` | object | `{object}` | | The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. | +| `extensionDiskEncryptionConfig` | object | `{object}` | | The configuration for the [Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. 
| +| `extensionDomainJoinConfig` | object | `{object}` | | The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. | +| `extensionDomainJoinPassword` | secureString | `''` | | Required if name is specified. Password of the user specified in user parameter. | +| `extensionDSCConfig` | object | `{object}` | | The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. | +| `extensionMonitoringAgentConfig` | object | `{object}` | | The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed. | +| `extensionNetworkWatcherAgentConfig` | object | `{object}` | | The configuration for the [Network Watcher Agent] extension. Must at least contain the ["enabled": true] property to be executed. | | `licenseType` | string | `''` | `['', Windows_Client, Windows_Server]` | Specifies that the image or disk that is being used was licensed on-premises. This element is only used for images that contain the Windows Server operating system. | -| `location` | string | `[resourceGroup().location]` | | Location for all resources. | +| `location` | string | `[resourceGroup().location]` | | Location for all resources. | | `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. | -| `maxPriceForLowPriorityVm` | string | `''` | | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | -| `monitoringWorkspaceId` | string | `''` | | Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true. | -| `name` | string | `[take(toLower(uniqueString(resourceGroup().name)), 10)]` | | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. 
If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | +| `maxPriceForLowPriorityVm` | string | `''` | | Specifies the maximum price you are willing to pay for a low priority VM/VMSS. This price is in US Dollars. | +| `monitoringWorkspaceId` | string | `''` | | Resource ID of the monitoring log analytics workspace. Must be set when extensionMonitoringAgentConfig is set to true. | +| `name` | string | `[take(toLower(uniqueString(resourceGroup().name)), 10)]` | | The name of the virtual machine to be created. You should use a unique prefix to reduce name collisions in Active Directory. If no value is provided, a 10 character long unique string will be generated based on the Resource Group's name. | | `nicdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `nicDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the NIC diagnostic setting, if deployed. | +| `nicDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the NIC diagnostic setting, if deployed. | | `pipdiagnosticLogCategoriesToEnable` | array | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | `[DDoSMitigationFlowLogs, DDoSMitigationReports, DDoSProtectionNotifications]` | The name of logs that will be streamed. | | `pipdiagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. | -| `pipDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the PIP diagnostic setting, if deployed. | -| `plan` | object | `{object}` | | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. 
Before you can use a marketplace image from an API, you must enable the image for programmatic use. | -| `provisionVMAgent` | bool | `True` | | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | -| `proximityPlacementGroupResourceId` | string | `''` | | Resource ID of a proximity placement group. | -| `publicKeys` | array | `[]` | | The list of SSH public keys used to authenticate with linux based VMs. | -| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| `sasTokenValidityLength` | string | `'PT8H'` | | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | -| `secureBootEnabled` | bool | `False` | | Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | -| `securityType` | string | `''` | | Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings. | -| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | -| `tags` | object | `{object}` | | Tags of the resource. | -| `timeZone` | string | `''` | | Specifies the time zone of the virtual machine. e.g. 
'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. | -| `ultraSSDEnabled` | bool | `False` | | The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | -| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | +| `pipDiagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the PIP diagnostic setting, if deployed. | +| `plan` | object | `{object}` | | Specifies information about the marketplace image used to create the virtual machine. This element is only used for marketplace images. Before you can use a marketplace image from an API, you must enable the image for programmatic use. | +| `provisionVMAgent` | bool | `True` | | Indicates whether virtual machine agent should be provisioned on the virtual machine. When this property is not specified in the request body, default behavior is to set it to true. This will ensure that VM Agent is installed on the VM so that extensions can be added to the VM later. | +| `proximityPlacementGroupResourceId` | string | `''` | | Resource ID of a proximity placement group. | +| `publicKeys` | array | `[]` | | The list of SSH public keys used to authenticate with linux based VMs. | +| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. 
| +| `sasTokenValidityLength` | string | `'PT8H'` | | SAS token validity length to use to download files from storage accounts. Usage: 'PT8H' - valid for 8 hours; 'P5D' - valid for 5 days; 'P1Y' - valid for 1 year. When not provided, the SAS token will be valid for 8 hours. | +| `secureBootEnabled` | bool | `False` | | Specifies whether secure boot should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | +| `securityType` | string | `''` | | Specifies the SecurityType of the virtual machine. It is set as TrustedLaunch to enable UefiSettings. | +| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. | +| `tags` | object | `{object}` | | Tags of the resource. | +| `timeZone` | string | `''` | | Specifies the time zone of the virtual machine. e.g. 'Pacific Standard Time'. Possible values can be `TimeZoneInfo.id` value from time zones returned by `TimeZoneInfo.GetSystemTimeZones`. | +| `ultraSSDEnabled` | bool | `False` | | The flag that enables or disables a capability to have one or more managed data disks with UltraSSD_LRS storage account type on the VM or VMSS. Managed disks with storage account type UltraSSD_LRS can be added to a virtual machine or virtual machine scale set only if this property is enabled. | +| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. | | `vmComputerNamesTransformation` | string | `'none'` | `[lowercase, none, uppercase]` | Specifies whether the computer names should be transformed. The transformation is performed on all computer names. Available transformations are 'none' (Default), 'uppercase' and 'lowercase'. | | `vmPriority` | string | `'Regular'` | `[Low, Regular, Spot]` | Specifies the priority for the virtual machine. | -| `vTpmEnabled` | bool | `False` | | Specifies whether vTPM should be enabled on the virtual machine. 
This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | -| `winRM` | object | `{object}` | | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. | +| `vTpmEnabled` | bool | `False` | | Specifies whether vTPM should be enabled on the virtual machine. This parameter is part of the UefiSettings. SecurityType should be set to TrustedLaunch to enable UefiSettings. | +| `winRM` | object | `{object}` | | Specifies the Windows Remote Management listeners. This enables remote Windows PowerShell. - WinRMConfiguration object. | **Generated parameters** + | Parameter Name | Type | Default Value | Description | | :-- | :-- | :-- | :-- | | `baseTime` | string | `[utcNow('u')]` | Do not provide a value! This date value is used to generate a registration token. | + ### Parameter Usage: `imageReference` #### Marketplace images @@ -318,8 +322,7 @@ dataDisks: [ ### Parameter Usage: `nicConfigurations` Comments: - -- The field `nicSuffix` and `subnetId` are mandatory. +- The field `nicSuffix` and `subnetResourceId` are mandatory. - If `enablePublicIP` is set to true, then `publicIpNameSuffix` is also mandatory. - Each IP config needs to have the mandatory field `name`. - If not disabled, `enableAcceleratedNetworking` is considered `true` by default and requires the VM to be deployed with a supported OS and VM size. @@ -377,7 +380,7 @@ Comments: }, { "name": "ipconfig2", - "subnetId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", + "subnetResourceId": "/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/", "privateIPAllocationMethod": "Static", "privateIPAddress": "10.0.0.9" } 
@@ -417,7 +420,7 @@ nicConfigurations: {
 }
 {
 name: 'ipconfig2'
- subnetId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/'
+ subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/'
 }
 ]
 nsgId: '/subscriptions//resourceGroups//providers/Microsoft.Network/networkSecurityGroups/'
@@ -442,7 +445,7 @@ nicConfigurations: {
 }
 {
 name: 'ipconfig2'
- subnetId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/'
+ subnetResourceId: '/subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks//subnets/'
 privateIPAllocationMethod: 'Static'
 privateIPAddress: '10.0.0.9'
 }
@@ -987,38 +990,36 @@ userAssignedIdentities: { ## Considerations Enabling automanage triggers the creation of additional resources outside of the specific virtual machine deployment, such as: - - an `Automanage-Automate-` in the same Virtual Machine Resource Group and linking to the log analytics workspace leveraged by Azure Security Center. - a `DefaultResourceGroup-` rg hosting a recovery services vault `DefaultBackupVault-` where vm backups are stored - For further details on automanage please refer to [Automanage virtual machines](https://docs.microsoft.com/en-us/azure/automanage/automanage-virtual-machines). +For further details on automanage please refer to [Automanage virtual machines](https://docs.microsoft.com/en-us/azure/automanage/automanage-virtual-machines). ## Outputs -| Output Name | Type | Description | -| :-------------------------- | :----- | :---------------------------------------------------- | -| `location` | string | The location the resource was deployed into. | -| `name` | string | The name of the VM. | -| `resourceGroupName` | string | The name of the resource group the VM was created in. | -| `resourceId` | string | The resource ID of the VM. | -| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the VM. | +| `resourceGroupName` | string | The name of the resource group the VM was created in. | +| `resourceId` | string | The resource ID of the VM. | +| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. | ## Cross-referenced modules This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). 
-| Reference | Type | -| :---------------------------------------------------------------------- | :-------------- | -| `Microsoft.Network/networkInterfaces` | Local reference | -| `Microsoft.Network/publicIPAddresses` | Local reference | +| Reference | Type | +| :-- | :-- | +| `Microsoft.Network/networkInterfaces` | Local reference | +| `Microsoft.Network/publicIPAddresses` | Local reference | | `Microsoft.RecoveryServices/vaults/protectionContainers/protectedItems` | Local reference | ## Deployment examples The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder. + >**Note**: The name of each example is based on the name of the file from which it is taken. -> **Note**: The name of each example is based on the name of the file from which it is taken. - -> **Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + >**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.

Example 1: Linux Autmg

@@ -1491,7 +1492,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 "publicIpNameSuffix": "-pip-01",
 "roleAssignments": [
 {
- "principalIds": ["<>"],
+ "principalIds": [
+ "<>"
+ ],
 "roleDefinitionIdOrName": "Reader"
 }
 ]
@@ -1502,7 +1505,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 "nicSuffix": "-nic-01",
 "roleAssignments": [
 {
- "principalIds": ["<>"],
+ "principalIds": [
+ "<>"
+ ],
 "roleDefinitionIdOrName": "Reader"
 }
 ]
@@ -1653,7 +1658,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": ["<>"],
+ "principalIds": [
+ "<>"
+ ],
 "roleDefinitionIdOrName": "Reader"
 }
 ]
@@ -2142,7 +2149,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 "publicIpNameSuffix": "-pip-01",
 "roleAssignments": [
 {
- "principalIds": ["<>"],
+ "principalIds": [
+ "<>"
+ ],
 "roleDefinitionIdOrName": "Reader"
 }
 ]
@@ -2153,7 +2162,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 "nicSuffix": "-nic-01",
 "roleAssignments": [
 {
- "principalIds": ["<>"],
+ "principalIds": [
+ "<>"
+ ],
 "roleDefinitionIdOrName": "Reader"
 }
 ]
@@ -2324,7 +2335,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = {
 "roleAssignments": {
 "value": [
 {
- "principalIds": ["<>"],
+ "principalIds": [
+ "<>"
+ ],
 "roleDefinitionIdOrName": "Reader"
 }
 ]
From 6d4bd589d83596d9238f173712c450dd7538efaf Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sun, 25 Sep 2022 17:23:57 +0200
Subject: [PATCH 15/15] Update .vscode/settings.json
---
 .vscode/settings.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.vscode/settings.json b/.vscode/settings.json
index 54d1b5223f..5f2c554af0 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -50,5 +50,5 @@
 "spellright.language": [
 "en"
 ],
- "yaml.format.singleQuote": true,
+ "yaml.format.singleQuote": true
 }