Possible solution to maintaining backwards compat but simplifying mgm…

…t group customization per Azure#158
rjygraham · Mar 9, 2022 · fcfab6b · fcfab6b
1 parent f49c522
commit fcfab6b
Show file tree

Hide file tree

Showing 15 changed files with 499 additions and 0 deletions.
diff --git a/infra-as-code/bicep/modules/unstable/managementGroups/README.md b/infra-as-code/bicep/modules/unstable/managementGroups/README.md
@@ -0,0 +1,87 @@
+# Module:  Management Groups
+
+The Management Groups module deploys a management group hierarchy in a customer's tenant under the `Tenant Root Group`.  This is accomplished through a tenant-scoped Azure Resource Manager (ARM) deployment.
+
+The default hierarchy can be modifed by assigning the  `parManagementGroupHierarchy` parameter in the parameters file. Each json object in the `parManagementGroupHierarchy` parameter value must have the following properties:
+- `name`
+- `displayName`
+- `children`
+  - Each child is another json object with the same properties as above.
+  - If a management group has no children, then set the `children` property value to an empty array: `[]`
+  - See the default value defined in `managementGroups.bicep` as an example.
+
+The default hierarchy created by the deployment is:
+
+- Tenant Root Group
+  - Top Level Management Group (defined by parameter `parTopLevelManagementGroupDisplayName`)
+    - Platform
+      - Management
+      - Connectivity
+      - Identity
+    - Landing Zones
+      - Corp
+      - Online
+    - Sandbox
+    - Decommissioned
+
+## Parameters
+
+The module requires the following inputs:
+
+| Parameter                             | Type   | Description                                                                                                                                                     | Requirements                      | Example               |
+| ------------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- | --------------------- |
+| parTopLevelManagementGroupPrefix      | string | Prefix for the management group hierarchy.  This management group will be created as part of the deployment.                                                    | 2-10 characters                   | `alz`                 |
+| parTopLevelManagementGroupDisplayName | string | Display name for top level management group.  This name will be applied to the management group prefix defined in `parTopLevelManagementGroupPrefix` parameter. | Minimum two characters            | `Azure Landing Zones` |
+| parTelemetryOptOut                    | bool   | Set Parameter to true to Opt-out of deployment telemetry                                                                                                        | Mandatory input, default: `false` | `false`               |
+| parManagementGroupHierarchy | array | An array of json objects which can be used to overried the default management group structure. |
+
+## Outputs
+
+TBD
+
+## Deployment
+
+In this example, the management groups are created at the `Tenant Root Group` through a tenant-scoped deployment.
+
+> For the examples below we assume you have downloaded or cloned the Git repo as-is and are in the root of the repository as your selected directory in your terminal of choice.
+
+### Azure CLI
+```bash
+# For Azure global regions
+az deployment tenant create \
+  --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep \
+  --parameters @infra-as-code/bicep/modules/managementGroups/managementGroups.parameters.example.json \
+  --location eastus
+```
+OR
+```bash
+# For Azure China regions
+az deployment tenant create \
+  --template-file infra-as-code/bicep/modules/managementGroups/managementGroups.bicep \
+  --parameters @infra-as-code/bicep/modules/managementGroups/managementGroups.parameters.example.json \
+  --location chinaeast2
+```
+
+### PowerShell
+
+```powershell
+# For Azure global regions
+New-AzTenantDeployment `
+  -TemplateFile infra-as-code/bicep/modules/managementGroups/managementGroups.bicep `
+  -TemplateParameterFile infra-as-code/bicep/modules/managementGroups/managementGroups.parameters.example.json `
+  -Location eastus
+```
+OR
+```powershell
+# For Azure China regions
+New-AzTenantDeployment `
+  -TemplateFile infra-as-code/bicep/modules/managementGroups/managementGroups.bicep `
+  -TemplateParameterFile infra-as-code/bicep/modules/managementGroups/managementGroups.parameters.example.json `
+  -Location chinaeast2  
+```
+
+![Example Deployment Output](../../managementGroups/media/exampleDeploymentOutput.png "Example Deployment Output")
+
+## Bicep Visualizer
+
+![Bicep Visualizer](../../managementGroups/media/bicepVisualizer.png "Bicep Visualizer")
diff --git a/infra-as-code/bicep/modules/unstable/managementGroups/bicepconfig.json b/infra-as-code/bicep/modules/unstable/managementGroups/bicepconfig.json
@@ -0,0 +1,64 @@
+{
+  "analyzers": {
+    "core": {
+      "enabled": true,
+      "verbose": true,
+      "rules": {
+        "adminusername-should-not-be-literal": {
+          "level": "error"
+        },
+        "no-hardcoded-env-urls": {
+          "level": "error"
+        },
+        "no-unnecessary-dependson": {
+          "level": "error"
+        },
+        "no-unused-params": {
+          "level": "error"
+        },
+        "no-unused-vars": {
+          "level": "error"
+        },
+        "outputs-should-not-contain-secrets": {
+          "level": "error"
+        },
+        "prefer-interpolation": {
+          "level": "error"
+        },
+        "secure-parameter-default": {
+          "level": "error"
+        },
+        "simplify-interpolation": {
+          "level": "error"
+        },
+        "protect-commandtoexecute-secrets": {
+          "level": "error"
+        },
+        "use-stable-vm-image": {
+          "level": "error"
+        },
+        "explicit-values-for-loc-params": {
+          "level": "error"
+        },
+        "no-hardcoded-location": {
+          "level": "error"
+        },
+        "no-loc-expr-outside-params": {
+          "level": "error"
+        },
+        "max-outputs": {
+          "level": "error"
+        },
+        "max-params": {
+          "level": "error"
+        },
+        "max-resources": {
+          "level": "error"
+        },
+        "max-variables": {
+          "level": "error"
+        }
+      }
+    }
+  }
+}
diff --git a/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupL1.bicep b/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupL1.bicep
@@ -0,0 +1,27 @@
+targetScope = 'tenant'
+
+param parParentManagmentGroupId string
+param parManagementGroupName string
+param parManagementGroupDisplayName string
+param parChildrenManagementGroups array = []
+
+resource resParentedManagementGroup 'Microsoft.Management/managementGroups@2021-04-01' = {
+  name: parManagementGroupName
+  properties: {
+    displayName: parManagementGroupDisplayName
+    details: {
+      parent: {
+        id: parParentManagmentGroupId
+      }
+    }
+  }
+}
+
+module modChildrenManagementGroups 'managementGroupsL2.bicep' = if (length(parChildrenManagementGroups) > 0) {
+  name: '${parManagementGroupName}-children'
+  params: {
+    parParentManagmentGroupId: resParentedManagementGroup.id
+    parParentManagmentGroupName: resParentedManagementGroup.name
+    parManagementGroupHierarchy: parChildrenManagementGroups
+  }
+}
diff --git a/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupL2.bicep b/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupL2.bicep
@@ -0,0 +1,27 @@
+targetScope = 'tenant'
+
+param parParentManagmentGroupId string
+param parManagementGroupName string
+param parManagementGroupDisplayName string
+param parChildrenManagementGroups array = []
+
+resource resParentedManagementGroup 'Microsoft.Management/managementGroups@2021-04-01' = {
+  name: parManagementGroupName
+  properties: {
+    displayName: parManagementGroupDisplayName
+    details: {
+      parent: {
+        id: parParentManagmentGroupId
+      }
+    }
+  }
+}
+
+module modChildrenManagementGroups 'managementGroupsL3.bicep' = if (length(parChildrenManagementGroups) > 0) {
+  name: '${parManagementGroupName}-children'
+  params: {
+    parParentManagmentGroupId: resParentedManagementGroup.id
+    parParentManagmentGroupName: resParentedManagementGroup.name
+    parManagementGroupHierarchy: parChildrenManagementGroups
+  }
+}
diff --git a/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupL3.bicep b/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupL3.bicep
@@ -0,0 +1,27 @@
+targetScope = 'tenant'
+
+param parParentManagmentGroupId string
+param parManagementGroupName string
+param parManagementGroupDisplayName string
+param parChildrenManagementGroups array = []
+
+resource resParentedManagementGroup 'Microsoft.Management/managementGroups@2021-04-01' = {
+  name: parManagementGroupName
+  properties: {
+    displayName: parManagementGroupDisplayName
+    details: {
+      parent: {
+        id: parParentManagmentGroupId
+      }
+    }
+  }
+}
+
+module modChildrenManagementGroups 'managementGroupsL4.bicep' = if (length(parChildrenManagementGroups) > 0) {
+  name: '${parManagementGroupName}-children'
+  params: {
+    parParentManagmentGroupId: resParentedManagementGroup.id
+    parParentManagmentGroupName: resParentedManagementGroup.name
+    parManagementGroupHierarchy: parChildrenManagementGroups
+  }
+}
diff --git a/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupL4.bicep b/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupL4.bicep
@@ -0,0 +1,27 @@
+targetScope = 'tenant'
+
+param parParentManagmentGroupId string
+param parManagementGroupName string
+param parManagementGroupDisplayName string
+param parChildrenManagementGroups array = []
+
+resource resParentedManagementGroup 'Microsoft.Management/managementGroups@2021-04-01' = {
+  name: parManagementGroupName
+  properties: {
+    displayName: parManagementGroupDisplayName
+    details: {
+      parent: {
+        id: parParentManagmentGroupId
+      }
+    }
+  }
+}
+
+module modChildrenManagementGroups 'managementGroupsL5.bicep' = if (length(parChildrenManagementGroups) > 0) {
+  name: '${parManagementGroupName}-children'
+  params: {
+    parParentManagmentGroupId: resParentedManagementGroup.id
+    parParentManagmentGroupName: resParentedManagementGroup.name
+    parManagementGroupHierarchy: parChildrenManagementGroups
+  }
+}
diff --git a/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupL5.bicep b/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupL5.bicep
@@ -0,0 +1,17 @@
+targetScope = 'tenant'
+
+param parParentManagmentGroupId string
+param parManagementGroupName string
+param parManagementGroupDisplayName string
+
+resource resParentedManagementGroup 'Microsoft.Management/managementGroups@2021-04-01' = {
+  name: parManagementGroupName
+  properties: {
+    displayName: parManagementGroupDisplayName
+    details: {
+      parent: {
+        id: parParentManagmentGroupId
+      }
+    }
+  }
+}
diff --git a/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupsL1.bicep b/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupsL1.bicep
@@ -0,0 +1,20 @@
+targetScope = 'tenant'
+
+@description('Resource ID of the parent Management Group')
+param parParentManagmentGroupId string
+
+@description('Name of the parent Management Group')
+param parParentManagmentGroupName string 
+
+@description('Management group hierarchy to be deployed.')
+param parManagementGroupHierarchy array
+
+module modManagementGroup 'managementGroupL1.bicep' = [for (mg, i) in parManagementGroupHierarchy: {
+  name: '${parParentManagmentGroupName}-${mg.name}'
+  params: {
+    parParentManagmentGroupId: parParentManagmentGroupId
+    parManagementGroupName: '${parParentManagmentGroupName}-${mg.name}'
+    parManagementGroupDisplayName: mg.displayName
+    parChildrenManagementGroups: mg.children
+  }
+}]
diff --git a/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupsL2.bicep b/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupsL2.bicep
@@ -0,0 +1,20 @@
+targetScope = 'tenant'
+
+@description('Resource ID of the parent Management Group')
+param parParentManagmentGroupId string
+
+@description('Name of the parent Management Group')
+param parParentManagmentGroupName string 
+
+@description('Management group hierarchy to be deployed.')
+param parManagementGroupHierarchy array
+
+module modManagementGroup 'managementGroupL2.bicep' = [for (mg, i) in parManagementGroupHierarchy: {
+  name: '${parParentManagmentGroupName}-${mg.name}'
+  params: {
+    parParentManagmentGroupId: parParentManagmentGroupId
+    parManagementGroupName: '${parParentManagmentGroupName}-${mg.name}'
+    parManagementGroupDisplayName: mg.displayName
+    parChildrenManagementGroups: mg.children
+  }
+}]
diff --git a/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupsL3.bicep b/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupsL3.bicep
@@ -0,0 +1,20 @@
+targetScope = 'tenant'
+
+@description('Resource ID of the parent Management Group')
+param parParentManagmentGroupId string
+
+@description('Name of the parent Management Group')
+param parParentManagmentGroupName string 
+
+@description('Management group hierarchy to be deployed.')
+param parManagementGroupHierarchy array
+
+module modManagementGroup 'managementGroupL3.bicep' = [for (mg, i) in parManagementGroupHierarchy: {
+  name: '${parParentManagmentGroupName}-${mg.name}'
+  params: {
+    parParentManagmentGroupId: parParentManagmentGroupId
+    parManagementGroupName: '${parParentManagmentGroupName}-${mg.name}'
+    parManagementGroupDisplayName: mg.displayName
+    parChildrenManagementGroups: mg.children
+  }
+}]
diff --git a/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupsL4.bicep b/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupsL4.bicep
@@ -0,0 +1,20 @@
+targetScope = 'tenant'
+
+@description('Resource ID of the parent Management Group')
+param parParentManagmentGroupId string
+
+@description('Name of the parent Management Group')
+param parParentManagmentGroupName string 
+
+@description('Management group hierarchy to be deployed.')
+param parManagementGroupHierarchy array
+
+module modManagementGroup 'managementGroupL4.bicep' = [for (mg, i) in parManagementGroupHierarchy: {
+  name: '${parParentManagmentGroupName}-${mg.name}'
+  params: {
+    parParentManagmentGroupId: parParentManagmentGroupId
+    parManagementGroupName: '${parParentManagmentGroupName}-${mg.name}'
+    parManagementGroupDisplayName: mg.displayName
+    parChildrenManagementGroups: mg.children
+  }
+}]
diff --git a/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupsL5.bicep b/infra-as-code/bicep/modules/unstable/managementGroups/children/managementGroupsL5.bicep
@@ -0,0 +1,19 @@
+targetScope = 'tenant'
+
+@description('Resource ID of the parent Management Group')
+param parParentManagmentGroupId string
+
+@description('Name of the parent Management Group')
+param parParentManagmentGroupName string 
+
+@description('Management group hierarchy to be deployed.')
+param parManagementGroupHierarchy array
+
+module modManagementGroup 'managementGroupL5.bicep' = [for (mg, i) in parManagementGroupHierarchy: {
+  name: '${parParentManagmentGroupName}-${mg.name}'
+  params: {
+    parParentManagmentGroupId: parParentManagmentGroupId
+    parManagementGroupName: '${parParentManagmentGroupName}-${mg.name}'
+    parManagementGroupDisplayName: mg.displayName
+  }
+}]