From e0f233e3427cb1b22c2499d988ea61af16008180 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 24 Jun 2024 13:58:31 +0100 Subject: [PATCH 01/33] Update configuration to support bootstrap --- .../.config/ALZ-Powershell.config.json | 135 +++++++++++++++++- 1 file changed, 129 insertions(+), 6 deletions(-) diff --git a/accelerator/.config/ALZ-Powershell.config.json b/accelerator/.config/ALZ-Powershell.config.json index 190d35579..493202675 100644 --- a/accelerator/.config/ALZ-Powershell.config.json +++ b/accelerator/.config/ALZ-Powershell.config.json 
@@ -1,4 +1,100 @@ { + "starter_modules": { + "complete": { + "location": ".", + "short_name": "Complete", + "description": "Complete Azure Landing Zones Deployment" + } + }, + "deployment_files": [ + { + "displayName": "Management Groups Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/managementGroups/managementGroupsScopeEscape.bicep", + "templateParametersFilePath": "./config/custom-parameters/managementGroups.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json", + "deploymentType": "managementGroup" + }, + { + "displayName": "Logging and Sentinel Resource Group Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/resourceGroupLoggingAndSentinel.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", + "subscriptionType": "management", + "deploymentType": "subscription" + }, + { + "displayName": "Logging and Sentinel Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/logging/logging.bicep", + "templateParametersFilePath": "./config/custom-parameters/logging.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json", + "subscriptionType": "management", + "deploymentType": "subscription" + }, + { + "displayName": "Custom Policy Definitions Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep", + "templateParametersFilePath": "./config/custom-parameters/customPolicyDefinitions.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json", + "deploymentType": "managementGroup" + }, + { + 
"displayName": "Custom Role Definitions Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep", + "templateParametersFilePath": "./config/custom-parameters/customRoleDefinitions.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json", + "deploymentType": "managementGroup" + }, + { + "displayName": "Custom Management Group Diagnostic Settings", + "templateFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep", + "templateParametersFilePath": "./config/custom-parameters/mgDiagSettingsAll.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json", + "deploymentType": "managementGroup" + }, + { + "displayName": "Built-in and Custom Policy Assignments Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep", + "templateParametersFilePath": "./config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json", + "deploymentType": "managementGroup" + }, + { + "displayName": "Deploy Subscription Placement", + "templateFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep", + "templateParametersFilePath": "./config/custom-parameters/subPlacementAll.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json", + "deploymentType": "managementGroup" + }, + { + "displayName": "Connectivity Resource Group Deployment", + "templateFilePath": 
"./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/resourceGroupConnectivity.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", + "subscriptionType": "connectivity", + "deploymentType": "subscription" + }, + { + "displayName": "Hub (Hub-and-Spoke) Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep", + "templateParametersFilePath": "./config/custom-parameters/hubNetworking.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json", + "subscriptionType": "connectivity", + "resourceGroupType": "connectivity", + "networkType": "hubNetworking", + "deploymentType": "resourceGroup" + }, + { + "displayName": "Hub (VWAN) Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep", + "templateParametersFilePath": "./config/custom-parameters/vwanConnectivity.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json", + "subscriptionType": "connectivity", + "resourceGroupType": "connectivity", + "networkType": "vwanConnectivity", + "deploymentType": "resourceGroup" + } + ], + "config_files": [ { "source": "infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json", @@ -259,6 +355,11 @@ { "name": "TOP_LEVEL_MG_PREFIX", "destination": "Environment" + }, + { + "name": "MANAGEMENT_GROUP_ID", + "destination": "Environment", + "required": true } ], "Value": "", @@ -288,7 +389,8 @@ }, { "Name": "LOCATION", - "Destination": "Environment" + "Destination": "Environment", + "Required": true } ], "AllowedValues": { 
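Review bot: The new `"required": true` in the @@ -259 hunk is lower-case while the same attribute is written `"Required": true` in the @@ -288 hunk and in every later target, so the file now carries two spellings of one schema key (the same split already exists for `name`/`Name` and `destination`/`Destination` in the surrounding context). PowerShell's ConvertFrom-Json resolves properties case-insensitively, but a stricter consumer or a JSON Schema check will treat them as different properties; pick one casing, `"Required": true`, and use it in both places. In the first hunk the two hub entries ("Hub (Hub-and-Spoke)" and "Hub (VWAN)") both sit in `deployment_files` carrying a `networkType` label, yet nothing in this commit defines a `networkType` input that would pick one of them, so as committed both look deployable; if the consumer filters on a key introduced separately, that dependency belongs in the change description.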
@@ -391,7 +493,8 @@ "Targets": [ { "Name": "IDENTITY_SUBSCRIPTION_ID", - "Destination": "Environment" + "Destination": "Environment", + "Required": true } ], "Value": "" @@ -403,7 +506,8 @@ "Targets": [ { "Name": "CONNECTIVITY_SUBSCRIPTION_ID", - "Destination": "Environment" + "Destination": "Environment", + "Required": true } ], "Value": "" @@ -415,7 +519,8 @@ "Targets": [ { "Name": "MANAGEMENT_SUBSCRIPTION_ID", - "Destination": "Environment" + "Destination": "Environment", + "Required": true } ], "Value": "" @@ -659,7 +764,8 @@ "Targets": [ { "Name": "CONNECTIVITY_RESOURCE_GROUP", - "Destination": "Environment" + "Destination": "Environment", + "Required": true }, { "File": "resourceGroupConnectivity.parameters.all.json", @@ -674,7 +780,8 @@ "Targets": [ { "Name": "LOGGING_RESOURCE_GROUP", - "Destination": "Environment" + "Destination": "Environment", + "Required": true }, { "File": "resourceGroupLoggingAndSentinel.parameters.all.json", @@ -682,6 +789,22 @@ "Destination": "Parameters" } ] + }, + "RootParentManagementGroupId": { + "Type": "Computed", + "Value": "", + "Targets": [ + { + "Name": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "Destination": "Environment", + "Required": true + }, + { + "File": "managementGroups.parameters.all.json", + "Name": "parTopLevelManagementGroupParentId.value", + "Destination": "Parameters" + } + ] } } } From f317be7d8767c8003ee844168aa3de31a6464643 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 24 Jun 2024 14:09:13 +0100 Subject: [PATCH 02/33] Add networking type option --- .../.config/ALZ-Powershell.config.json | 43 +++++++++++++++---- 1 file changed, 35 insertions(+), 8 deletions(-) diff --git a/accelerator/.config/ALZ-Powershell.config.json b/accelerator/.config/ALZ-Powershell.config.json index 493202675..ca364daf9 100644 --- a/accelerator/.config/ALZ-Powershell.config.json +++ b/accelerator/.config/ALZ-Powershell.config.json 
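Review bot: `RootParentManagementGroupId` in the @@ -682 hunk is `"Type": "Computed"` with `"Value": ""` and a `"Required": true` target, but unlike the UserInput entries around it carries no `Description`, so a reader cannot tell how the value is produced or what running a deployment at that scope implies. The same variable feeds `parTopLevelManagementGroupParentId.value`, i.e. the parent under which the landing-zone root is created; if that resolves to the tenant root group, the identity running the bootstrap needs deployment rights at that scope, which is worth stating in the entry. Suggest adding `"Description": "Parent management group under which the landing-zone root is created; populated by the bootstrap rather than prompted (confirm) and requires deployment rights at that scope."`.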
@@ -12,6 +12,7 @@ "templateFilePath": "./infra-as-code/bicep/modules/managementGroups/managementGroupsScopeEscape.bicep", "templateParametersFilePath": "./config/custom-parameters/managementGroups.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json", + "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup" }, { @@ -19,7 +20,7 @@ "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", "templateParametersFilePath": "./config/custom-parameters/resourceGroupLoggingAndSentinel.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", - "subscriptionType": "management", + "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", "deploymentType": "subscription" }, { @@ -27,14 +28,16 @@ "templateFilePath": "./infra-as-code/bicep/modules/logging/logging.bicep", "templateParametersFilePath": "./config/custom-parameters/logging.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json", - "subscriptionType": "management", - "deploymentType": "subscription" + "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", + "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", + "deploymentType": "resourceGroup" }, { "displayName": "Custom Policy Definitions Deployment", "templateFilePath": "./infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep", "templateParametersFilePath": "./config/custom-parameters/customPolicyDefinitions.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json", + "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup" }, { 
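Review bot: In the @@ -27 hunk the Custom Policy Definitions deployment is bound to `ROOT_PARENT_MANAGEMENT_GROUP_ID`, the parent of the landing-zone root, and the @@ -42, -49, -56 and -63 hunks on the next line do the same for role definitions, diagnostic settings, policy assignments and subscription placement; only the Management Groups deployment itself needs to run at the parent scope, the rest appear to belong at the landing-zone root (`MANAGEMENT_GROUP_ID`, which this file already exposes as a required Environment target). Deploying definitions and assignments one level up makes them apply beyond the landing zone and requires the bootstrap identity to hold deployment rights at the parent, so `"managementGroupId": "MANAGEMENT_GROUP_ID"` is the safer binding for those five entries. Separately, in the same @@ -27 hunk the Logging and Sentinel deployment takes `"resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP"` while its subscription is `MANAGEMENT_SUBSCRIPTION_ID`; the logging resource group is defined under `LOGGING_RESOURCE_GROUP` further down, so this looks like a copy slip.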
@@ -42,6 +45,7 @@ "templateFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep", "templateParametersFilePath": "./config/custom-parameters/customRoleDefinitions.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json", + "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup" }, { @@ -49,6 +53,7 @@ "templateFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep", "templateParametersFilePath": "./config/custom-parameters/mgDiagSettingsAll.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json", + "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup" }, { @@ -56,6 +61,7 @@ "templateFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep", "templateParametersFilePath": "./config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json", + "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup" }, { @@ -63,6 +69,7 @@ "templateFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep", "templateParametersFilePath": "./config/custom-parameters/subPlacementAll.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json", + "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup" }, { 
@@ -70,7 +77,7 @@ "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", "templateParametersFilePath": "./config/custom-parameters/resourceGroupConnectivity.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", - "subscriptionType": "connectivity", + "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", "deploymentType": "subscription" }, { @@ -78,8 +85,8 @@ "templateFilePath": "./infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep", "templateParametersFilePath": "./config/custom-parameters/hubNetworking.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json", - "subscriptionType": "connectivity", - "resourceGroupType": "connectivity", + "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", + "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", "networkType": "hubNetworking", "deploymentType": "resourceGroup" }, @@ -88,8 +95,8 @@ "templateFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep", "templateParametersFilePath": "./config/custom-parameters/vwanConnectivity.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json", - "subscriptionType": "connectivity", - "resourceGroupType": "connectivity", + "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", + "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", "networkType": "vwanConnectivity", "deploymentType": "resourceGroup" } 
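Review bot: The keys introduced here read as literal identifiers — `subscriptionId`, `resourceGroupName` — but their values (`CONNECTIVITY_SUBSCRIPTION_ID`, `CONNECTIVITY_RESOURCE_GROUP`) are the `Name`s of Environment targets declared later in this file, i.e. symbolic references resolved at run time; the same holds for `managementGroupId` in the earlier hunks. Nothing in the JSON says so and JSON cannot carry a comment, so a later edit could paste a real GUID into `subscriptionId` and, depending on how the consumer resolves the name, end up with an empty or wrong scope rather than an obvious error. Worth documenting the convention alongside the `starter_modules` definition in the module README, or naming the keys to show the indirection, e.g. `subscriptionIdVariable`; in either case the consumer should fail when a referenced target name does not exist rather than deploy with an empty scope.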
@@ -486,6 +493,26 @@ "DefaultValue": "live", "Valid": "^[a-zA-Z0-9]{2,10}$" }, + "networkType": { + "Type": "UserInput", + "Description": "The type of networking to deploy. (e.g. 'hubNetworking', 'vwanConnectivity')", + "Value": "", + "DefaultValue": "hubNetworking", + "Targets": [ + { + "Name": "NETWORK_TYPE", + "Destination": "Environment", + "Required": true + } + ], + "AllowedValues": { + "Display": true, + "Values": [ + "hubNetworking", + "vwanConnectivity" + ] + } + }, "IdentitySubscriptionId": { "Type": "UserInput", "Description": "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')", From c2b0b84a4079e9122d4c5149ed3bef164d359942 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 24 Jun 2024 15:53:22 +0100 Subject: [PATCH 03/33] Latest updates for bootstrap --- .../.config/ALZ-Powershell.config.json | 33 ++++++++++++------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/accelerator/.config/ALZ-Powershell.config.json b/accelerator/.config/ALZ-Powershell.config.json index ca364daf9..c30e53df7 100644 --- a/accelerator/.config/ALZ-Powershell.config.json +++ b/accelerator/.config/ALZ-Powershell.config.json @@ -13,7 +13,8 @@ "templateParametersFilePath": "./config/custom-parameters/managementGroups.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", - "deploymentType": "managementGroup" + "deploymentType": "managementGroup", + "order": 1 }, { "displayName": "Logging and Sentinel Resource Group Deployment", 
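Review bot: The new `networkType` entry in the @@ -486 hunk is the only top-level input key written in camelCase; its siblings (`IdentitySubscriptionId`, `RootParentManagementGroupId`) are PascalCase, so `"NetworkType": {` would keep the input map consistent and avoid a case-sensitive consumer treating it differently. The entry is otherwise well constrained: `AllowedValues` closes the set to exactly the two values used as `networkType` labels in `deployment_files`, and `Required: true` together with a `DefaultValue` means it can never be empty. The `Description` should also say that the choice presumably selects which of the two Hub deployments runs, since those labels are the only place the value is consumed in this file.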
@@ -21,7 +22,8 @@ "templateParametersFilePath": "./config/custom-parameters/resourceGroupLoggingAndSentinel.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", - "deploymentType": "subscription" + "deploymentType": "subscription", + "order": 2 }, { "displayName": "Logging and Sentinel Deployment", @@ -30,7 +32,8 @@ "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json", "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", - "deploymentType": "resourceGroup" + "deploymentType": "resourceGroup", + "order": 3 }, { "displayName": "Custom Policy Definitions Deployment", @@ -38,7 +41,8 @@ "templateParametersFilePath": "./config/custom-parameters/customPolicyDefinitions.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", - "deploymentType": "managementGroup" + "deploymentType": "managementGroup", + "order": 4 }, { "displayName": "Custom Role Definitions Deployment", @@ -46,7 +50,8 @@ "templateParametersFilePath": "./config/custom-parameters/customRoleDefinitions.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", - "deploymentType": "managementGroup" + "deploymentType": "managementGroup", + "order": 5 }, { "displayName": "Custom Management Group Diagnostic Settings", 
@@ -54,7 +59,8 @@ "templateParametersFilePath": "./config/custom-parameters/mgDiagSettingsAll.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", - "deploymentType": "managementGroup" + "deploymentType": "managementGroup", + "order": 6 }, { "displayName": "Built-in and Custom Policy Assignments Deployment", @@ -62,7 +68,8 @@ "templateParametersFilePath": "./config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", - "deploymentType": "managementGroup" + "deploymentType": "managementGroup", + "order": 7 }, { "displayName": "Deploy Subscription Placement", @@ -70,7 +77,8 @@ "templateParametersFilePath": "./config/custom-parameters/subPlacementAll.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", - "deploymentType": "managementGroup" + "deploymentType": "managementGroup", + "order": 8 }, { "displayName": "Connectivity Resource Group Deployment", @@ -78,7 +86,8 @@ "templateParametersFilePath": "./config/custom-parameters/resourceGroupConnectivity.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", - "deploymentType": "subscription" + "deploymentType": "subscription", + "order": 9 }, { "displayName": "Hub (Hub-and-Spoke) Deployment", 
@@ -88,7 +97,8 @@ "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", "networkType": "hubNetworking", - "deploymentType": "resourceGroup" + "deploymentType": "resourceGroup", + "order": 10 }, { "displayName": "Hub (VWAN) Deployment", @@ -98,7 +108,8 @@ "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", "networkType": "vwanConnectivity", - "deploymentType": "resourceGroup" + "deploymentType": "resourceGroup", + "order": 10 } ], From 2cae6c3bdd2c4579dc660465e57064af08d190c8 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Tue, 25 Jun 2024 15:18:11 +0100 Subject: [PATCH 04/33] Fix RG name --- accelerator/.config/ALZ-Powershell.config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/accelerator/.config/ALZ-Powershell.config.json b/accelerator/.config/ALZ-Powershell.config.json index c30e53df7..c9896a095 100644 --- a/accelerator/.config/ALZ-Powershell.config.json +++ b/accelerator/.config/ALZ-Powershell.config.json @@ -31,7 +31,7 @@ "templateParametersFilePath": "./config/custom-parameters/logging.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json", "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", - "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", + "resourceGroupName": "LOGGING_RESOURCE_GROUP", "deploymentType": "resourceGroup", "order": 3 }, From 533c9fcaa6a8b019d514d47b93ab7a0b9467bdbc Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Tue, 25 Jun 2024 16:59:37 +0100 Subject: [PATCH 05/33] Add manual whatif overrides --- accelerator/.config/ALZ-Powershell.config.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/accelerator/.config/ALZ-Powershell.config.json b/accelerator/.config/ALZ-Powershell.config.json index c9896a095..f2dda458e 100644 --- a/accelerator/.config/ALZ-Powershell.config.json 
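Review bot: The @@ -88 and @@ -98 hunks give both the Hub-and-Spoke and the VWAN deployment `"order": 10`, the only duplicated value in the 1–10 sequence. If the consumer sorts by `order`, a tie leaves the relative order of the two undefined; the duplication is presumably intentional because `networkType` makes the entries mutually exclusive, but the file cannot say so. Either give them distinct values (`10` and `11`) so ordering never depends on the selection rule, or state the mutual-exclusion rule in the module README next to the description of `order`.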
+++ b/accelerator/.config/ALZ-Powershell.config.json @@ -14,6 +14,7 @@ "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", + "firstRunWhatIf": true, "order": 1 }, { @@ -23,6 +24,7 @@ "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", "deploymentType": "subscription", + "firstRunWhatIf": true, "order": 2 }, { @@ -33,6 +35,7 @@ "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", "resourceGroupName": "LOGGING_RESOURCE_GROUP", "deploymentType": "resourceGroup", + "firstRunWhatIf": false, "order": 3 }, { @@ -42,6 +45,7 @@ "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", + "firstRunWhatIf": true, "order": 4 }, { @@ -51,6 +55,7 @@ "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", + "firstRunWhatIf": true, "order": 5 }, { @@ -60,6 +65,7 @@ "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", + "firstRunWhatIf": false, "order": 6 }, { 
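Review bot: `firstRunWhatIf` is set to `false` on the Logging and Sentinel, Diagnostic Settings, Policy Assignments, Subscription Placement and both Hub deployments (the @@ -33 and @@ -60 hunks here and the @@ -69, -78, -87, -98 and -109 hunks on the next line), which, going by the key name, means those templates are applied on the first run without a what-if preview — for policy assignments with Deny or DeployIfNotExists effects that is precisely the step an operator wants to see before it lands. The pattern suggests the flag is off wherever the template references resources that earlier entries create in the same run, so that a what-if would fail rather than be informative, but nothing records that and JSON cannot carry a comment. Suggest a sentence in the module README or the commit message stating the rule, and confirming that the what-if for these entries is still exercised on every subsequent run.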
@@ -69,6 +75,7 @@ "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", + "firstRunWhatIf": false, "order": 7 }, { @@ -78,6 +85,7 @@ "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", + "firstRunWhatIf": false, "order": 8 }, { @@ -87,6 +95,7 @@ "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", "deploymentType": "subscription", + "firstRunWhatIf": true, "order": 9 }, { @@ -98,6 +107,7 @@ "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", "networkType": "hubNetworking", "deploymentType": "resourceGroup", + "firstRunWhatIf": false, "order": 10 }, { @@ -109,10 +119,10 @@ "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", "networkType": "vwanConnectivity", "deploymentType": "resourceGroup", + "firstRunWhatIf": false, "order": 10 } ], - "config_files": [ { "source": "infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json", From ca95ffc8692a52fc3b6ddc266fd31fa1026eaffc Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Tue, 25 Jun 2024 19:00:20 +0100 Subject: [PATCH 06/33] Fix MG id --- accelerator/.config/ALZ-Powershell.config.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/accelerator/.config/ALZ-Powershell.config.json b/accelerator/.config/ALZ-Powershell.config.json index f2dda458e..33ae37721 100644 --- a/accelerator/.config/ALZ-Powershell.config.json +++ b/accelerator/.config/ALZ-Powershell.config.json 
@@ -43,7 +43,7 @@ "templateFilePath": "./infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep", "templateParametersFilePath": "./config/custom-parameters/customPolicyDefinitions.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json", - "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "managementGroupId": "MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": true, "order": 4 @@ -53,7 +53,7 @@ "templateFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep", "templateParametersFilePath": "./config/custom-parameters/customRoleDefinitions.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json", - "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "managementGroupId": "MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": true, "order": 5 @@ -63,7 +63,7 @@ "templateFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep", "templateParametersFilePath": "./config/custom-parameters/mgDiagSettingsAll.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json", - "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "managementGroupId": "MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": false, "order": 6 
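Review bot: Moving the definition, diagnostic-setting, assignment and placement deployments from `ROOT_PARENT_MANAGEMENT_GROUP_ID` to `MANAGEMENT_GROUP_ID` (this hunk and @@ -53, -63, -73, -83) narrows them to the landing-zone root, which is the right scope; one consequence to confirm is that the Custom Policy Definitions and Custom Role Definitions entries (orders 4 and 5) keep `"firstRunWhatIf": true` while now targeting a management group that order 1 creates in the same run. If the consumer evaluates the what-ifs before order 1 has been applied, that preview runs against a scope that does not yet exist; if each entry's what-if runs immediately before its own deployment, it is fine. Either way, the `MANAGEMENT_GROUP_ID` input should say in its entry that it must be the id of the group created by the Management Groups deployment — the entry it shares with `TOP_LEVEL_MG_PREFIX` gives no hint of that relationship in what is visible here.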
@@ -73,7 +73,7 @@ "templateFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep", "templateParametersFilePath": "./config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json", - "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "managementGroupId": "MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": false, "order": 7 @@ -83,7 +83,7 @@ "templateFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep", "templateParametersFilePath": "./config/custom-parameters/subPlacementAll.parameters.all.json", "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json", - "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "managementGroupId": "MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": false, "order": 8 From 69771b7ab980a08867f26566101c641938049706 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Wed, 26 Jun 2024 15:44:54 +0100 Subject: [PATCH 07/33] Revert and add new config --- .../.config/ALZ-Powershell-Auto.config.json | 577 ++++++++++++++++++ .../.config/ALZ-Powershell.config.json | 183 +----- 2 files changed, 583 insertions(+), 177 deletions(-) create mode 100644 accelerator/.config/ALZ-Powershell-Auto.config.json diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json new file mode 100644 index 000000000..06aa88447 --- /dev/null +++ b/accelerator/.config/ALZ-Powershell-Auto.config.json 
@@ -0,0 +1,577 @@ +{ + "starter_modules": { + "complete": { + "location": ".", + "short_name": "Complete", + "description": "Complete Azure Landing Zones Deployment", + "deployment_files": [ + { + "displayName": "Management Groups Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/managementGroups/managementGroupsScopeEscape.bicep", + "templateParametersFilePath": "./config/custom-parameters/managementGroups.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json", + "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": true, + "order": 1 + }, + { + "displayName": "Logging and Sentinel Resource Group Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/resourceGroupLoggingAndSentinel.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", + "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", + "deploymentType": "subscription", + "firstRunWhatIf": true, + "order": 2 + }, + { + "displayName": "Logging and Sentinel Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/logging/logging.bicep", + "templateParametersFilePath": "./config/custom-parameters/logging.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json", + "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", + "resourceGroupName": "LOGGING_RESOURCE_GROUP", + "deploymentType": "resourceGroup", + "firstRunWhatIf": false, + "order": 3 + }, + { + "displayName": "Custom Policy Definitions Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep", + "templateParametersFilePath": 
"./config/custom-parameters/customPolicyDefinitions.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json", + "managementGroupId": "MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": true, + "order": 4 + }, + { + "displayName": "Custom Role Definitions Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep", + "templateParametersFilePath": "./config/custom-parameters/customRoleDefinitions.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json", + "managementGroupId": "MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": true, + "order": 5 + }, + { + "displayName": "Custom Management Group Diagnostic Settings", + "templateFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep", + "templateParametersFilePath": "./config/custom-parameters/mgDiagSettingsAll.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json", + "managementGroupId": "MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": false, + "order": 6 + }, + { + "displayName": "Built-in and Custom Policy Assignments Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep", + "templateParametersFilePath": "./config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json", + "managementGroupId": "MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + 
"firstRunWhatIf": false, + "order": 7 + }, + { + "displayName": "Deploy Subscription Placement", + "templateFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep", + "templateParametersFilePath": "./config/custom-parameters/subPlacementAll.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json", + "managementGroupId": "MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": false, + "order": 8 + }, + { + "displayName": "Connectivity Resource Group Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/resourceGroupConnectivity.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", + "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", + "deploymentType": "subscription", + "firstRunWhatIf": true, + "order": 9 + }, + { + "displayName": "Hub (Hub-and-Spoke) Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep", + "templateParametersFilePath": "./config/custom-parameters/hubNetworking.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json", + "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", + "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", + "networkType": "hubNetworking", + "deploymentType": "resourceGroup", + "firstRunWhatIf": false, + "order": 10 + }, + { + "displayName": "Hub (VWAN) Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep", + "templateParametersFilePath": "./config/custom-parameters/vwanConnectivity.parameters.all.json", + "templateParametersSourceFilePath": 
"./infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json", + "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", + "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", + "networkType": "vwanConnectivity", + "deploymentType": "resourceGroup", + "firstRunWhatIf": false, + "order": 10 + } + ], + "inputs": { + "Prefix": { + "source": "input", + "type": "string", + "description": "The prefix that will be added to all resources created by this deployment. (e.g. 'alz')", + "Targets": [ + { + "Name": "parTopLevelManagementGroupPrefix.value", + "Destination": "Parameters" + }, + { + "Name": "parCompanyPrefix.value", + "Destination": "Parameters" + }, + { + "Name": "parTargetManagementGroupId.value", + "Destination": "Parameters" + }, + { + "Name": "parAssignableScopeManagementGroupId.value", + "Destination": "Parameters" + }, + { + "name": "MANAGEMENT_GROUP_ID", + "destination": "Environment" + } + ], + "default": "alz", + "validation": "azure_name" + }, + "Location": { + "source": "input", + "type": "string", + "description": "Deployment location. (e.g. 'uksouth')", + "Targets": [ + { + "Name": "parLocation.value", + "Destination": "Parameters" + }, + { + "Name": "parAutomationAccountLocation.value", + "Destination": "Parameters" + }, + { + "Name": "parPolicyAssignmentParameters.value.ascExportResourceGroupLocation.value", + "Destination": "Parameters" + }, + { + "Name": "parVirtualWanHubs.value.[0].parHubLocation", + "Destination": "Parameters" + }, + { + "Name": "LOCATION", + "Destination": "Environment" + } + ], + "validation": "azure_location" + }, + "Environment": { + "source": "input", + "type": "string", + "description": "The Type of environment that will be created. (e.g. 
'live', 'canary')", + "Targets": [ + { + "Name": "parEnvironment.value", + "Destination": "Parameters" + }, + { + "Name": "parTags.value.Environment", + "Destination": "Parameters" + } + ], + "default": "live", + "validation": "azure_name_section" + }, + "networkType": { + "source": "input", + "type": "string", + "description": "The type of networking to deploy. (e.g. 'hubNetworking', 'vwanConnectivity')", + "default": "hubNetworking", + "Targets": [ + { + "Name": "NETWORK_TYPE", + "Destination": "Environment" + } + ], + "validation": "network_type" + }, + "IdentitySubscriptionId": { + "source": "input", + "type": "string", + "description": "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')", + "validation": "azure_subscription_id", + "Targets": [ + { + "Name": "IDENTITY_SUBSCRIPTION_ID", + "Destination": "Environment" + } + ] + }, + "ConnectivitySubscriptionId": { + "source": "input", + "type": "string", + "description": "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')", + "validation": "azure_subscription_id", + "Targets": [ + { + "Name": "CONNECTIVITY_SUBSCRIPTION_ID", + "Destination": "Environment" + } + ] + }, + "ManagementSubscriptionId": { + "source": "input", + "type": "string", + "description": "The identifier of the Management Subscription. (e.g 00000000-0000-0000-0000-000000000000)", + "validation": "azure_subscription_id", + "Targets": [ + { + "Name": "MANAGEMENT_SUBSCRIPTION_ID", + "Destination": "Environment" + } + ] + }, + "SecurityContact": { + "source": "input", + "type": "string", + "description": "The email address of the contact for security issues. (e.g. 
security@contactme.com)", + "validation": "email", + "Targets": [ + { + "Name": "parMsDefenderForCloudEmailSecurityContact.value", + "Destination": "Parameters" + } + ] + }, + "LogAnalyticsWorkspaceLocation": { + "source": "powershell", + "type": "string", + "Value": "{%Location%}", + "Process": "($args[0] -eq \"eastus\") ? \"eastus2\" : ($args[0] -eq \"eastus2\") ? \"eastus\" : $args[0]", + "Targets": [ + { + "Name": "parLogAnalyticsWorkspaceLocation.value", + "Destination": "Parameters" + }, + { + "Name": "parLogAnalyticsWorkSpaceAndAutomationAccountLocation.value", + "Destination": "Parameters" + } + ] + }, + "LogAnalyticsResourceId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/microsoft.operationalinsights/workspaces/alz-log-analytics", + "Targets": [ + { + "Name": "parLogAnalyticsWorkspaceResourceId.value", + "Destination": "Parameters" + } + ] + }, + "DataCollectionRuleVMInsightsResourceId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr", + "Targets": [ + { + "Name": "parDataCollectionRuleVMInsightsResourceId.value", + "Destination": "Parameters" + } + ] + }, + "DataCollectionRuleChangeTrackingResourceId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr", + "Targets": [ + { + "Name": "parDataCollectionRuleChangeTrackingResourceId.value", + "Destination": "Parameters" + } + ] + }, + "DataCollectionRuleMDFCSQLResourceId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr", + 
"Targets": [ + { + "Name": "parDataCollectionRuleMDFCSQLResourceId.value", + "Destination": "Parameters" + } + ] + }, + "UserAssignedManagedIdentityResourceId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity", + "Targets": [ + { + "Name": "parUserAssignedManagedIdentityResourceId.value", + "Destination": "Parameters" + } + ] + }, + "DdosPretectionPlanId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ConnectivitySubscriptionId%}/resourceGroups/rg-{%Prefix%}-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan", + "Targets": [ + { + "Name": "parDdosProtectionPlanId.value", + "Destination": "Parameters" + } + ] + }, + "PrivateDnsResourceGroupId": { + "source": "powershell", + "type": "string", + "Value": "/subscriptions/{%ConnectivitySubscriptionId%}/resourceGroups/rg-{%Prefix%}-connectivity", + "Targets": [ + { + "Name": "parPrivateDnsResourceGroupId.value", + "Destination": "Parameters" + } + ] + }, + "ManagementSubscriptionGroup": { + "source": "powershell", + "type": "string", + "Value": [ + "{%ManagementSubscriptionId%}" + ], + "Targets": [ + { + "Name": "parPlatformManagementMgSubs.value", + "Destination": "Parameters" + } + ] + }, + "ConnectivitySubscriptionGroup": { + "source": "powershell", + "type": "string", + "Value": [ + "{%ConnectivitySubscriptionId%}" + ], + "Targets": [ + { + "Name": "parPlatformConnectivityMgSubs.value", + "Destination": "Parameters" + } + ] + }, + "IdentitySubscriptionGroup": { + "source": "powershell", + "type": "string", + "Value": [ + "{%IdentitySubscriptionId%}" + ], + "Targets": [ + { + "Name": "parPlatformIdentityMgSubs.value", + "Destination": "Parameters" + } + ] + }, + "HubNetworkName": { + "source": "powershell", + "type": "string", + "Value": "alz-hub-{%Location%}", + "Targets": [ + { + "Name": 
"parHubNetworkName.value", + "Destination": "Parameters" + } + ] + }, + "VirtualIdToLink": { + "source": "powershell", + "type": "string", + "Value": "", + "Targets": [ + { + "Name": "parVirtualNetworkIdToLink.value", + "Destination": "Parameters" + } + ] + }, + "VirtualWanName": { + "source": "powershell", + "type": "string", + "Value": "alz-vwan-{%Location%}", + "Targets": [ + { + "Name": "parVirtualWanName.value", + "Destination": "Parameters" + } + ] + }, + "AzFirewallName": { + "source": "powershell", + "type": "string", + "Value": "alz-azfw-{%Location%}", + "Targets": [ + { + "Name": "parAzFirewallName.value", + "Destination": "Parameters" + } + ] + }, + "FirewallPoliciesName": { + "source": "powershell", + "type": "string", + "Value": "alz-azfwpolicy-{%Location%}", + "Targets": [ + { + "Name": "parAzFirewallPoliciesName.value", + "Destination": "Parameters" + } + ] + }, + "AK8sPrivateLink": { + "source": "powershell", + "type": "string", + "Value": "privatelink.{%Location%}.azmk8s.io", + "Targets": [ + { + "Name": "parPrivateDnsZones.value.[0]", + "Destination": "Parameters" + } + ] + }, + "BatchPrivateLink": { + "source": "powershell", + "type": "string", + "Value": "privatelink.{%Location%}.batch.azure.com", + "Targets": [ + { + "Name": "parPrivateDnsZones.value.[1]", + "Destination": "Parameters" + } + ] + }, + "KustoPrivateLink": { + "source": "powershell", + "type": "string", + "Value": "privatelink.{%Location%}.kusto.windows.net", + "Targets": [ + { + "Name": "parPrivateDnsZones.value.[2]", + "Destination": "Parameters" + } + ] + }, + "BackupPrivateLink": { + "source": "powershell", + "type": "string", + "Value": "privatelink.{%Location%}.backup.windowsazure.com", + "Targets": [ + { + "Name": "parPrivateDnsZones.value.[3]", + "Destination": "Parameters" + } + ] + }, + "ConnectivityResourceGroupName": { + "source": "powershell", + "type": "string", + "Value": "rg-{%Prefix%}-connectivity", + "Targets": [ + { + "Name": "CONNECTIVITY_RESOURCE_GROUP", + 
"Destination": "Environment" + }, + { + "File": "resourceGroupConnectivity.parameters.all.json", + "Name": "parResourceGroupName.value", + "Destination": "Parameters" + } + ] + }, + "LoggingResourceGroupName": { + "source": "powershell", + "type": "string", + "Value": "rg-{%Prefix%}-logging", + "Targets": [ + { + "Name": "LOGGING_RESOURCE_GROUP", + "Destination": "Environment" + }, + { + "File": "resourceGroupLoggingAndSentinel.parameters.all.json", + "Name": "parResourceGroupName.value", + "Destination": "Parameters" + } + ] + }, + "RootParentManagementGroupId": { + "source": "powershell", + "type": "string", + "Value": "", + "Targets": [ + { + "Name": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "Destination": "Environment" + }, + { + "File": "managementGroups.parameters.all.json", + "Name": "parTopLevelManagementGroupParentId.value", + "Destination": "Parameters" + } + ] + } + } + }, + "test": { + "location": ".", + "short_name": "Test", + "description": "Test Deployment used to e2e tests", + "deployment_files": [ + { + "displayName": "Management Groups Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/managementGroups/managementGroupsScopeEscape.bicep", + "templateParametersFilePath": "./config/custom-parameters/managementGroups.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json", + "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "deploymentType": "managementGroup", + "firstRunWhatIf": true, + "order": 1 + } + ], + "inputs" : { + "RootParentManagementGroupId": { + "source": "powershell", + "type": "string", + "Value": "", + "Targets": [ + { + "Name": "ROOT_PARENT_MANAGEMENT_GROUP_ID", + "Destination": "Environment" + }, + { + "File": "managementGroups.parameters.all.json", + "Name": "parTopLevelManagementGroupParentId.value", + "Destination": "Parameters" + } + ] + } + } + } + } +} 
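Review bot: The `ManagementSubscriptionGroup`, `ConnectivitySubscriptionGroup` and `IdentitySubscriptionGroup` inputs declare `"type": "string"` while their `Value` is a JSON array, so the declared type and the value shape disagree; if the loader honours `type` these need an array type, and if it does not, the field is misleading next to the other `source: powershell` inputs whose `Value` really is a string. The `MANAGEMENT_GROUP_ID` target under `Prefix` is the only target written with lowercase `name`/`destination` keys whereas every sibling uses `Name`/`Destination`; a case-sensitive consumer would silently skip it, so `{ "Name": "MANAGEMENT_GROUP_ID", "Destination": "Environment" }` keeps the file uniform. The key `DdosPretectionPlanId` is misspelled (`DdosProtectionPlanId`) and is cheapest to fix before anything references it. The `Hub (Hub-and-Spoke)` and `Hub (VWAN)` entries both carry `"order": 10`, presumably because `networkType` selects one of them, but nothing in the file records that, and `Process` values such as the one on `LogAnalyticsWorkspaceLocation` are PowerShell evaluated at run time, so this config deserves the same review ownership as the scripts it drives.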
diff --git a/accelerator/.config/ALZ-Powershell.config.json b/accelerator/.config/ALZ-Powershell.config.json
index 33ae37721..190d35579 100644
--- a/accelerator/.config/ALZ-Powershell.config.json
+++ b/accelerator/.config/ALZ-Powershell.config.json
@@ -1,128 +1,4 @@ { - "starter_modules": { - "complete": { - "location": ".", - "short_name": "Complete", - "description": "Complete Azure Landing Zones Deployment" - } - }, - "deployment_files": [ - { - "displayName": "Management Groups Deployment", - "templateFilePath": "./infra-as-code/bicep/modules/managementGroups/managementGroupsScopeEscape.bicep", - "templateParametersFilePath": "./config/custom-parameters/managementGroups.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json", - "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", - "deploymentType": "managementGroup", - "firstRunWhatIf": true, - "order": 1 - }, - { - "displayName": "Logging and Sentinel Resource Group Deployment", - "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", - "templateParametersFilePath": "./config/custom-parameters/resourceGroupLoggingAndSentinel.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", - "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", - "deploymentType": "subscription", - "firstRunWhatIf": true, - "order": 2 - }, - { - "displayName": "Logging and Sentinel Deployment", - "templateFilePath": "./infra-as-code/bicep/modules/logging/logging.bicep", - "templateParametersFilePath": "./config/custom-parameters/logging.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json", - "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", - "resourceGroupName": "LOGGING_RESOURCE_GROUP", - "deploymentType": "resourceGroup", - "firstRunWhatIf": false, - "order": 3 - }, - { - "displayName": "Custom Policy Definitions Deployment", - "templateFilePath": "./infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep", - "templateParametersFilePath": 
"./config/custom-parameters/customPolicyDefinitions.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json", - "managementGroupId": "MANAGEMENT_GROUP_ID", - "deploymentType": "managementGroup", - "firstRunWhatIf": true, - "order": 4 - }, - { - "displayName": "Custom Role Definitions Deployment", - "templateFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep", - "templateParametersFilePath": "./config/custom-parameters/customRoleDefinitions.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json", - "managementGroupId": "MANAGEMENT_GROUP_ID", - "deploymentType": "managementGroup", - "firstRunWhatIf": true, - "order": 5 - }, - { - "displayName": "Custom Management Group Diagnostic Settings", - "templateFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep", - "templateParametersFilePath": "./config/custom-parameters/mgDiagSettingsAll.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json", - "managementGroupId": "MANAGEMENT_GROUP_ID", - "deploymentType": "managementGroup", - "firstRunWhatIf": false, - "order": 6 - }, - { - "displayName": "Built-in and Custom Policy Assignments Deployment", - "templateFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep", - "templateParametersFilePath": "./config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json", - "managementGroupId": "MANAGEMENT_GROUP_ID", - "deploymentType": "managementGroup", - 
"firstRunWhatIf": false, - "order": 7 - }, - { - "displayName": "Deploy Subscription Placement", - "templateFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep", - "templateParametersFilePath": "./config/custom-parameters/subPlacementAll.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json", - "managementGroupId": "MANAGEMENT_GROUP_ID", - "deploymentType": "managementGroup", - "firstRunWhatIf": false, - "order": 8 - }, - { - "displayName": "Connectivity Resource Group Deployment", - "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", - "templateParametersFilePath": "./config/custom-parameters/resourceGroupConnectivity.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", - "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", - "deploymentType": "subscription", - "firstRunWhatIf": true, - "order": 9 - }, - { - "displayName": "Hub (Hub-and-Spoke) Deployment", - "templateFilePath": "./infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep", - "templateParametersFilePath": "./config/custom-parameters/hubNetworking.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json", - "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", - "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", - "networkType": "hubNetworking", - "deploymentType": "resourceGroup", - "firstRunWhatIf": false, - "order": 10 - }, - { - "displayName": "Hub (VWAN) Deployment", - "templateFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep", - "templateParametersFilePath": "./config/custom-parameters/vwanConnectivity.parameters.all.json", - "templateParametersSourceFilePath": 
"./infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json", - "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", - "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", - "networkType": "vwanConnectivity", - "deploymentType": "resourceGroup", - "firstRunWhatIf": false, - "order": 10 - } - ], "config_files": [ { "source": "infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json", @@ -383,11 +259,6 @@ { "name": "TOP_LEVEL_MG_PREFIX", "destination": "Environment" - }, - { - "name": "MANAGEMENT_GROUP_ID", - "destination": "Environment", - "required": true } ], "Value": "", @@ -417,8 +288,7 @@ }, { "Name": "LOCATION", - "Destination": "Environment", - "Required": true + "Destination": "Environment" } ], "AllowedValues": { @@ -514,26 +384,6 @@ "DefaultValue": "live", "Valid": "^[a-zA-Z0-9]{2,10}$" }, - "networkType": { - "Type": "UserInput", - "Description": "The type of networking to deploy. (e.g. 'hubNetworking', 'vwanConnectivity')", - "Value": "", - "DefaultValue": "hubNetworking", - "Targets": [ - { - "Name": "NETWORK_TYPE", - "Destination": "Environment", - "Required": true - } - ], - "AllowedValues": { - "Display": true, - "Values": [ - "hubNetworking", - "vwanConnectivity" - ] - } - }, "IdentitySubscriptionId": { "Type": "UserInput", "Description": "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')", @@ -541,8 +391,7 @@ "Targets": [ { "Name": "IDENTITY_SUBSCRIPTION_ID", - "Destination": "Environment", - "Required": true + "Destination": "Environment" } ], "Value": "" @@ -554,8 +403,7 @@ "Targets": [ { "Name": "CONNECTIVITY_SUBSCRIPTION_ID", - "Destination": "Environment", - "Required": true + "Destination": "Environment" } ], "Value": "" @@ -567,8 +415,7 @@ "Targets": [ { "Name": "MANAGEMENT_SUBSCRIPTION_ID", - "Destination": "Environment", - "Required": true + "Destination": "Environment" } ], "Value": "" 
@@ -812,8 +659,7 @@
 "Targets": [
 {
 "Name": "CONNECTIVITY_RESOURCE_GROUP",
- "Destination": "Environment",
- "Required": true
+ "Destination": "Environment"
 },
 {
 "File": "resourceGroupConnectivity.parameters.all.json",
@@ -828,8 +674,7 @@
 "Targets": [
 {
 "Name": "LOGGING_RESOURCE_GROUP",
- "Destination": "Environment",
- "Required": true
+ "Destination": "Environment"
 },
 {
 "File": "resourceGroupLoggingAndSentinel.parameters.all.json",
@@ -837,22 +682,6 @@
 "Destination": "Parameters"
 }
 ]
- },
- "RootParentManagementGroupId": {
- "Type": "Computed",
- "Value": "",
- "Targets": [
- {
- "Name": "ROOT_PARENT_MANAGEMENT_GROUP_ID",
- "Destination": "Environment",
- "Required": true
- },
- {
- "File": "managementGroups.parameters.all.json",
- "Name": "parTopLevelManagementGroupParentId.value",
- "Destination": "Parameters"
- }
- ]
 }
 }
 }
From 945af4c5f08174ad5f6fbe1d6ea6a3ab3380641c Mon Sep 17 00:00:00 2001
From: Jared Holgate
Date: Wed, 26 Jun 2024 19:46:45 +0100
Subject: [PATCH 08/33] Update for viable what if
---
accelerator/.config/ALZ-Powershell-Auto.config.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json
index 06aa88447..1979e1121 100644
--- a/accelerator/.config/ALZ-Powershell-Auto.config.json
+++ b/accelerator/.config/ALZ-Powershell-Auto.config.json
@@ -43,7 +43,7 @@
 "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json",
 "managementGroupId": "MANAGEMENT_GROUP_ID",
 "deploymentType": "managementGroup",
- "firstRunWhatIf": true,
+ "firstRunWhatIf": false,
 "order": 4
 },
 {
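Review bot: The reason `firstRunWhatIf` may safely be `false` for the custom policy definitions entry (`"order": 4`) is not recorded anywhere, and the same flip is made for the custom role definitions entry in the following `@@ -53` hunk. The commit title suggests the what-if preview is not viable on a first run for these management-group-scoped deployments, but JSON gives no place for that rationale, so it belongs in the commit description or in the documentation of the field. Nothing in the file defines what `firstRunWhatIf` means, so a one-line description of the field next to the code that reads it would help the next reader judge which entries may carry `false` without losing the preview they rely on.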
@@ -53,7 +53,7 @@
 "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json",
 "managementGroupId": "MANAGEMENT_GROUP_ID",
 "deploymentType": "managementGroup",
- "firstRunWhatIf": true,
+ "firstRunWhatIf": false,
 "order": 5
 },
 {
From cec74ad1151d8100ce4e7415df64015807c34113 Mon Sep 17 00:00:00 2001
From: Jared Holgate
Date: Fri, 28 Jun 2024 17:20:11 +0100
Subject: [PATCH 09/33] Add destroy script
---
.../.config/ALZ-Powershell-Auto.config.json | 1 +
accelerator/scripts/destroy-landing-zone.ps1 | 187 ++++++++++++++++++
2 files changed, 188 insertions(+)
create mode 100644 accelerator/scripts/destroy-landing-zone.ps1
diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json
index 1979e1121..58c809415 100644
--- a/accelerator/.config/ALZ-Powershell-Auto.config.json
+++ b/accelerator/.config/ALZ-Powershell-Auto.config.json
@@ -4,6 +4,7 @@
 "location": ".",
 "short_name": "Complete",
 "description": "Complete Azure Landing Zones Deployment",
+ "destroy_script_path": "accelerator/scripts/destroy-landing-zone.ps1",
 "deployment_files": [
 {
 "displayName": "Management Groups Deployment",
diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1
new file mode 100644
index 000000000..d01c72c58
--- /dev/null
+++ b/accelerator/scripts/destroy-landing-zone.ps1
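Review bot: `destroy_script_path` is the only path in this file written relative to the repository root (`accelerator/scripts/...`), while every `templateFilePath` and `templateParametersFilePath` is written `./...` relative to the starter module's `"location": "."`; unless the loader resolves this key differently, it should be `"destroy_script_path": "./scripts/destroy-landing-zone.ps1"` or the differing convention should be stated where the key is documented. Because the referenced script deletes the landing zone, path resolution should be unambiguous so that a wrong working directory yields a clear file-not-found error rather than a silent skip.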
@@ -0,0 +1,187 @@ +## This script is derived from the original by Jack Tracey, which you can find here: https://github.com/jtracey93/PublicScripts/blob/master/Azure/PowerShell/Enterprise-scale/Wipe-ESLZAzTenant.ps1 + +$whatIf = [System.Convert]::ToBoolean("$${{ parameters.whatIfEnabled }}") +if($whatIf) { + Write-Warning "The deploy stage of this run will delete all aspects of your landing zone. This includes all resources in your platform subscriptions. Please ensure you have a backup of any data you wish to keep." + Write-Warning "DANGER! DO NOT APPROVE THIS RUN UNLESS YOU ARE CERTAIN YOU WANT TO DELETE EVERYTHING." + exit 0 +} + +$tenantRootGroupID = $env:ROOT_PARENT_MANAGEMENT_GROUP_ID +if ($tenantRootGroupID -eq "") { + $tenantRootGroupID = (Get-AzContext).Tenant.TenantId +} +$intermediateRootGroupID = $env:MANAGEMENT_GROUP_ID +$resetMdfcTierOnSubs = $true + +## Orphaned Role Assignements Function +function Invoke-RemoveOrphanedRoleAssignment { + [CmdletBinding(SupportsShouldProcess)] + param ( + [Parameter()][String[]]$SubscriptionId + ) + + $originalCtx = Get-AzContext + + $WhatIfPrefix = "" + if ($WhatIfPreference) { + $WhatIfPrefix = "What if: " + } + + # Get the latest stable API version + $roleAssignmentsApiVersions = ((Get-AzResourceProvider -ProviderNamespace Microsoft.Authorization).ResourceTypes | Where-Object ResourceTypeName -eq roleAssignments).ApiVersions + $latestRoleAssignmentsApiVersions = $roleAssignmentsApiVersions | Where-Object {$_ -notlike '*-preview'} | Sort-Object -Descending | Select-Object -First 1 + Write-Information "Using Role Assignments API Version : $($latestRoleAssignmentsApiVersions)" -InformationAction Continue + + foreach ($subId in $SubscriptionId) { + + # Use Rest API to ensure correct permissions are assigned when looking up + # whether identity exists, otherwise Get-AzRoleAssignment will always + # return `objectType : "unknown"` for all assignments with no errors. 
+ + # Get Role Assignments + $getRequestPath = "/subscriptions/$($subId)/providers/Microsoft.Authorization/roleAssignments?api-version=$($latestRoleAssignmentsApiVersions)" + $getResponse = Invoke-AzRestMethod -Method "GET" -Path $getRequestPath + $roleAssignments = ($getResponse.Content | ConvertFrom-Json).value + + # Check for valid response + if ($getResponse.StatusCode -ne "200") { + throw $getResponse.Content + } + try { + # If invalid response, $roleAssignments will be null and throw an error + $roleAssignments.GetType() | Out-Null + } + catch { + throw $getResponse.Content + } + + # Get a list of assigned principalId values and lookup against AAD + $principalsRequestUri = "https://graph.microsoft.com/v1.0/directoryObjects/microsoft.graph.getByIds" + $principalsRequestBody = @{ + ids = $roleAssignments.properties.principalId + } | ConvertTo-Json -Depth 10 + $principalsResponse = Invoke-AzRestMethod -Method "POST" -Uri $principalsRequestUri -Payload $principalsRequestBody -WhatIf:$false + $principalIds = ($principalsResponse.Content | ConvertFrom-Json).value.id + + # Find all Role Assignments where the principalId is not found in AAD + $orphanedRoleAssignments = $roleAssignments | Where-Object { + ($_.properties.scope -eq "/subscriptions/$($subId)") -and + ($_.properties.principalId -notin $principalIds) + } + + # Delete orphaned Role Assignments + Write-Information "$($WhatIfPrefix)Deleting [$($orphanedRoleAssignments.Length)] orphaned Role Assignments for Subscription [$($subId)]" -InformationAction Continue + $orphanedRoleAssignments | ForEach-Object { + if ($PSCmdlet.ShouldProcess("$($_.id)", "Remove-AzRoleAssignment")) { + $deleteRequestPath = "$($_.id)?api-version=$($latestRoleAssignmentsApiVersions)" + $deleteResponse = Invoke-AzRestMethod -Method "DELETE" -Path $deleteRequestPath + # Check for valid response + if ($deleteResponse.StatusCode -ne "200") { + throw $deleteResponse.Content + } + } + } + } + Set-AzContext $originalCtx -WhatIf:$false | 
Out-Null +} + +#Toggle to stop warnings with regards to DisplayName and DisplayId +Set-Item Env:\SuppressAzurePowerShellBreakingChangeWarnings "true" + +# Start timer +$StopWatch = New-Object -TypeName System.Diagnostics.Stopwatch +$StopWatch.Start() + +# Get all Subscriptions that are in the Intermediate Root Management Group's hierarchy tree +$intermediateRootGroupChildSubscriptions = Search-AzGraph -Query "resourcecontainers | where type =~ 'microsoft.resources/subscriptions' | mv-expand mgmtGroups=properties.managementGroupAncestorsChain | where mgmtGroups.name =~ '$intermediateRootGroupID' | project subName=name, subID=subscriptionId, subState=properties.state, aadTenantID=tenantId, mgID=mgmtGroups.name, mgDisplayName=mgmtGroups.displayName" + +Write-Host "Moving all subscriptions under root management group" -ForegroundColor Yellow + +# For each Subscription in Intermediate Root Management Group's hierarchy tree, move it to the Tenant Root Management Group +$intermediateRootGroupChildSubscriptions | ForEach-Object -Parallel { + # The name 'Tenant Root Group' doesn't work. 
Instead, use the GUID of your Tenant Root Group + if ($_.subState -ne "Disabled") { + Write-Host "Moving Subscription: '$($_.subName)' under Tenant Root Management Group: '$($using:tenantRootGroupID)'" -ForegroundColor Cyan + New-AzManagementGroupSubscription -GroupId $using:tenantRootGroupID -SubscriptionId $_.subID | Out-Null + } +} + +# For each Subscription in the Intermediate Root Management Group's hierarchy tree, remove all Resources, Resource Groups and Deployments +Write-Host "Removing all Azure Resources, Resource Groups and Deployments from Subscriptions in scope" -ForegroundColor Yellow + +ForEach ($subscription in $intermediateRootGroupChildSubscriptions) { + Write-Host "Set context to Subscription: '$($subscription.subName)'" -ForegroundColor Cyan + Set-AzContext -Subscription $subscription.subID | Out-Null + + # Get all Resource Groups in Subscription + $resources = Get-AzResourceGroup + + $resources | ForEach-Object -Parallel { + Write-Host "Deleting " $_.ResourceGroupName "..." -ForegroundColor Red + Remove-AzResourceGroup -Name $_.ResourceGroupName -Force | Out-Null + } + + # Get Deployments for Subscription + $subDeployments = Get-AzSubscriptionDeployment + + Write-Host "Removing All Subscription Deployments for: $($subscription.subName)" -ForegroundColor Yellow + + # For each Subscription level deployment, remove it + $subDeployments | ForEach-Object -Parallel { + Write-Host "Removing $($_.DeploymentName) ..." 
-ForegroundColor Red + Remove-AzSubscriptionDeployment -Id $_.Id | Out-Null + } + + # Set MDFC tier to Free for each Subscription + if ($resetMdfcTierOnSubs) { + Write-Host "Resetting MDFC tier to Free for Subscription: $($subscription.subName)" -ForegroundColor Yellow + + $currentMdfcForSubUnfiltered = Get-AzSecurityPricing + $currentMdfcForSub = $currentMdfcForSubUnfiltered | Where-Object { $_.PricingTier -ne "Free" } + + ForEach ($mdfcPricingTier in $currentMdfcForSub) { + Write-Host "Resetting $($mdfcPricingTier.Name) to Free MDFC Pricing Tier for Subscription: $($subscription.subName)" -ForegroundColor Yellow + + Set-AzSecurityPricing -Name $mdfcPricingTier.Name -PricingTier 'Free' | Out-Null + } + } +} + +# This function only deletes Management Groups in the Intermediate Root Management Group's hierarchy tree and will NOT delete other Intermediate Root level Management Groups and their children e.g. in the case of "canary" +function Remove-Recursively($name) { + # Enters the parent Level + Write-Host "Entering the scope with $name" -ForegroundColor Green + $parent = Get-AzManagementGroup -GroupId $name -Expand -Recurse + + # Checks if there is any parent level + if ($null -ne $parent.Children) { + Write-Host "Found the following Children :" -ForegroundColor Yellow + Write-host ($parent.Children | Select-Object Name).Name -ForegroundColor White + + foreach ($children in $parent.Children) { + # Tries to recur to each child item + Remove-Recursively($children.Name) + } + } + + # If no children are found at each scope + Write-Host "No children found in scope $name" -ForegroundColor Yellow + Write-Host "Removing the scope $name" -ForegroundColor Red + + Remove-AzManagementGroup -InputObject $parent | Out-Null +} + +# Remove all the Management Groups in Intermediate Root Management Group's hierarchy tree, including itself +Remove-Recursively($intermediateRootGroupID) + +# Remove orphaned/identity not found RBAC role assignments from each subscription +Write-Host 
"Removing Oprhaned/Identity Not Found Role Assignments for all subscriptions: $($intermediateRootGroupChildSubscriptions.subID)" -ForegroundColor Yellow +Invoke-RemoveOrphanedRoleAssignment -SubscriptionId $intermediateRootGroupChildSubscriptions.subID + +# Stop timer +$StopWatch.Stop() + +# Display timer output as table +Write-Host "Time taken to complete task:" -ForegroundColor Yellow +$StopWatch.Elapsed | Format-Table \ No newline at end of file From 681326a6aa2a768778a3f376b07bb37534e8112c Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Fri, 28 Jun 2024 18:22:00 +0100 Subject: [PATCH 10/33] Fix script --- accelerator/scripts/destroy-landing-zone.ps1 | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1 index d01c72c58..096105fe1 100644 --- a/accelerator/scripts/destroy-landing-zone.ps1 +++ b/accelerator/scripts/destroy-landing-zone.ps1 
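Review bot: The Microsoft Graph `getByIds` response in Invoke-RemoveOrphanedRoleAssignment is never status-checked, unlike the ARM GET and DELETE calls around it, so a 401/403 (pipeline identity without directory read permission) or a throttling response leaves `$principalIds` empty, and the `-notin $principalIds` filter then classifies every subscription-scope role assignment as orphaned and deletes it. Add `if ($principalsResponse.StatusCode -ne "200") { throw $principalsResponse.Content }` directly after the POST, and consider refusing to delete anything when `$principalIds` is empty while `$roleAssignments` is not. As far as I can tell `-notin` against a `$null` right-hand side is true for every element, which is what makes this failure silent rather than noisy. Separately, `$tenantRootGroupID -eq ""` does not match an unset variable (`$env:ROOT_PARENT_MANAGEMENT_GROUP_ID` is `$null`, not `""`), so the fallback to the tenant ID never fires; `[string]::IsNullOrEmpty($tenantRootGroupID)` is the intended test.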
@@ -1,17 +1,20 @@ ## This script is derived from the original by Jack Tracey, which you can find here: https://github.com/jtracey93/PublicScripts/blob/master/Azure/PowerShell/Enterprise-scale/Wipe-ESLZAzTenant.ps1 -$whatIf = [System.Convert]::ToBoolean("$${{ parameters.whatIfEnabled }}") -if($whatIf) { +param ( + [bool]$whatIfEnabled = $true, + [string]$intermediateRootGroupID = $env:MANAGEMENT_GROUP_ID, + [string]$tenantRootGroupID = $env:ROOT_PARENT_MANAGEMENT_GROUP_ID +) + +if($whatIfEnabled) { Write-Warning "The deploy stage of this run will delete all aspects of your landing zone. This includes all resources in your platform subscriptions. Please ensure you have a backup of any data you wish to keep." Write-Warning "DANGER! DO NOT APPROVE THIS RUN UNLESS YOU ARE CERTAIN YOU WANT TO DELETE EVERYTHING." exit 0 } -$tenantRootGroupID = $env:ROOT_PARENT_MANAGEMENT_GROUP_ID if ($tenantRootGroupID -eq "") { $tenantRootGroupID = (Get-AzContext).Tenant.TenantId } -$intermediateRootGroupID = $env:MANAGEMENT_GROUP_ID $resetMdfcTierOnSubs = $true ## Orphaned Role Assignements Function From 048dbe102a5dd0eec39eb5d0b6643235501be2c5 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 1 Jul 2024 08:49:45 +0100 Subject: [PATCH 11/33] Idempotent script --- accelerator/scripts/destroy-landing-zone.ps1 | 22 ++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1 index 096105fe1..dcd31c2e2 100644 --- a/accelerator/scripts/destroy-landing-zone.ps1 +++ b/accelerator/scripts/destroy-landing-zone.ps1 
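Review bot: The new `param` block accepts an empty or arbitrary `$intermediateRootGroupID` with no validation, and nothing after the what-if gate confirms the value before the script starts moving subscriptions and deleting every resource group beneath that management group. Because the Resource Graph filter further down the file (`mgmtGroups.name =~ '$intermediateRootGroupID'`) matches any ancestor in the chain, supplying the tenant root group's ID (the tenant ID) would put every subscription in the tenant in scope. Add `[ValidateNotNullOrEmpty()]` to `$intermediateRootGroupID` and a guard such as `if ($intermediateRootGroupID -eq (Get-AzContext).Tenant.TenantId) { throw "Refusing to destroy from the tenant root group" }` before `$resetMdfcTierOnSubs`. Also, a `[bool]` parameter rejects a string argument such as `"false"` from a pipeline variable with a binding error rather than coercing it — acceptable, but it means a mis-typed caller aborts before the safety warning is ever printed, so confirm how the caller passes it.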
@@ -175,16 +175,26 @@ function Remove-Recursively($name) { Remove-AzManagementGroup -InputObject $parent | Out-Null } -# Remove all the Management Groups in Intermediate Root Management Group's hierarchy tree, including itself -Remove-Recursively($intermediateRootGroupID) +# Check if Management Group exists for idempotency +$managementGroups = Get-AzManagementGroup +$managementGroup = $managementGroups | Where-Object { $_.Name -eq $intermediateRootGroupID } + +if($null -eq $managementGroup) { + Write-Host "Management Group with ID: '$intermediateRootGroupID' does not exist." -ForegroundColor Yellow +} else { + Write-Host "Management Group with ID: '$intermediateRootGroupID' exists. Proceeding with deletion." -ForegroundColor Yellow + + # Remove all the Management Groups in Intermediate Root Management Group's hierarchy tree, including itself + Remove-Recursively($intermediateRootGroupID) -# Remove orphaned/identity not found RBAC role assignments from each subscription -Write-Host "Removing Oprhaned/Identity Not Found Role Assignments for all subscriptions: $($intermediateRootGroupChildSubscriptions.subID)" -ForegroundColor Yellow -Invoke-RemoveOrphanedRoleAssignment -SubscriptionId $intermediateRootGroupChildSubscriptions.subID + # Remove orphaned/identity not found RBAC role assignments from each subscription + Write-Host "Removing Oprhaned/Identity Not Found Role Assignments for all subscriptions: $($intermediateRootGroupChildSubscriptions.subID)" -ForegroundColor Yellow + Invoke-RemoveOrphanedRoleAssignment -SubscriptionId $intermediateRootGroupChildSubscriptions.subID +} # Stop timer $StopWatch.Stop() # Display timer output as table Write-Host "Time taken to complete task:" -ForegroundColor Yellow -$StopWatch.Elapsed | Format-Table \ No newline at end of file +$StopWatch.Elapsed | Format-Table From bb4dc6213d9d8fa6859986400764a19409bfa6f4 Mon Sep 17 00:00:00 2001 
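Review bot: The idempotency check matches `$intermediateRootGroupID` against the full `Get-AzManagementGroup` listing, which as far as I can tell also includes the tenant root group, so it does not reject the one value that would take every subscription in the tenant into scope; it also enumerates every management group the caller can see just to test one. A targeted lookup is cheaper and makes the exclusion explicit: `$managementGroup = Get-AzManagementGroup -GroupId $intermediateRootGroupID -ErrorAction SilentlyContinue` followed by `if ($managementGroup -and $managementGroup.Name -eq (Get-AzContext).Tenant.TenantId) { throw "Refusing to destroy the tenant root group hierarchy" }`. Note that the subscription moves, resource-group deletions and MDFC reset earlier in the file still run before this check; they are presumably no-ops when the Resource Graph query returns nothing, but that safety comes from the query rather than from this guard.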
From: Jared Holgate Date: Tue, 2 Jul 2024 23:19:21 +0100 Subject: [PATCH 12/33] Add groups to config file --- .../.config/ALZ-Powershell-Auto.config.json | 86 ++++++++++++++++--- 1 file changed, 75 insertions(+), 11 deletions(-) diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json index 58c809415..22fbd426b 100644 --- a/accelerator/.config/ALZ-Powershell-Auto.config.json +++ b/accelerator/.config/ALZ-Powershell-Auto.config.json @@ -5,8 +5,51 @@ "short_name": "Complete", "description": "Complete Azure Landing Zones Deployment", "destroy_script_path": "accelerator/scripts/destroy-landing-zone.ps1", + "deployment_file_groups" : [ + { + "name": "management_groups", + "displayName": "Management Groups", + "order": 1 + }, + { + "name": "logging_and_sentinel", + "displayName": "Logging and Sentinel", + "order": 2 + }, + { + "name": "policy_definitions", + "displayName": "Policy Definitions", + "order": 3 + }, + { + "name": "role_definitions", + "displayName": "Role Definitions", + "order": 4 + }, + { + "name": "policy_assignments", + "displayName": "Policy Assignments", + "order": 5 + }, + { + "name": "management_group_diagnostic_settings", + "displayName": "Management Group Diagnostic Settings", + "order": 6 + }, + { + "name": "subscription_placement", + "displayName": "Subscription Placement", + "order": 7 + }, + { + "name": "connectivity", + "displayName": "Connectivity", + "order": 8 + } + ], "deployment_files": [ { + "name": "management_groups", "displayName": "Management Groups Deployment", "templateFilePath": "./infra-as-code/bicep/modules/managementGroups/managementGroupsScopeEscape.bicep", "templateParametersFilePath": "./config/custom-parameters/managementGroups.parameters.all.json", 
@@ -14,9 +57,11 @@ "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": true, - "order": 1 + "order": 1, + "group": "management_groups" }, { + "name": "logging_and_sentinel_resource_group", "displayName": "Logging and Sentinel Resource Group Deployment", "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", "templateParametersFilePath": "./config/custom-parameters/resourceGroupLoggingAndSentinel.parameters.all.json", @@ -24,9 +69,11 @@ "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", "deploymentType": "subscription", "firstRunWhatIf": true, - "order": 2 + "order": 2, + "group": "logging_and_sentinel" }, { + "name": "logging_and_sentinel", "displayName": "Logging and Sentinel Deployment", "templateFilePath": "./infra-as-code/bicep/modules/logging/logging.bicep", "templateParametersFilePath": "./config/custom-parameters/logging.parameters.all.json", @@ -35,9 +82,11 @@ "resourceGroupName": "LOGGING_RESOURCE_GROUP", "deploymentType": "resourceGroup", "firstRunWhatIf": false, - "order": 3 + "order": 3, + "group": "logging_and_sentinel" }, { + "name": "custom_policy_definitions", "displayName": "Custom Policy Definitions Deployment", "templateFilePath": "./infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep", "templateParametersFilePath": "./config/custom-parameters/customPolicyDefinitions.parameters.all.json", @@ -45,9 +94,11 @@ "managementGroupId": "MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": false, - "order": 4 + "order": 4, + "group": "policy_definitions" }, { + "name": "custom_role_definitions", "displayName": "Custom Role Definitions Deployment", "templateFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep", "templateParametersFilePath": "./config/custom-parameters/customRoleDefinitions.parameters.all.json", 
@@ -55,9 +106,11 @@ "managementGroupId": "MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": false, - "order": 5 + "order": 5, + "group": "role_definitions" }, { + "name": "management_group_diagnostic_settings", "displayName": "Custom Management Group Diagnostic Settings", "templateFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep", "templateParametersFilePath": "./config/custom-parameters/mgDiagSettingsAll.parameters.all.json", @@ -65,9 +118,11 @@ "managementGroupId": "MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": false, - "order": 6 + "order": 6, + "group": "management_group_diagnostic_settings" }, { + "name": "policy_assignments", "displayName": "Built-in and Custom Policy Assignments Deployment", "templateFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep", "templateParametersFilePath": "./config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json", @@ -75,9 +130,11 @@ "managementGroupId": "MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": false, - "order": 7 + "order": 7, + "group": "policy_assignments" }, { + "name": "subscription_placement", "displayName": "Deploy Subscription Placement", "templateFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep", "templateParametersFilePath": "./config/custom-parameters/subPlacementAll.parameters.all.json", @@ -85,9 +142,11 @@ "managementGroupId": "MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": false, - "order": 8 + "order": 8, + "group": "subscription_placement" }, { + "name": "connectivity_resource_group", "displayName": "Connectivity Resource Group Deployment", "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", "templateParametersFilePath": "./config/custom-parameters/resourceGroupConnectivity.parameters.all.json", 
@@ -95,9 +154,11 @@ "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", "deploymentType": "subscription", "firstRunWhatIf": true, - "order": 9 + "order": 9, + "group": "connectivity" }, { + "name": "hub_and_spoke", "displayName": "Hub (Hub-and-Spoke) Deployment", "templateFilePath": "./infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep", "templateParametersFilePath": "./config/custom-parameters/hubNetworking.parameters.all.json", @@ -107,9 +168,11 @@ "networkType": "hubNetworking", "deploymentType": "resourceGroup", "firstRunWhatIf": false, - "order": 10 + "order": 10, + "group": "connectivity" }, { + "name": "vwan", "displayName": "Hub (VWAN) Deployment", "templateFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep", "templateParametersFilePath": "./config/custom-parameters/vwanConnectivity.parameters.all.json", @@ -119,7 +182,8 @@ "networkType": "vwanConnectivity", "deploymentType": "resourceGroup", "firstRunWhatIf": false, - "order": 10 + "order": 10, + "group": "connectivity" } ], "inputs": { From d4b6a8544d08c5d37f84734edf0e22466059927b Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 8 Jul 2024 10:26:35 +0100 Subject: [PATCH 13/33] Add test starter module --- .../.config/ALZ-Powershell-Auto.config.json | 208 +++++++++++++++++- .../managementGroups/managementGroup.bicep | 35 +++ .../managementGroups.parameters.all.json | 18 ++ 3 files changed, 254 insertions(+), 7 deletions(-) create mode 100644 accelerator/test_modules/managementGroups/managementGroup.bicep create mode 100644 accelerator/test_modules/managementGroups/parameters/managementGroups.parameters.all.json diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json index 22fbd426b..fbdeecbd7 100644 --- a/accelerator/.config/ALZ-Powershell-Auto.config.json +++ b/accelerator/.config/ALZ-Powershell-Auto.config.json 
@@ -162,7 +162,7 @@ "displayName": "Hub (Hub-and-Spoke) Deployment", "templateFilePath": "./infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep", "templateParametersFilePath": "./config/custom-parameters/hubNetworking.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.all.json", "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", "networkType": "hubNetworking", @@ -176,7 +176,7 @@ "displayName": "Hub (VWAN) Deployment", "templateFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep", "templateParametersFilePath": "./config/custom-parameters/vwanConnectivity.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.az.all.json", "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", "resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP", "networkType": "vwanConnectivity", 
@@ -606,20 +606,166 @@ "test": { "location": ".", "short_name": "Test", - "description": "Test Deployment used to e2e tests", + "description": "Test Azure Landing Zones Deployment for e2e testing", + "destroy_script_path": "accelerator/scripts/destroy-landing-zone.ps1", + "deployment_file_groups" : [ + { + "name": "management_groups", + "displayName": "Management Groups", + "order": 1 + }, + { + "name": "resource_groups", + "displayName": "Resource Groups", + "order": 2 + } + ], "deployment_files": [ { + "name": "management_groups", "displayName": "Management Groups Deployment", - "templateFilePath": "./infra-as-code/bicep/modules/managementGroups/managementGroupsScopeEscape.bicep", + "templateFilePath": "./accelerator/test_modules/managementGroups/managementGroups.bicep", "templateParametersFilePath": "./config/custom-parameters/managementGroups.parameters.all.json", - "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json", + "templateParametersSourceFilePath": "./accelerator/test_modules/managementGroups/parameters/managementGroups.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": true, - "order": 1 + "order": 1, + "group": "management_groups" + }, + { + "name": "management_resource_group", + "displayName": "Management Resource Group Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/resourceGroupManagement.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", + "subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID", + "deploymentType": "subscription", + "firstRunWhatIf": true, + "order": 2, + "group": "resource_groups" + }, + { + "name": "connectivity_resource_group", + "displayName": "Connectivity Resource 
Group Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/resourceGroupConnectivity.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", + "subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID", + "deploymentType": "subscription", + "firstRunWhatIf": true, + "order": 3, + "group": "resource_groups" + }, + { + "name": "identity_resource_group", + "displayName": "Identity Resource Group Deployment", + "templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/resourceGroupIdentity.parameters.all.json", + "templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json", + "subscriptionId": "IDENTITY_SUBSCRIPTION_ID", + "deploymentType": "subscription", + "firstRunWhatIf": true, + "order": 3, + "group": "resource_groups" } ], - "inputs" : { + "inputs": { + "Prefix": { + "source": "input", + "type": "string", + "description": "The prefix that will be added to all resources created by this deployment. (e.g. 'alz')", + "Targets": [ + { + "Name": "parTopLevelManagementGroupPrefix.value", + "Destination": "Parameters" + }, + { + "name": "MANAGEMENT_GROUP_ID", + "destination": "Environment" + } + ], + "default": "alz", + "validation": "azure_name" + }, + "Location": { + "source": "input", + "type": "string", + "description": "Deployment location. (e.g. 'uksouth')", + "Targets": [ + { + "Name": "parLocation.value", + "Destination": "Parameters" + }, + { + "Name": "LOCATION", + "Destination": "Environment" + } + ], + "validation": "azure_location" + }, + "Environment": { + "source": "input", + "type": "string", + "description": "The Type of environment that will be created. (e.g. 
'live', 'canary')", + "Targets": [ + { + "Name": "parTags.value.Environment", + "Destination": "Parameters" + } + ], + "default": "live", + "validation": "azure_name_section" + }, + "networkType": { + "source": "input", + "type": "string", + "description": "The type of networking to deploy. (e.g. 'hubNetworking', 'vwanConnectivity')", + "default": "hubNetworking", + "Targets": [ + { + "Name": "NETWORK_TYPE", + "Destination": "Environment" + } + ], + "validation": "network_type" + }, + "IdentitySubscriptionId": { + "source": "input", + "type": "string", + "description": "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')", + "validation": "azure_subscription_id", + "Targets": [ + { + "Name": "IDENTITY_SUBSCRIPTION_ID", + "Destination": "Environment" + } + ] + }, + "ConnectivitySubscriptionId": { + "source": "input", + "type": "string", + "description": "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')", + "validation": "azure_subscription_id", + "Targets": [ + { + "Name": "CONNECTIVITY_SUBSCRIPTION_ID", + "Destination": "Environment" + } + ] + }, + "ManagementSubscriptionId": { + "source": "input", + "type": "string", + "description": "The identifier of the Management Subscription. (e.g 00000000-0000-0000-0000-000000000000)", + "validation": "azure_subscription_id", + "Targets": [ + { + "Name": "MANAGEMENT_SUBSCRIPTION_ID", + "Destination": "Environment" + } + ] + }, "RootParentManagementGroupId": { "source": "powershell", "type": "string", 
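Review bot: The test starter's management groups deployment sets `templateFilePath` to `./accelerator/test_modules/managementGroups/managementGroups.bicep`, but the file this commit adds is `accelerator/test_modules/managementGroups/managementGroup.bicep` (singular, per the `create mode` line and the `diff --git` header), so the deployment will not find its template unless something else renames it. Separately, the `Prefix` input's second target uses lowercase `name`/`destination` keys while every other target in this file uses `Name`/`Destination`; PowerShell property access is case-insensitive so it may happen to work, but a strict consumer would skip it and `MANAGEMENT_GROUP_ID` — the value the destroy script deletes — would be left unset. Use `{ "Name": "MANAGEMENT_GROUP_ID", "Destination": "Environment" }` to match the rest of the file.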
@@ -635,6 +781,54 @@ "Destination": "Parameters" } ] + }, + "ConnectivityResourceGroupName": { + "source": "powershell", + "type": "string", + "Value": "rg-{%Prefix%}-connectivity", + "Targets": [ + { + "Name": "CONNECTIVITY_RESOURCE_GROUP", + "Destination": "Environment" + }, + { + "File": "resourceGroupConnectivity.parameters.all.json", + "Name": "parResourceGroupName.value", + "Destination": "Parameters" + } + ] + }, + "ManagementResourceGroupName": { + "source": "powershell", + "type": "string", + "Value": "rg-{%Prefix%}-management", + "Targets": [ + { + "Name": "MANAGEMENT_RESOURCE_GROUP", + "Destination": "Environment" + }, + { + "File": "resourceGroupManagement.parameters.all.json", + "Name": "parResourceGroupName.value", + "Destination": "Parameters" + } + ] + }, + "IdentityResourceGroupName": { + "source": "powershell", + "type": "string", + "Value": "rg-{%Prefix%}-identity", + "Targets": [ + { + "Name": "IDENTITY_RESOURCE_GROUP", + "Destination": "Environment" + }, + { + "File": "resourceGroupIdentity.parameters.all.json", + "Name": "parResourceGroupName.value", + "Destination": "Parameters" + } + ] } } } diff --git a/accelerator/test_modules/managementGroups/managementGroup.bicep b/accelerator/test_modules/managementGroups/managementGroup.bicep new file mode 100644 index 000000000..4417d1eca --- /dev/null +++ b/accelerator/test_modules/managementGroups/managementGroup.bicep 
@@ -0,0 +1,35 @@ +targetScope = 'managementGroup' + +metadata name = 'ALZ Bicep - Management Groups Module with Scope Escape' +metadata description = 'ALZ Bicep Module to set up Management Group structure, using Scope Escaping feature of ARM to allow deployment not requiring tenant root scope access.' + +@sys.description('Prefix used for the management group hierarchy. This management group will be created as part of the deployment.') +@minLength(2) +@maxLength(10) +param parTopLevelManagementGroupPrefix string = 'alz' + +@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix') +@maxLength(10) +param parTopLevelManagementGroupSuffix string = '' + +@sys.description('Display name for top level management group. This name will be applied to the management group prefix defined in parTopLevelManagementGroupPrefix parameter.') +@minLength(2) +param parTopLevelManagementGroupDisplayName string = 'Azure Landing Zones' + +@sys.description('Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty, default, will deploy beneath Tenant Root Management Group.') +param parTopLevelManagementGroupParentId string = '' + +resource resTopLevelMg 'Microsoft.Management/managementGroups@2023-04-01' = { + name: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}' + properties: { + displayName: parTopLevelManagementGroupDisplayName + details: { + parent: { + id: empty(parTopLevelManagementGroupParentId) ? '/providers/Microsoft.Management/managementGroups/${tenant().tenantId}' : contains(toLower(parTopLevelManagementGroupParentId), toLower('/providers/Microsoft.Management/managementGroups/')) ? 
parTopLevelManagementGroupParentId : '/providers/Microsoft.Management/managementGroups/${parTopLevelManagementGroupParentId}' + } + } + } +} + +// Output Management Group IDs +output outTopLevelManagementGroupId string = resTopLevelMg.id diff --git a/accelerator/test_modules/managementGroups/parameters/managementGroups.parameters.all.json b/accelerator/test_modules/managementGroups/parameters/managementGroups.parameters.all.json new file mode 100644 index 000000000..b8d621174 --- /dev/null +++ b/accelerator/test_modules/managementGroups/parameters/managementGroups.parameters.all.json @@ -0,0 +1,18 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "parTopLevelManagementGroupPrefix": { + "value": "alz" + }, + "parTopLevelManagementGroupSuffix": { + "value": "" + }, + "parTopLevelManagementGroupDisplayName": { + "value": "Azure Landing Zones" + }, + "parTopLevelManagementGroupParentId": { + "value": "" + } + } +} From 06af85a6d5e7c1c8256db1f53c319fcaca9db514 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 8 Jul 2024 11:02:19 +0100 Subject: [PATCH 14/33] Simplify destroy script --- accelerator/scripts/destroy-landing-zone.ps1 | 76 -------------------- 1 file changed, 76 deletions(-) diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1 index dcd31c2e2..2ce4c2692 100644 --- a/accelerator/scripts/destroy-landing-zone.ps1 +++ b/accelerator/scripts/destroy-landing-zone.ps1 
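Review bot: The parent-ID normalisation in `resTopLevelMg` uses `contains()` on the lower-cased value, which is a substring test, so any string that merely includes `/providers/Microsoft.Management/managementGroups/` (a full resource ID under some other scope, or a value with a stray prefix) is passed through unchanged and the deployment fails with an opaque error. `startsWith(toLower(parTopLevelManagementGroupParentId), '/providers/microsoft.management/managementgroups/')` expresses the intent and rejects the odd cases. Also, the file's `metadata name` and `metadata description` are copied verbatim from the full ALZ scope-escape module; a one-line note that this is a reduced, test-only module creating just the top-level group would stop it being mistaken for the real one.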
@@ -17,78 +17,6 @@ if ($tenantRootGroupID -eq "") { } $resetMdfcTierOnSubs = $true -## Orphaned Role Assignements Function -function Invoke-RemoveOrphanedRoleAssignment { - [CmdletBinding(SupportsShouldProcess)] - param ( - [Parameter()][String[]]$SubscriptionId - ) - - $originalCtx = Get-AzContext - - $WhatIfPrefix = "" - if ($WhatIfPreference) { - $WhatIfPrefix = "What if: " - } - - # Get the latest stable API version - $roleAssignmentsApiVersions = ((Get-AzResourceProvider -ProviderNamespace Microsoft.Authorization).ResourceTypes | Where-Object ResourceTypeName -eq roleAssignments).ApiVersions - $latestRoleAssignmentsApiVersions = $roleAssignmentsApiVersions | Where-Object {$_ -notlike '*-preview'} | Sort-Object -Descending | Select-Object -First 1 - Write-Information "Using Role Assignments API Version : $($latestRoleAssignmentsApiVersions)" -InformationAction Continue - - foreach ($subId in $SubscriptionId) { - - # Use Rest API to ensure correct permissions are assigned when looking up - # whether identity exists, otherwise Get-AzRoleAssignment will always - # return `objectType : "unknown"` for all assignments with no errors. 
- - # Get Role Assignments - $getRequestPath = "/subscriptions/$($subId)/providers/Microsoft.Authorization/roleAssignments?api-version=$($latestRoleAssignmentsApiVersions)" - $getResponse = Invoke-AzRestMethod -Method "GET" -Path $getRequestPath - $roleAssignments = ($getResponse.Content | ConvertFrom-Json).value - - # Check for valid response - if ($getResponse.StatusCode -ne "200") { - throw $getResponse.Content - } - try { - # If invalid response, $roleAssignments will be null and throw an error - $roleAssignments.GetType() | Out-Null - } - catch { - throw $getResponse.Content - } - - # Get a list of assigned principalId values and lookup against AAD - $principalsRequestUri = "https://graph.microsoft.com/v1.0/directoryObjects/microsoft.graph.getByIds" - $principalsRequestBody = @{ - ids = $roleAssignments.properties.principalId - } | ConvertTo-Json -Depth 10 - $principalsResponse = Invoke-AzRestMethod -Method "POST" -Uri $principalsRequestUri -Payload $principalsRequestBody -WhatIf:$false - $principalIds = ($principalsResponse.Content | ConvertFrom-Json).value.id - - # Find all Role Assignments where the principalId is not found in AAD - $orphanedRoleAssignments = $roleAssignments | Where-Object { - ($_.properties.scope -eq "/subscriptions/$($subId)") -and - ($_.properties.principalId -notin $principalIds) - } - - # Delete orphaned Role Assignments - Write-Information "$($WhatIfPrefix)Deleting [$($orphanedRoleAssignments.Length)] orphaned Role Assignments for Subscription [$($subId)]" -InformationAction Continue - $orphanedRoleAssignments | ForEach-Object { - if ($PSCmdlet.ShouldProcess("$($_.id)", "Remove-AzRoleAssignment")) { - $deleteRequestPath = "$($_.id)?api-version=$($latestRoleAssignmentsApiVersions)" - $deleteResponse = Invoke-AzRestMethod -Method "DELETE" -Path $deleteRequestPath - # Check for valid response - if ($deleteResponse.StatusCode -ne "200") { - throw $deleteResponse.Content - } - } - } - } - Set-AzContext $originalCtx -WhatIf:$false | 
Out-Null -} - #Toggle to stop warnings with regards to DisplayName and DisplayId Set-Item Env:\SuppressAzurePowerShellBreakingChangeWarnings "true" @@ -186,10 +114,6 @@ if($null -eq $managementGroup) { # Remove all the Management Groups in Intermediate Root Management Group's hierarchy tree, including itself Remove-Recursively($intermediateRootGroupID) - - # Remove orphaned/identity not found RBAC role assignments from each subscription - Write-Host "Removing Oprhaned/Identity Not Found Role Assignments for all subscriptions: $($intermediateRootGroupChildSubscriptions.subID)" -ForegroundColor Yellow - Invoke-RemoveOrphanedRoleAssignment -SubscriptionId $intermediateRootGroupChildSubscriptions.subID } # Stop timer From a19dfd1341400528e58c36d78c527ef687a65ff7 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 8 Jul 2024 18:03:43 +0100 Subject: [PATCH 15/33] Add folders to retain into config --- .../.config/ALZ-Powershell-Auto.config.json | 32 ++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json index fbdeecbd7..b0e119282 100644 --- a/accelerator/.config/ALZ-Powershell-Auto.config.json +++ b/accelerator/.config/ALZ-Powershell-Auto.config.json @@ -5,6 +5,21 @@ "short_name": "Complete", "description": "Complete Azure Landing Zones Deployment", "destroy_script_path": "accelerator/scripts/destroy-landing-zone.ps1", + "folders_or_files_to_retain": [ + "accelerator", + "infra-as-code", + "version.json" + ], + "subfolders_or_files_to_remove" : [ + "media", + "samples", + "generateddocs", + ".azuredevops/pipelines", + ".github/workflows", + "pipeline-scripts", + "china", + "parameters" + ], "deployment_file_groups" : [ { "name": "management_groups", 
@@ -608,6 +623,21 @@ "short_name": "Test", "description": "Test Azure Landing Zones Deployment for e2e testing", "destroy_script_path": "accelerator/scripts/destroy-landing-zone.ps1", + "folders_or_files_to_retain": [ + "accelerator", + "infra-as-code/bicep/modules/resourceGroup", + "version.json" + ], + "subfolders_or_files_to_remove" : [ + "media", + "samples", + "generateddocs", + ".azuredevops/pipelines", + ".github/workflows", + "pipeline-scripts", + "china", + "parameters" + ], "deployment_file_groups" : [ { "name": "management_groups", @@ -666,7 +696,7 @@ "subscriptionId": "IDENTITY_SUBSCRIPTION_ID", "deploymentType": "subscription", "firstRunWhatIf": true, - "order": 3, + "order": 4, "group": "resource_groups" } ], From 378f956a7baf5d2bae3d2abec9fdcc28bfca8aa5 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Mon, 8 Jul 2024 19:24:43 +0100 Subject: [PATCH 16/33] Latest updates for test module --- .../.config/ALZ-Powershell-Auto.config.json | 15 +++-- accelerator/scripts/destroy-landing-zone.ps1 | 61 ++++++++++++++++--- .../managementGroup.bicep | 1 + .../managementGroup.parameters.all.json} | 0 4 files changed, 61 insertions(+), 16 deletions(-) rename accelerator/test_modules/{managementGroups => managementGroup}/managementGroup.bicep (99%) rename accelerator/test_modules/{managementGroups/parameters/managementGroups.parameters.all.json => managementGroup/parameters/managementGroup.parameters.all.json} (100%) diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json index b0e119282..28b2f3c8b 100644 --- a/accelerator/.config/ALZ-Powershell-Auto.config.json +++ b/accelerator/.config/ALZ-Powershell-Auto.config.json @@ -18,7 +18,8 @@ ".github/workflows", "pipeline-scripts", "china", - "parameters" + "parameters", + "README.md" ], "deployment_file_groups" : [ { 
@@ -626,6 +627,7 @@ "folders_or_files_to_retain": [ "accelerator", "infra-as-code/bicep/modules/resourceGroup", + "infra-as-code/bicep/CRML/customerUsageAttribution", "version.json" ], "subfolders_or_files_to_remove" : [ @@ -636,7 +638,8 @@ ".github/workflows", "pipeline-scripts", "china", - "parameters" + "parameters", + "README.md" ], "deployment_file_groups" : [ { @@ -654,9 +657,9 @@ { "name": "management_groups", "displayName": "Management Groups Deployment", - "templateFilePath": "./accelerator/test_modules/managementGroups/managementGroups.bicep", - "templateParametersFilePath": "./config/custom-parameters/managementGroups.parameters.all.json", - "templateParametersSourceFilePath": "./accelerator/test_modules/managementGroups/parameters/managementGroups.parameters.all.json", + "templateFilePath": "./accelerator/test_modules/managementGroup/managementGroup.bicep", + "templateParametersFilePath": "./config/custom-parameters/managementGroup.parameters.all.json", + "templateParametersSourceFilePath": "./accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json", "managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID", "deploymentType": "managementGroup", "firstRunWhatIf": true, @@ -806,7 +809,7 @@ "Destination": "Environment" }, { - "File": "managementGroups.parameters.all.json", + "File": "managementGroup.parameters.all.json", "Name": "parTopLevelManagementGroupParentId.value", "Destination": "Parameters" } diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1 index 2ce4c2692..487af8f80 100644 --- a/accelerator/scripts/destroy-landing-zone.ps1 +++ b/accelerator/scripts/destroy-landing-zone.ps1 
@@ -3,7 +3,10 @@ param ( [bool]$whatIfEnabled = $true, [string]$intermediateRootGroupID = $env:MANAGEMENT_GROUP_ID, - [string]$tenantRootGroupID = $env:ROOT_PARENT_MANAGEMENT_GROUP_ID + [string]$tenantRootGroupID = $env:ROOT_PARENT_MANAGEMENT_GROUP_ID, + [string]$connectivitySubscriptionId = $env:CONNECTIVITY_SUBSCRIPTION_ID, + [string]$identitySubscriptionId = $env:IDENTITY_SUBSCRIPTION_ID, + [string]$managementSubscriptionId = $env:MANAGEMENT_SUBSCRIPTION_ID ) if($whatIfEnabled) { 
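Review bot: The three subscription IDs added to the `param` block arrive from environment variables with no validation, and later in this script an unset variable becomes an empty entry that is still fed to `Set-AzContext` and the force-delete loop. Because validation attributes do not run against default values, check them explicitly after the block: `foreach ($id in $connectivitySubscriptionId, $identitySubscriptionId, $managementSubscriptionId) { if ($id -notmatch '^[0-9a-fA-F-]{36}$') { throw "Not a subscription GUID: '$id'" } }`. If one of them is legitimately optional, skip empty values instead of throwing, but do not let them reach the deletion loop. The `param` block starts before this hunk.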
@@ -41,38 +44,76 @@ $intermediateRootGroupChildSubscriptions | ForEach-Object -Parallel { # For each Subscription in the Intermediate Root Management Group's hierarchy tree, remove all Resources, Resource Groups and Deployments Write-Host "Removing all Azure Resources, Resource Groups and Deployments from Subscriptions in scope" -ForegroundColor Yellow +$subscriptionsToClean = @() ForEach ($subscription in $intermediateRootGroupChildSubscriptions) { - Write-Host "Set context to Subscription: '$($subscription.subName)'" -ForegroundColor Cyan - Set-AzContext -Subscription $subscription.subID | Out-Null + $subscriptionsToClean += { + name: $subscription.subName + id: $subscription.subID + } +} + +$subscriptionIds = $subscriptionsToClean | Select-Object -ExpandProperty id + +if($subscriptionIds -notcontains $managementSubscriptionId) { + $subscriptionsToClean += @{ + name = "Management" + id = $managementSubscriptionId + } + $subscriptionIds += $managementSubscriptionId +} + +if($subscriptionIds -notcontains $identitySubscriptionId) { + $subscriptionsToClean += @{ + name = "Identity" + id = $identitySubscriptionId + } + $subscriptionIds += $identitySubscriptionId +} + +if($subscriptionIds -notcontains $connectivitySubscriptionId) { + $subscriptionsToClean += @{ + name = "Connectivity" + id = $connectivitySubscriptionId + } + $subscriptionIds += $connectivitySubscriptionId +} + +ForEach ($subscription in $subscriptionsToClean) { + Write-Host "Set context to Subscription: '$($subscription.name)'" -ForegroundColor Cyan + Set-AzContext -Subscription $subscription.id | Out-Null # Get all Resource Groups in Subscription $resources = Get-AzResourceGroup $resources | ForEach-Object -Parallel { - Write-Host "Deleting " $_.ResourceGroupName "..." -ForegroundColor Red - Remove-AzResourceGroup -Name $_.ResourceGroupName -Force | Out-Null + if($_.ResourceGroupName -like "*$intermediateRootGroupID*") { + Write-Host "Deleting " $_.ResourceGroupName "..." 
-ForegroundColor Red + Remove-AzResourceGroup -Name $_.ResourceGroupName -Force | Out-Null + } } # Get Deployments for Subscription $subDeployments = Get-AzSubscriptionDeployment - Write-Host "Removing All Subscription Deployments for: $($subscription.subName)" -ForegroundColor Yellow + Write-Host "Removing All Successful Subscription Deployments for: $($subscription.name)" -ForegroundColor Yellow # For each Subscription level deployment, remove it $subDeployments | ForEach-Object -Parallel { - Write-Host "Removing $($_.DeploymentName) ..." -ForegroundColor Red - Remove-AzSubscriptionDeployment -Id $_.Id | Out-Null + if($_.ProvisioningState -eq "Succeeded") { + Write-Host "Removing $($_.DeploymentName) ..." -ForegroundColor Red + Remove-AzSubscriptionDeployment -Id $_.Id | Out-Null + } } # Set MDFC tier to Free for each Subscription if ($resetMdfcTierOnSubs) { - Write-Host "Resetting MDFC tier to Free for Subscription: $($subscription.subName)" -ForegroundColor Yellow + Write-Host "Resetting MDFC tier to Free for Subscription: $($subscription.name)" -ForegroundColor Yellow $currentMdfcForSubUnfiltered = Get-AzSecurityPricing $currentMdfcForSub = $currentMdfcForSubUnfiltered | Where-Object { $_.PricingTier -ne "Free" } ForEach ($mdfcPricingTier in $currentMdfcForSub) { - Write-Host "Resetting $($mdfcPricingTier.Name) to Free MDFC Pricing Tier for Subscription: $($subscription.subName)" -ForegroundColor Yellow + Write-Host "Resetting $($mdfcPricingTier.Name) to Free MDFC Pricing Tier for Subscription: $($subscription.name)" -ForegroundColor Yellow Set-AzSecurityPricing -Name $mdfcPricingTier.Name -PricingTier 'Free' | Out-Null } 
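Review bot: `$intermediateRootGroupID` is read inside the `ForEach-Object -Parallel` block that force-deletes resource groups, but parallel runspaces do not see the caller's variables unless they are referenced as `$using:intermediateRootGroupID` (the subscription-move loop above does this for `$using:tenantRootGroupID`), so the pattern degrades to `**` and every resource group in the management, identity and connectivity subscriptions matches. Even with the scope fixed, an empty `MANAGEMENT_GROUP_ID` yields the same wildcard, so guard before the loop with `if ([string]::IsNullOrWhiteSpace($intermediateRootGroupID)) { throw 'MANAGEMENT_GROUP_ID is required' }` and compute the names to delete outside the parallel block. Separately, `$subscriptionsToClean += { name: ... }` at the top of the hunk appends a script block rather than a hashtable, so `Select-Object -ExpandProperty id` returns nothing and the three `-notcontains` checks always add their subscriptions; `@{ name = $subscription.subName; id = $subscription.subID }` is the intended form.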
diff --git a/accelerator/test_modules/managementGroups/managementGroup.bicep b/accelerator/test_modules/managementGroup/managementGroup.bicep similarity index 99% rename from accelerator/test_modules/managementGroups/managementGroup.bicep rename to accelerator/test_modules/managementGroup/managementGroup.bicep index 4417d1eca..b7950c5e0 100644 --- a/accelerator/test_modules/managementGroups/managementGroup.bicep +++ b/accelerator/test_modules/managementGroup/managementGroup.bicep @@ -20,6 +20,7 @@ param parTopLevelManagementGroupDisplayName string = 'Azure Landing Zones' param parTopLevelManagementGroupParentId string = '' resource resTopLevelMg 'Microsoft.Management/managementGroups@2023-04-01' = { + scope: tenant() name: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}' properties: { displayName: parTopLevelManagementGroupDisplayName diff --git a/accelerator/test_modules/managementGroups/parameters/managementGroups.parameters.all.json b/accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json similarity index 100% rename from accelerator/test_modules/managementGroups/parameters/managementGroups.parameters.all.json rename to accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json From eb94af21c39f1a1a43011c8ceef62d96b3f4c413 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Tue, 9 Jul 2024 12:42:04 +0100 Subject: [PATCH 17/33] Fix resource group deletion code --- accelerator/scripts/destroy-landing-zone.ps1 | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1 index 487af8f80..c73828785 100644 --- a/accelerator/scripts/destroy-landing-zone.ps1 +++ b/accelerator/scripts/destroy-landing-zone.ps1 
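Review bot: The added `scope: tenant()` deserves a why-comment, because the file declares `targetScope = 'managementGroup'` (per the apparently identical module earlier in this series) and a reader will otherwise assume the two scopes conflict. A line such as `// Management groups are tenant-level resources; targeting tenant() from an MG-scoped deployment is the ARM scope escape this module relies on` above the resource captures it. Whether the deploying identity then needs rights only on the parent management group, as the module description claims, should be confirmed against the role actually granted in the pipeline; if tenant-root rights turn out to be required, the description is misleading and should say so.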
@@ -83,14 +83,19 @@ ForEach ($subscription in $subscriptionsToClean) { Set-AzContext -Subscription $subscription.id | Out-Null # Get all Resource Groups in Subscription - $resources = Get-AzResourceGroup + $resourceGroups = Get-AzResourceGroup - $resources | ForEach-Object -Parallel { - if($_.ResourceGroupName -like "*$intermediateRootGroupID*") { - Write-Host "Deleting " $_.ResourceGroupName "..." -ForegroundColor Red - Remove-AzResourceGroup -Name $_.ResourceGroupName -Force | Out-Null + $resourceGroupsToRemove = @() + ForEach ($resourceGroup in $resourceGroups) { + if ($resourceGroup.ResourceGroupName -like "*$intermediateRootGroupID*") { + $resourceGroupsToRemove += $resourceGroup.ResourceGroupName } } + + $resourceGroupsToRemove | ForEach-Object -Parallel { + Write-Host "Deleting " $_ "..." -ForegroundColor Red + Remove-AzResourceGroup -Name $_ -Force | Out-Null + } # Get Deployments for Subscription $subDeployments = Get-AzSubscriptionDeployment From 4920d44d5e08dd8654c2f9318bb85a33729c29c4 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Tue, 9 Jul 2024 12:45:44 +0100 Subject: [PATCH 18/33] Filter down more --- accelerator/scripts/destroy-landing-zone.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1 index c73828785..40798691e 100644 --- a/accelerator/scripts/destroy-landing-zone.ps1 +++ b/accelerator/scripts/destroy-landing-zone.ps1 @@ -87,7 +87,7 @@ ForEach ($subscription in $subscriptionsToClean) { $resourceGroupsToRemove = @() ForEach ($resourceGroup in $resourceGroups) { - if ($resourceGroup.ResourceGroupName -like "*$intermediateRootGroupID*") { + if ($resourceGroup.ResourceGroupName -like "rg-$intermediateRootGroupID-*") { $resourceGroupsToRemove += $resourceGroup.ResourceGroupName } } From 11a912a7472829d0a336a6629d098271338eccef Mon Sep 17 00:00:00 2001 
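Review bot: `Remove-AzResourceGroup -Name $_ -Force | Out-Null` in the rebuilt parallel loop discards both the result and any non-terminating error, so a resource group that fails to delete (a lock, a policy deny, a dependency) is silently left behind while the script goes on to tear down the management groups. Add `-ErrorAction Stop` inside the block so the failure surfaces, or collect failures and throw after the loop. It is also worth confirming that the Az context set by `Set-AzContext` above is visible inside `ForEach-Object -Parallel` runspaces on the agent in use; if it is not, capture `$ctx = Get-AzContext` before the loop and pass `-DefaultProfile $using:ctx`.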
From: Jared Holgate Date: Tue, 9 Jul 2024 14:24:31 +0100 Subject: [PATCH 19/33] Only remove deployments created by this module --- accelerator/scripts/destroy-landing-zone.ps1 | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1 index 40798691e..6967efc01 100644 --- a/accelerator/scripts/destroy-landing-zone.ps1 +++ b/accelerator/scripts/destroy-landing-zone.ps1 @@ -102,14 +102,19 @@ ForEach ($subscription in $subscriptionsToClean) { Write-Host "Removing All Successful Subscription Deployments for: $($subscription.name)" -ForegroundColor Yellow - # For each Subscription level deployment, remove it - $subDeployments | ForEach-Object -Parallel { - if($_.ProvisioningState -eq "Succeeded") { - Write-Host "Removing $($_.DeploymentName) ..." -ForegroundColor Red - Remove-AzSubscriptionDeployment -Id $_.Id | Out-Null + $deploymentsToRemove = @() + ForEach ($deployment in $subDeployments) { + if ($deployment.DeploymentName -like "$intermediateRootGroupID-*" -and $deployment.ProvisioningState -eq "Succeeded") { + $deploymentsToRemove += $deployment } } + # For each Subscription level deployment, remove it + $deploymentsToRemove | ForEach-Object -Parallel { + Write-Host "Removing $($_.DeploymentName) ..." -ForegroundColor Red + Remove-AzSubscriptionDeployment -Id $_.Id | Out-Null + } + # Set MDFC tier to Free for each Subscription if ($resetMdfcTierOnSubs) { Write-Host "Resetting MDFC tier to Free for Subscription: $($subscription.name)" -ForegroundColor Yellow From 8f2d393a527dc9ef539943a6e50f8b05c48b9f89 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Tue, 9 Jul 2024 15:47:38 +0100 Subject: [PATCH 20/33] Add PREFIX env var --- accelerator/.config/ALZ-Powershell-Auto.config.json | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json index 28b2f3c8b..8fcdcb102 100644 --- a/accelerator/.config/ALZ-Powershell-Auto.config.json +++ b/accelerator/.config/ALZ-Powershell-Auto.config.json @@ -226,7 +226,11 @@ }, { "name": "MANAGEMENT_GROUP_ID", - "destination": "Environment" + "Destination": "Environment" + }, + { + "name": "PREFIX", + "Destination": "Environment" } ], "default": "alz", @@ -715,7 +719,11 @@ }, { "name": "MANAGEMENT_GROUP_ID", - "destination": "Environment" + "Destination": "Environment" + }, + { + "Name": "PREFIX", + "Destination": "Environment" } ], "default": "alz", From 088245a9d55425b3d4c96c039a0e5376322925c0 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Tue, 9 Jul 2024 15:49:47 +0100 Subject: [PATCH 21/33] Add prefix param to avoid confusion --- accelerator/scripts/destroy-landing-zone.ps1 | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1 index 6967efc01..94cf66669 100644 --- a/accelerator/scripts/destroy-landing-zone.ps1 +++ b/accelerator/scripts/destroy-landing-zone.ps1 @@ -2,6 +2,7 @@ param ( [bool]$whatIfEnabled = $true, + [string]$prefix = $env:PREFIX, [string]$intermediateRootGroupID = $env:MANAGEMENT_GROUP_ID, [string]$tenantRootGroupID = $env:ROOT_PARENT_MANAGEMENT_GROUP_ID, [string]$connectivitySubscriptionId = $env:CONNECTIVITY_SUBSCRIPTION_ID, @@ -87,7 +88,7 @@ ForEach ($subscription in $subscriptionsToClean) { $resourceGroupsToRemove = @() ForEach ($resourceGroup in $resourceGroups) { - if ($resourceGroup.ResourceGroupName -like "rg-$intermediateRootGroupID-*") { + if ($resourceGroup.ResourceGroupName -like "rg-$prefix*") { $resourceGroupsToRemove += $resourceGroup.ResourceGroupName } } 
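Review bot: The two `PREFIX` targets added in this commit spell the key differently, `"name"` in the first hunk and `"Name"` here, while both hunks also flip `"destination"` to `"Destination"`, so whichever casing the consumer matches, one of the two entries is likely to be ignored and `PREFIX` left unset for that starter module. Since the destroy script in the following commit reads `$env:PREFIX` to decide which resource groups and deployments to delete, an unset value is not cosmetic. Pick one casing for `name`/`Name` and `destination`/`Destination` across the file (the existing `"Name": "parTopLevelManagementGroupParentId.value"` entries suggest PascalCase) and apply it to both entries.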
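Review bot: `"rg-$prefix*"` is a wildcard pattern, so with `$prefix` empty (unset `PREFIX`) it becomes `rg-*` and every conventionally named resource group in the three platform subscriptions is force-deleted, and a prefix containing `*`, `?` or `[` silently widens the match. Fail fast after the `param` block with `if ([string]::IsNullOrWhiteSpace($prefix)) { throw 'PREFIX is required' }` and build the pattern from `[WildcardPattern]::Escape($prefix)`. The same pattern is applied to deployment names in the next hunk, so one guard covers both.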
@@ -104,7 +105,7 @@ ForEach ($subscription in $subscriptionsToClean) { $deploymentsToRemove = @() ForEach ($deployment in $subDeployments) { - if ($deployment.DeploymentName -like "$intermediateRootGroupID-*" -and $deployment.ProvisioningState -eq "Succeeded") { + if ($deployment.DeploymentName -like "$prefix*" -and $deployment.ProvisioningState -eq "Succeeded") { $deploymentsToRemove += $deployment } } From 07d7cf90dde74755564e9cc9e23d6563d184ef65 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Tue, 9 Jul 2024 17:06:40 +0100 Subject: [PATCH 22/33] Fix linting --- .../.config/ALZ-Powershell-Auto.config.json | 28 +++---- accelerator/scripts/destroy-landing-zone.ps1 | 79 ++++++++++--------- 2 files changed, 57 insertions(+), 50 deletions(-) diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json index 8fcdcb102..9ba0ea85b 100644 --- a/accelerator/.config/ALZ-Powershell-Auto.config.json +++ b/accelerator/.config/ALZ-Powershell-Auto.config.json @@ -11,13 +11,13 @@ "version.json" ], "subfolders_or_files_to_remove" : [ - "media", - "samples", - "generateddocs", - ".azuredevops/pipelines", - ".github/workflows", - "pipeline-scripts", - "china", + "media", + "samples", + "generateddocs", + ".azuredevops/pipelines", + ".github/workflows", + "pipeline-scripts", + "china", "parameters", "README.md" ], @@ -635,13 +635,13 @@ "version.json" ], "subfolders_or_files_to_remove" : [ - "media", - "samples", - "generateddocs", - ".azuredevops/pipelines", - ".github/workflows", - "pipeline-scripts", - "china", + "media", + "samples", + "generateddocs", + ".azuredevops/pipelines", + ".github/workflows", + "pipeline-scripts", + "china", "parameters", "README.md" ], diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1 index 94cf66669..c1b30521a 100644 --- a/accelerator/scripts/destroy-landing-zone.ps1 +++ b/accelerator/scripts/destroy-landing-zone.ps1 
@@ -31,19 +31,19 @@ $StopWatch.Start() # Get all Subscriptions that are in the Intermediate Root Management Group's hierarchy tree $intermediateRootGroupChildSubscriptions = Search-AzGraph -Query "resourcecontainers | where type =~ 'microsoft.resources/subscriptions' | mv-expand mgmtGroups=properties.managementGroupAncestorsChain | where mgmtGroups.name =~ '$intermediateRootGroupID' | project subName=name, subID=subscriptionId, subState=properties.state, aadTenantID=tenantId, mgID=mgmtGroups.name, mgDisplayName=mgmtGroups.displayName" -Write-Host "Moving all subscriptions under root management group" -ForegroundColor Yellow +Write-Output "Moving all subscriptions under root management group" # For each Subscription in Intermediate Root Management Group's hierarchy tree, move it to the Tenant Root Management Group $intermediateRootGroupChildSubscriptions | ForEach-Object -Parallel { # The name 'Tenant Root Group' doesn't work. Instead, use the GUID of your Tenant Root Group if ($_.subState -ne "Disabled") { - Write-Host "Moving Subscription: '$($_.subName)' under Tenant Root Management Group: '$($using:tenantRootGroupID)'" -ForegroundColor Cyan + Write-Output "Moving Subscription: '$($_.subName)' under Tenant Root Management Group: '$($using:tenantRootGroupID)'" New-AzManagementGroupSubscription -GroupId $using:tenantRootGroupID -SubscriptionId $_.subID | Out-Null } } # For each Subscription in the Intermediate Root Management Group's hierarchy tree, remove all Resources, Resource Groups and Deployments -Write-Host "Removing all Azure Resources, Resource Groups and Deployments from Subscriptions in scope" -ForegroundColor Yellow +Write-Output "Removing all Azure Resources, Resource Groups and Deployments from Subscriptions in scope" $subscriptionsToClean = @() ForEach ($subscription in $intermediateRootGroupChildSubscriptions) { 
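Review bot: The `Search-AzGraph` call shown as context at the top of this hunk has no `-First` and no `-SkipToken` loop, and Resource Graph returns only a first page by default, so in a tenant with more subscriptions under the intermediate root than fit on one page the remainder are never moved to the tenant root or cleaned, while the management groups containing them are still deleted later. Page the query (`-First 1000` plus a `-SkipToken` loop) before relying on the result. The query also interpolates `$intermediateRootGroupID` straight into KQL inside single quotes, so a value containing `'` breaks the query instead of failing validation; validating the ID against the management-group name rules up front, or escaping the quote, avoids that.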
@@ -80,7 +80,7 @@ if($subscriptionIds -notcontains $connectivitySubscriptionId) { } ForEach ($subscription in $subscriptionsToClean) { - Write-Host "Set context to Subscription: '$($subscription.name)'" -ForegroundColor Cyan + Write-Output "Set context to Subscription: '$($subscription.name)'" Set-AzContext -Subscription $subscription.id | Out-Null # Get all Resource Groups in Subscription @@ -94,15 +94,15 @@ ForEach ($subscription in $subscriptionsToClean) { } $resourceGroupsToRemove | ForEach-Object -Parallel { - Write-Host "Deleting " $_ "..." -ForegroundColor Red + Write-Output "Deleting $_..." Remove-AzResourceGroup -Name $_ -Force | Out-Null } - + # Get Deployments for Subscription $subDeployments = Get-AzSubscriptionDeployment - Write-Host "Removing All Successful Subscription Deployments for: $($subscription.name)" -ForegroundColor Yellow - + Write-Output "Removing All Successful Subscription Deployments for: $($subscription.name)" + $deploymentsToRemove = @() ForEach ($deployment in $subDeployments) { if ($deployment.DeploymentName -like "$prefix*" -and $deployment.ProvisioningState -eq "Succeeded") { 
@@ -112,47 +112,54 @@ ForEach ($subscription in $subscriptionsToClean) { # For each Subscription level deployment, remove it $deploymentsToRemove | ForEach-Object -Parallel { - Write-Host "Removing $($_.DeploymentName) ..." -ForegroundColor Red + Write-Output "Removing $($_.DeploymentName) ..." Remove-AzSubscriptionDeployment -Id $_.Id | Out-Null } # Set MDFC tier to Free for each Subscription if ($resetMdfcTierOnSubs) { - Write-Host "Resetting MDFC tier to Free for Subscription: $($subscription.name)" -ForegroundColor Yellow - + Write-Output "Resetting MDFC tier to Free for Subscription: $($subscription.name)" + $currentMdfcForSubUnfiltered = Get-AzSecurityPricing $currentMdfcForSub = $currentMdfcForSubUnfiltered | Where-Object { $_.PricingTier -ne "Free" } ForEach ($mdfcPricingTier in $currentMdfcForSub) { - Write-Host "Resetting $($mdfcPricingTier.Name) to Free MDFC Pricing Tier for Subscription: $($subscription.name)" -ForegroundColor Yellow - + Write-Output "Resetting $($mdfcPricingTier.Name) to Free MDFC Pricing Tier for Subscription: $($subscription.name)" + Set-AzSecurityPricing -Name $mdfcPricingTier.Name -PricingTier 'Free' | Out-Null } } } # This function only deletes Management Groups in the Intermediate Root Management Group's hierarchy tree and will NOT delete other Intermediate Root level Management Groups and their children e.g. 
in the case of "canary" -function Remove-Recursively($name) { - # Enters the parent Level - Write-Host "Entering the scope with $name" -ForegroundColor Green - $parent = Get-AzManagementGroup -GroupId $name -Expand -Recurse - - # Checks if there is any parent level - if ($null -ne $parent.Children) { - Write-Host "Found the following Children :" -ForegroundColor Yellow - Write-host ($parent.Children | Select-Object Name).Name -ForegroundColor White - - foreach ($children in $parent.Children) { - # Tries to recur to each child item - Remove-Recursively($children.Name) + +function Remove-Recursively { + [CmdletBinding(SupportsShouldProcess = $true)] + param ( + [string]$name + ) + if($PSCmdlet.ShouldProcess($name, "Remove-AzManagementGroup")) { + # Enters the parent Level + Write-Output "Entering the scope with $name" + $parent = Get-AzManagementGroup -GroupId $name -Expand -Recurse + + # Checks if there is any parent level + if ($null -ne $parent.Children) { + Write-Output "Found the following Children :" + Write-Output ($parent.Children | Select-Object Name).Name + + foreach ($children in $parent.Children) { + # Tries to recur to each child item + Remove-Recursively($children.Name) + } } - } - # If no children are found at each scope - Write-Host "No children found in scope $name" -ForegroundColor Yellow - Write-Host "Removing the scope $name" -ForegroundColor Red - - Remove-AzManagementGroup -InputObject $parent | Out-Null + # If no children are found at each scope + Write-Output "No children found in scope $name" + Write-Output "Removing the scope $name" + + Remove-AzManagementGroup -InputObject $parent | Out-Null + } } # Check if Management Group exists for idempotency 
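Review bot: The rewritten `Remove-Recursively` recurses into every entry of `$parent.Children` without checking `Type`, so if a subscription is still attached (the move loop earlier skips subscriptions whose state is `Disabled`) its name is passed to `Get-AzManagementGroup -GroupId`, which fails, and the parent delete then fails on a non-empty group. Filter first: `foreach ($child in $parent.Children | Where-Object { $_.Type -like '*managementGroups' }) { Remove-Recursively $child.Name }`. The `No children found in scope $name` message is printed unconditionally after the recursion, so it is wrong whenever children existed; `Removing the scope $name` alone is accurate. Note that `SupportsShouldProcess` only honours `-WhatIf`/`$WhatIfPreference`, not the script's own `$whatIfEnabled` switch, which exits before this function is reached.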
@@ -160,10 +167,10 @@ $managementGroups = Get-AzManagementGroup $managementGroup = $managementGroups | Where-Object { $_.Name -eq $intermediateRootGroupID } if($null -eq $managementGroup) { - Write-Host "Management Group with ID: '$intermediateRootGroupID' does not exist." -ForegroundColor Yellow + Write-Output "Management Group with ID: '$intermediateRootGroupID' does not exist." } else { - Write-Host "Management Group with ID: '$intermediateRootGroupID' exists. Proceeding with deletion." -ForegroundColor Yellow - + Write-Output "Management Group with ID: '$intermediateRootGroupID' exists. Proceeding with deletion." + # Remove all the Management Groups in Intermediate Root Management Group's hierarchy tree, including itself Remove-Recursively($intermediateRootGroupID) } @@ -172,5 +179,5 @@ if($null -eq $managementGroup) { $StopWatch.Stop() # Display timer output as table -Write-Host "Time taken to complete task:" -ForegroundColor Yellow +Write-Output "Time taken to complete task:" $StopWatch.Elapsed | Format-Table From 9b500d2aa156b919005771e77098d3ed1d54873f Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Wed, 10 Jul 2024 16:53:53 +0100 Subject: [PATCH 23/33] Update accelerator docs --- docs/wiki/Accelerator.md | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/docs/wiki/Accelerator.md b/docs/wiki/Accelerator.md index c71bf53b6..226561e89 100644 --- a/docs/wiki/Accelerator.md +++ b/docs/wiki/Accelerator.md 
@@ -1,10 +1,16 @@ -## ALZ Bicep Accelerator +## ALZ Bicep Accelerator (Classic) -This document provides prescriptive guidance around implementing, automating, and maintaining your ALZ Bicep module with the ALZ Bicep Accelerator. +**IMPORTANT**: The Azure Landing Zones Accelerators documentation has been moved to [aka.ms/alz/accelerator/docs](https://aka.ms/alz/accelerator/docs). Head over there now to get started. -### What is the ALZ Bicep Accelerator? +The Azure Landing Zones Accelerators been updated to automate the bootstrapping of Version Control System and Azure resources. Please only use the following instructions if you need to use the classic version of the ALZ Bicep Accelerator. + +>NOTE: The classic version of the ALZ Bicep Accelerator will be maintained for a limited time. We recommend that you migrate to the new version as soon as possible. + +### What is the ALZ Bicep Accelerator (Classic)? + +>NOTE: These instructions now include the `-bicepLegacyMode $true` parameter, which needs be set explicily to use the classic version. The ALZ Bicep Accelerator framework was developed to provide end-users with the following abilities: @@ -67,7 +73,7 @@ In order to setup the Accelerator framework with the production GitHub Action Wo 1. Create your ALZ Bicep Accelerator framework with the following ALZ PowerShell Module cmdlet: ```powershell - Deploy-Accelerator -o -i "bicep" -b "alz_github + Deploy-Accelerator -o -i "bicep" -b "alz_github" -bicepLegacyMode $true ``` > **Note:** @@ -137,7 +143,7 @@ In order to setup the Accelerator framework with the production ready Azure DevO 1. Create your ALZ Bicep Accelerator framework with the following ALZ PowerShell Module cmdlet: ```powershell - Deploy-Accelerator -o -i "bicep" -b "alz_azuredevops" + Deploy-Accelerator -o -i "bicep" -b "alz_azuredevops" -bicepLegacyMode $true ``` > **Note:** 
@@ -224,13 +230,13 @@ With the ALZ Accelerator framework, we have designed the pipelines and directory Here is an example of using the cmdlet to upgrade to the latest version: ```powershell - Deploy-Accelerator -i "bicep" -b "alz_github" -o "C:\Repos\ALZ\accelerator" + Deploy-Accelerator -i "bicep" -b "alz_github" -o "C:\Repos\ALZ\accelerator" -bicepLegacyMode $true ``` Here is an example of using the to upgrade to version v0.17.2: ```powershell - Deploy-Accelerator -i "bicep" -b "alz_github" -v "v0.17.2" -o "C:\Repos\ALZ\accelerator" + Deploy-Accelerator -i "bicep" -b "alz_github" -v "v0.17.2" -o "C:\Repos\ALZ\accelerator" -bicepLegacyMode $true ``` You will be prompted for inputs again and the upgrade will be run for you. From 46db89b29a224930f9b0ea89003ee2b2fb6e1866 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Wed, 10 Jul 2024 21:34:23 +0100 Subject: [PATCH 24/33] Remove china policies --- accelerator/.config/ALZ-Powershell-Auto.config.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json index 9ba0ea85b..89fefb216 100644 --- a/accelerator/.config/ALZ-Powershell-Auto.config.json +++ b/accelerator/.config/ALZ-Powershell-Auto.config.json @@ -18,6 +18,9 @@ ".github/workflows", "pipeline-scripts", "china", + "china/policy_definitions", + "china/policy_set_definitions", + "china/policy_assignments", "parameters", "README.md" ], From 9078ee747fa721979aece4374781406ce2351359 Mon Sep 17 00:00:00 2001 From: Jared Holgate Date: Thu, 11 Jul 2024 12:40:59 +0100 Subject: [PATCH 25/33] Fix PowerShell Typo --- accelerator/scripts/destroy-landing-zone.ps1 | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1 index c1b30521a..b526a1b01 100644 --- a/accelerator/scripts/destroy-landing-zone.ps1 +++ b/accelerator/scripts/destroy-landing-zone.ps1 
@@ -47,9 +47,9 @@ Write-Output "Removing all Azure Resources, Resource Groups and Deployments from
 $subscriptionsToClean = @()
 ForEach ($subscription in $intermediateRootGroupChildSubscriptions) {
- $subscriptionsToClean += {
- name: $subscription.subName
- id: $subscription.subID
+ $subscriptionsToClean += @{
+ name = $subscription.subName
+ id = $subscription.subID
 }
 }
@@ -58,7 +58,7 @@ $subscriptionIds = $subscriptionsToClean | Select-Object -ExpandProperty id
 if($subscriptionIds -notcontains $managementSubscriptionId) {
 $subscriptionsToClean += @{
 name = "Management"
- id = $managementSubscriptionId
+ id = $managementSubscriptionId
 }
 $subscriptionIds += $managementSubscriptionId
 }
@@ -66,7 +66,7 @@ if($subscriptionIds -notcontains $managementSubscriptionId) {
 if($subscriptionIds -notcontains $identitySubscriptionId) {
 $subscriptionsToClean += @{
 name = "Identity"
- id = $identitySubscriptionId
+ id = $identitySubscriptionId
 }
 $subscriptionIds += $identitySubscriptionId
 }
@@ -74,7 +74,7 @@ if($subscriptionIds -notcontains $identitySubscriptionId) {
 if($subscriptionIds -notcontains $connectivitySubscriptionId) {
 $subscriptionsToClean += @{
 name = "Connectivity"
- id = $connectivitySubscriptionId
+ id = $connectivitySubscriptionId
 }
 $subscriptionIds += $connectivitySubscriptionId
 }
From 3d19410943e6b4aec90fad56a12c27c5ab3ec58b Mon Sep 17 00:00:00 2001
From: Jared Holgate
Date: Thu, 11 Jul 2024 17:50:06 +0100
Subject: [PATCH 26/33] skip delete on no mg
---
 accelerator/scripts/destroy-landing-zone.ps1 | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/accelerator/scripts/destroy-landing-zone.ps1 b/accelerator/scripts/destroy-landing-zone.ps1
index b526a1b01..57347ea0e 100644
--- a/accelerator/scripts/destroy-landing-zone.ps1
+++ b/accelerator/scripts/destroy-landing-zone.ps1
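Review bot: The repaired literals are plain hashtables, while the line `$subscriptionIds = $subscriptionsToClean | Select-Object -ExpandProperty id` shown in the next hunk's header reads `id` as a property; on PowerShell versions where `Select-Object` does not expose hashtable keys as properties, `$subscriptionIds` comes back empty, every `-notcontains` check below passes, and the child subscriptions of the intermediate root are silently left out of the clean-up. Declaring the entries as objects removes the ambiguity on every version: `$subscriptionsToClean += [PSCustomObject]@{`, and for consistency the three `$subscriptionsToClean += @{` literals in the following hunks would take the same prefix. Whether `subName` and `subID` exist on the elements of `$intermediateRootGroupChildSubscriptions` cannot be checked here, as that collection is built outside the hunk.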
@@ -16,6 +16,13 @@ if($whatIfEnabled) {
 exit 0
 }
+$managementGroups = Get-AzManagementGroup
+$managementGroup = $managementGroups | Where-Object { $_.Name -eq $intermediateRootGroupID }
+if($null -eq $managementGroup) {
+ Write-Warning "The $intermediateRootGroupID does not exist, so there is nothing to delete."
+ exit 0
+}
+
 if ($tenantRootGroupID -eq "") {
 $tenantRootGroupID = (Get-AzContext).Tenant.TenantId
 }
From a6df47a3f309a0ef701506fb0816812b6d80ad23 Mon Sep 17 00:00:00 2001
From: Jared Holgate
Date: Fri, 12 Jul 2024 14:17:55 +0100
Subject: [PATCH 27/33] Add on demand folder support
---
 .../.config/ALZ-Powershell-Auto.config.json | 45 ++++++++++++++++---
 1 file changed, 39 insertions(+), 6 deletions(-)
diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json
index 89fefb216..d2cd2a298 100644
--- a/accelerator/.config/ALZ-Powershell-Auto.config.json
+++ b/accelerator/.config/ALZ-Powershell-Auto.config.json
@@ -7,8 +7,7 @@
 "destroy_script_path": "accelerator/scripts/destroy-landing-zone.ps1",
 "folders_or_files_to_retain": [
 "accelerator",
- "infra-as-code",
- "version.json"
+ "infra-as-code"
 ],
 "subfolders_or_files_to_remove" : [
 "media",
@@ -22,7 +21,15 @@
 "china/policy_set_definitions",
 "china/policy_assignments",
 "parameters",
- "README.md"
+ "README.md",
+ "ALZ-Powershell.config.json",
+ "test_modules/managementGroup"
+ ],
+ "on_demand_folders" : [
+ {
+ "target": "infra-as-code",
+ "source": "infra-as-code"
+ }
 ],
 "deployment_file_groups" : [
 {
@@ -206,6 +213,16 @@
 }
 ],
 "inputs": {
+ "ReleaseVersion": {
+ "source": "powershell",
+ "type": "string",
+ "Targets": [
+ {
+ "Name": "RELEASE_VERSION",
+ "Destination": "Environment"
+ }
+ ]
+ },
 "Prefix": {
 "source": "input",
 "type": "string",
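Review bot: An empty `$intermediateRootGroupID` (it is populated outside the hunk) also lands in the `$null -eq $managementGroup` branch, so the script exits 0 with the message `The  does not exist, so there is nothing to delete.`, which from a pipeline is indistinguishable from a successful clean-up. Rejecting the empty case before the lookup keeps a misconfiguration from looking like success, e.g. `if ([string]::IsNullOrWhiteSpace($intermediateRootGroupID)) { throw "intermediateRootGroupID must be set" }`, and the warning reads more clearly as `Write-Warning "Management group '$intermediateRootGroupID' does not exist, so there is nothing to delete."`. The parameterless `Get-AzManagementGroup` enumerates every management group the caller can read and filters on `Name` client-side; that is fine for a one-off destroy script, but a direct lookup by ID would avoid depending on list permission across the tenant.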
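Review bot: The `on_demand_folders` and `ReleaseVersion` blocks are added verbatim to both starter configurations in this file (this hunk group and the one at `@@ -634`, `@@ -646` and `@@ -711`), and a strict-JSON file gives no way to share or annotate them, so the two copies can only drift apart silently; a one-line entry in the accelerator documentation naming the two places that must be kept in sync would help. Dropping `version.json` from `folders_or_files_to_retain` presumably hands the version over to the new `ReleaseVersion` input (`"source": "powershell"` feeding `RELEASE_VERSION`), but nothing in the hunks shows what still reads `version.json` from the output folder, so that should be confirmed before it disappears from generated repositories. The `on_demand_folders` entry maps `infra-as-code` onto itself, which reads as a no-op unless `source` is resolved against a different root than `target`; the semantics of the two keys are not visible here.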
@@ -634,8 +651,7 @@
 "folders_or_files_to_retain": [
 "accelerator",
 "infra-as-code/bicep/modules/resourceGroup",
- "infra-as-code/bicep/CRML/customerUsageAttribution",
- "version.json"
+ "infra-as-code/bicep/CRML/customerUsageAttribution"
 ],
 "subfolders_or_files_to_remove" : [
 "media",
@@ -646,7 +662,14 @@
 "pipeline-scripts",
 "china",
 "parameters",
- "README.md"
+ "README.md",
+ "ALZ-Powershell.config.json"
+ ],
+ "on_demand_folders" : [
+ {
+ "target": "infra-as-code",
+ "source": "infra-as-code"
+ }
 ],
 "deployment_file_groups" : [
 {
@@ -711,6 +734,16 @@
 }
 ],
 "inputs": {
+ "ReleaseVersion": {
+ "source": "powershell",
+ "type": "string",
+ "Targets": [
+ {
+ "Name": "RELEASE_VERSION",
+ "Destination": "Environment"
+ }
+ ]
+ },
 "Prefix": {
 "source": "input",
 "type": "string",
From 9f33ef484f085ff42931078520d20e62610d2bcf Mon Sep 17 00:00:00 2001
From: Jared Holgate
Date: Fri, 12 Jul 2024 14:22:49 +0100
Subject: [PATCH 28/33] Update version json
---
 version.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/version.json b/version.json
index c2c88a6c1..e92f40423 100644
--- a/version.json
+++ b/version.json
@@ -1,6 +1,6 @@
 {
- "version": "0.18.0",
- "gitTag": "v0.18.0",
- "releaseNotes": "https://github.com/Azure/ALZ-Bicep/releases/tag/v0.18.0",
- "releaseDateTimeUTC": "20240709T0222079056Z"
+ "version": "0.19.0",
+ "gitTag": "v0.19.0",
+ "releaseNotes": "https://github.com/Azure/ALZ-Bicep/releases/tag/v0.19.0",
+ "releaseDateTimeUTC": "20240713T1000000000Z"
 }
From 4bd7ff64e41cd9e00513919a2d10e6c9e1e68e7f Mon Sep 17 00:00:00 2001
From: Jared Holgate
Date: Mon, 15 Jul 2024 12:37:39 +0100
Subject: [PATCH 29/33] Docs typo
---
 docs/wiki/Accelerator.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/wiki/Accelerator.md b/docs/wiki/Accelerator.md
index dacf1b815..4b2655f58 100644
--- a/docs/wiki/Accelerator.md
+++ b/docs/wiki/Accelerator.md
@@ -4,7 +4,7 @@
 **IMPORTANT**: The Azure Landing Zones Accelerators documentation has been moved to [aka.ms/alz/accelerator/docs](https://aka.ms/alz/accelerator/docs). Head over there now to get started.
-The Azure Landing Zones Accelerators been updated to automate the bootstrapping of Version Control System and Azure resources. Please only use the following instructions if you need to use the classic version of the ALZ Bicep Accelerator.
+The Azure Landing Zones Accelerators have been updated to automate the bootstrapping of your Version Control System and Azure resources. Please only use the following instructions if you need to use the classic version of the ALZ Bicep Accelerator.
 >NOTE: The classic version of the ALZ Bicep Accelerator will be maintained for a limited time. We recommend that you migrate to the new version as soon as possible.
From 1a299f31ded771f999afe92b498cbd9b0e2a9a71 Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Wed, 17 Jul 2024 20:32:04 -0500
Subject: [PATCH 30/33] Update wiki for clarity
---
 docs/wiki/Accelerator.md | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/docs/wiki/Accelerator.md b/docs/wiki/Accelerator.md
index 4b2655f58..a374f2988 100644
--- a/docs/wiki/Accelerator.md
+++ b/docs/wiki/Accelerator.md
@@ -2,15 +2,18 @@
 ## ALZ Bicep Accelerator (Classic)
-**IMPORTANT**: The Azure Landing Zones Accelerators documentation has been moved to [aka.ms/alz/accelerator/docs](https://aka.ms/alz/accelerator/docs). Head over there now to get started.
+> [!IMPORTANT]
+> The ALZ Bicep Accelerator has been updated to automate the bootstrapping of your Version Control System and Azure resources. The ALZ Bicep Accelerator's documentation has been moved to [aka.ms/alz/accelerator/docs](https://aka.ms/alz/accelerator/docs). Head over there now to get started!
+> Use the instructions below only if you need to use the classic version of the ALZ Bicep Accelerator.
-The Azure Landing Zones Accelerators have been updated to automate the bootstrapping of your Version Control System and Azure resources. Please only use the following instructions if you need to use the classic version of the ALZ Bicep Accelerator.
+> [!NOTE]
+> The classic version of the ALZ Bicep Accelerator will be maintained for a limited time. We recommend migrating to the new version as soon as possible.
->NOTE: The classic version of the ALZ Bicep Accelerator will be maintained for a limited time. We recommend that you migrate to the new version as soon as possible.
 ### What is the ALZ Bicep Accelerator (Classic)?
->NOTE: These instructions now include the `-bicepLegacyMode $true` parameter, which needs be set explicily to use the classic version.
+> [!NOTE]
+> These instructions now include the `-bicepLegacyMode $true` parameter, which needs be set explicily to use the classic version.
 The ALZ Bicep Accelerator framework was developed to provide end-users with the following abilities:
From 25c2a33332fca8084e478f3958111d6498771920 Mon Sep 17 00:00:00 2001
From: Zach Trocinski
Date: Wed, 17 Jul 2024 20:41:18 -0500
Subject: [PATCH 31/33] Add header
---
 docs/wiki/Accelerator.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/docs/wiki/Accelerator.md b/docs/wiki/Accelerator.md
index a374f2988..d8ed29bb3 100644
--- a/docs/wiki/Accelerator.md
+++ b/docs/wiki/Accelerator.md
@@ -6,9 +6,10 @@
 > The ALZ Bicep Accelerator has been updated to automate the bootstrapping of your Version Control System and Azure resources. The ALZ Bicep Accelerator's documentation has been moved to [aka.ms/alz/accelerator/docs](https://aka.ms/alz/accelerator/docs). Head over there now to get started!
 > Use the instructions below only if you need to use the classic version of the ALZ Bicep Accelerator.
-> [!NOTE]
-> The classic version of the ALZ Bicep Accelerator will be maintained for a limited time. We recommend migrating to the new version as soon as possible.
+### Deprecation Notice
+> [!WARNING]
+> The classic version of the ALZ Bicep Accelerator will be maintained for a limited time. We recommend migrating to the new version as soon as possible.
 ### What is the ALZ Bicep Accelerator (Classic)?
From 51594855bc0e7e8dd8fe9bc15c565125cce07278 Mon Sep 17 00:00:00 2001
From: Jared Holgate
Date: Thu, 18 Jul 2024 12:03:24 +0100
Subject: [PATCH 32/33] Support regional availability zones
---
 .../.config/ALZ-Powershell-Auto.config.json | 52 +++++++++++++++++--
 1 file changed, 47 insertions(+), 5 deletions(-)
diff --git a/accelerator/.config/ALZ-Powershell-Auto.config.json b/accelerator/.config/ALZ-Powershell-Auto.config.json
index d2cd2a298..66f60d6c2 100644
--- a/accelerator/.config/ALZ-Powershell-Auto.config.json
+++ b/accelerator/.config/ALZ-Powershell-Auto.config.json
@@ -274,7 +274,7 @@
 "Destination": "Parameters"
 },
 {
- "Name": "parVirtualWanHubs.value.[0].parHubLocation",
+ "Name": "parVirtualWanHubs.value[0].parHubLocation",
 "Destination": "Parameters"
 },
 {
@@ -555,7 +555,7 @@
 "Value": "privatelink.{%Location%}.azmk8s.io",
 "Targets": [
 {
- "Name": "parPrivateDnsZones.value.[0]",
+ "Name": "parPrivateDnsZones.value[0]",
 "Destination": "Parameters"
 }
 ]
@@ -566,7 +566,7 @@
 "Value": "privatelink.{%Location%}.batch.azure.com",
 "Targets": [
 {
- "Name": "parPrivateDnsZones.value.[1]",
+ "Name": "parPrivateDnsZones.value[1]",
 "Destination": "Parameters"
 }
 ]
@@ -577,7 +577,7 @@
 "Value": "privatelink.{%Location%}.kusto.windows.net",
 "Targets": [
 {
- "Name": "parPrivateDnsZones.value.[2]",
+ "Name": "parPrivateDnsZones.value[2]",
 "Destination": "Parameters"
 }
 ]
@@ -588,7 +588,7 @@
 "Value": "privatelink.{%Location%}.backup.windowsazure.com",
 "Targets": [
 {
- "Name": "parPrivateDnsZones.value.[3]",
+ "Name": "parPrivateDnsZones.value[3]",
 "Destination": "Parameters"
 }
 ]
@@ -640,6 +640,37 @@
 "Destination": "Parameters"
 }
 ]
+ },
+ "AvailabilityZones": {
+ "source": "powershell",
+ "type": "list(string)",
+ "Value": "",
+ "Targets": [
+ {
+ "Name": "AVAILABILITY_ZONES",
+ "Destination": "Environment"
+ },
+ {
+ "File": "vwanConnectivity.parameters.all.json",
+ "Name": "parVirtualWanHubs.value[0].parAzFirewallAvailabilityZones",
+ "Destination": "Parameters"
+ },
+ {
+ "File": "hubNetworking.parameters.all.json",
+ "Name": "parAzErGatewayAvailabilityZones.value",
+ "Destination": "Parameters"
+ },
+ {
+ "File": "hubNetworking.parameters.all.json",
+ "Name": "parAzVpnGatewayAvailabilityZones.value",
+ "Destination": "Parameters"
+ },
+ {
+ "File": "hubNetworking.parameters.all.json",
+ "Name": "parAzFirewallAvailabilityZones.value",
+ "Destination": "Parameters"
+ }
+ ]
 }
 }
 },
@@ -906,6 +937,17 @@
 "Destination": "Parameters"
 }
 ]
+ },
+ "AvailabilityZones": {
+ "source": "powershell",
+ "type": "list(string)",
+ "Value": "",
+ "Targets": [
+ {
+ "Name": "AVAILABILITY_ZONES",
+ "Destination": "Environment"
+ }
+ ]
 }
 }
 }
From 1f4361a8f1cdfee7636e1c55a9d2d54811149fe0 Mon Sep 17 00:00:00 2001
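Review bot: `AvailabilityZones` is declared `"type": "list(string)"` but its `"Value"` is the empty string `""`, and the same entry is mapped onto array-typed Bicep parameters (`parAzFirewallAvailabilityZones.value`, `parAzErGatewayAvailabilityZones.value`, `parAzVpnGatewayAvailabilityZones.value`, `parVirtualWanHubs.value[0].parAzFirewallAvailabilityZones`); if the loader ever writes `Value` through unchanged, those parameter files would receive a string where an array is expected and template validation would reject them. If an empty list is the intended default, `"Value": []` keeps the JSON type consistent with the declared type; if `"source": "powershell"` means the value is always computed at run time, `Value` could be omitted as the `ReleaseVersion` input earlier in this file does. The second copy at `@@ -906` targets only the `AVAILABILITY_ZONES` environment variable and no parameter file, which may be intentional for that starter but is not explained anywhere visible.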
From: Zach Trocinski
Date: Thu, 18 Jul 2024 11:01:01 -0500
Subject: [PATCH 33/33] Fix incorrect link and misspelling
---
 README.md | 2 +-
 docs/wiki/Accelerator.md | 2 +-
 infra-as-code/bicep/modules/README.md | 1 -
 3 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index ee937cf37..4f145153d 100644
--- a/README.md
+++ b/README.md
@@ -116,7 +116,7 @@ For support on the artifacts contained in this repository, please refer to [this
 [wiki_resiliency]: https://github.com/Azure/ALZ-Bicep/wiki/Resiliency "Wiki - Resiliency"
 [wiki_contributing]: https://github.com/Azure/ALZ-Bicep/wiki/Contributing "Wiki - Contributing"
 [wiki_accelerator]: "Wiki - Accelerator"
-[wiki_amba]: "Wiki - AMBA"
+[wiki_amba]: "Wiki - AMBA"
 [wiki_faq]: "Wiki - FAQs"
 [wiki_cuaid]: "Wiki - Telemetry Usage ID"
 [wiki_acrdeploy]: "Wiki - Private Bicep Registry"
diff --git a/docs/wiki/Accelerator.md b/docs/wiki/Accelerator.md
index d8ed29bb3..73327755a 100644
--- a/docs/wiki/Accelerator.md
+++ b/docs/wiki/Accelerator.md
@@ -227,7 +227,7 @@ The ALZ-Bicep repository regularly releases new [versions](https://github.com/Az
 With the ALZ Accelerator framework, we have designed the pipelines and directory structure to make it easy to upgrade to the latest ALZ Bicep version. The following steps will guide you through the upgrade process.
-1. Prior to upgrading, read the release note:s for the version you are upgrading to. The release note:s will provide you with information on any breaking changes that may impact your deployment. This is especially important if you have created any custom modules or have [modified any of the ALZ Bicep modules](#incorporating-modified-alz-modules) that may have dependencies on the modules that are being upgraded.
+1. Prior to upgrading, read the release notes for the version you are upgrading to. The release notes will provide you with information on any breaking changes that may impact your deployment. This is especially important if you have created any custom modules or have [modified any of the ALZ Bicep modules](#incorporating-modified-alz-modules) that may have dependencies on the modules that are being upgraded.
 1. Using the ALZ PowerShell Module, you can update to the latest or a specified version. You must specifiy the same IaC, Bootstrap and Output directory that you used when you initially deployed the ALZ Bicep Accelerator.
diff --git a/infra-as-code/bicep/modules/README.md b/infra-as-code/bicep/modules/README.md
index d252a94af..c1d5bf847 100644
--- a/infra-as-code/bicep/modules/README.md
+++ b/infra-as-code/bicep/modules/README.md
@@ -12,7 +12,6 @@ To get started with ALZ Bicep, please refer to the [Deployment Flow wiki page][w
 2. High-level deployment flow.
 3. Links to more detailed instructions on individual modules.
-
 [//]: # (************************)
 [//]: # (INSERT LINK LABELS BELOW)
 [//]: # (************************)