From 68e18a99f7442f123e2cdde80e2637cffa64bdf0 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Fri, 4 Mar 2022 13:49:55 +0100
Subject: [PATCH 01/24] Establishing the LB for internal LB
---
 .../loadBalancers/deploy.bicep | 52 +++++++++----------
 1 file changed, 24 insertions(+), 28 deletions(-)

diff --git a/arm/Microsoft.Network/loadBalancers/deploy.bicep b/arm/Microsoft.Network/loadBalancers/deploy.bicep
index fce86c4573..23aedd0cc5 100644
--- a/arm/Microsoft.Network/loadBalancers/deploy.bicep
+++ b/arm/Microsoft.Network/loadBalancers/deploy.bicep
@@ -64,24 +64,17 @@ param inboundNatRules array = []
 @description('Optional. The outbound rules.')
 param outboundRules array = []
 
-var frontendsSubnets = [for item in frontendIPConfigurations: {
-  id: item.subnetId
-}]
-var frontendsPublicIPAddresses = [for item in frontendIPConfigurations: {
-  id: item.publicIPAddressId
-}]
-var frontendsObj = {
-  subnets: frontendsSubnets
-  publicIPAddresses: frontendsPublicIPAddresses
-}
-
 var frontendIPConfigurations_var = [for (frontendIPConfiguration, index) in frontendIPConfigurations: {
   name: frontendIPConfiguration.name
   properties: {
-    subnet: !empty(frontendIPConfiguration.subnetId) ? frontendsObj.subnets[index] : null
-    publicIPAddress: !empty(frontendIPConfiguration.publicIPAddressId) ? frontendsObj.publicIPAddresses[index] : null
-    privateIPAddress: !empty(frontendIPConfiguration.privateIPAddress) ? frontendIPConfiguration.privateIPAddress : null
-    privateIPAllocationMethod: !empty(frontendIPConfiguration.subnetId) ? (empty(frontendIPConfiguration.privateIPAddress) ? 'Dynamic' : 'Static') : null
+    subnet: contains(frontendIPConfiguration, 'subnetId') ? {
+      id: frontendIPConfiguration.subnetId
+    } : null
+    publicIPAddress: contains(frontendIPConfiguration, 'publicIPAddressId') ? {
+      id: frontendIPConfiguration.publicIPAddressId
+    } : null
+    privateIPAddress: contains(frontendIPConfiguration, 'privateIPAddress') ? frontendIPConfiguration.privateIPAddress : null
+    privateIPAllocationMethod: contains(frontendIPConfiguration, 'subnetId') ? (contains(frontendIPConfiguration, 'privateIPAddress') ? 'Static' : 'Dynamic') : null
   }
 }]
 
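Review bot: `contains(frontendIPConfiguration, 'subnetId')` only tests that the key exists, so a frontend that passes `"subnetId": ""` — which the repository's own parameter files did until PATCH 04 and PATCH 11 strip those keys — now yields `subnet: { id: '' }` and `privateIPAllocationMethod: 'Dynamic'` where the removed `!empty()` checks produced `null`. Keep the emptiness test next to the key check, e.g. `subnet: contains(frontendIPConfiguration, 'subnetId') && !empty(frontendIPConfiguration.subnetId) ? { id: frontendIPConfiguration.subnetId } : null`, and apply the same shape to `publicIPAddress`, `privateIPAddress` and both branches of `privateIPAllocationMethod`. PATCH 05 and PATCH 10 later in this series add most of these guards back, so squashing them into this commit would avoid publishing the intermediate state that breaks existing callers.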
@@ -130,7 +123,7 @@ var probes_var = [for probe in probes: {
   name: probe.name
   properties: {
     protocol: contains(probe, 'protocol') ? probe.protocol : 'Tcp'
-    requestPath: (contains(probe, 'protocol') && toLower(probe.protocol) == 'tcp') ? null : probe.requestPath
+    requestPath: toLower(probe.protocol) != 'tcp' ? probe.requestPath : null
     port: contains(probe, 'port') ? probe.port : 80
     intervalInSeconds: contains(probe, 'intervalInSeconds') ? probe.intervalInSeconds : 5
     numberOfProbes: contains(probe, 'numberOfProbes') ? probe.numberOfProbes : 2
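Review bot: The new `requestPath` line reads `probe.protocol` unconditionally, while the line directly above defaults `protocol` to `'Tcp'` when the key is absent; a probe object without `protocol` therefore fails at deployment on the property access instead of getting a TCP probe with no request path. Keep the key check and invert only the comparison, `requestPath: (contains(probe, 'protocol') && toLower(probe.protocol) != 'tcp') ? probe.requestPath : null`, which also stops reading `probe.requestPath` for the defaulted-TCP case that the old line got wrong. The `probes_var` expression starts before this hunk.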
@@ -176,15 +169,15 @@ resource loadBalancer 'Microsoft.Network/loadBalancers@2021-05-01' = { } } -module loadBalancer_backendAddressPools 'backendAddressPools/deploy.bicep' = [for (backendAddressPool, index) in backendAddressPools: { - name: '${uniqueString(deployment().name, location)}-LoadBalancer-backendAddressPools-${index}' - params: { - loadBalancerName: loadBalancer.name - name: backendAddressPool.name - loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') ? backendAddressPool.loadBalancerBackendAddresses : [] - tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') ? backendAddressPool.tunnelInterfaces : [] - } -}] +// module loadBalancer_backendAddressPools 'backendAddressPools/deploy.bicep' = [for (backendAddressPool, index) in backendAddressPools: { +// name: '${uniqueString(deployment().name, location)}-LoadBalancer-backendAddressPools-${index}' +// params: { +// loadBalancerName: loadBalancer.name +// name: backendAddressPool.name +// loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') ? backendAddressPool.loadBalancerBackendAddresses : [] +// tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') ? backendAddressPool.tunnelInterfaces : [] +// } +// }] module loadBalancer_inboundNATRules 'inboundNatRules/deploy.bicep' = [for (inboundNATRule, index) in inboundNatRules: { name: '${uniqueString(deployment().name, location)}-LoadBalancer-inboundNatRules-${index}' 
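Review bot: The backendAddressPools module is commented out rather than deleted, and the matching `dependsOn` in the next hunk is commented the same way; commented-out resources in a published module read as intent and drift from the live code, and git history already preserves the block. PATCH 02, PATCH 06 and PATCH 07 in this series toggle the same block off and on again, so the series would be clearer if those test commits were squashed and only the final form (module active, `dependsOn` active) were kept. If the child deployment is meant to stay disabled, remove the block and state why in a one-line `//` comment at the resource instead.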
@@ -202,9 +195,9 @@ module loadBalancer_inboundNATRules 'inboundNatRules/deploy.bicep' = [for (inbou idleTimeoutInMinutes: contains(inboundNATRule, 'idleTimeoutInMinutes') ? inboundNATRule.idleTimeoutInMinutes : 4 protocol: contains(inboundNATRule, 'protocol') ? inboundNATRule.protocol : 'Tcp' } - dependsOn: [ - loadBalancer_backendAddressPools - ] +// dependsOn: [ +// loadBalancer_backendAddressPools +// ] }] resource loadBalancer_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { @@ -245,3 +238,6 @@ output resourceId string = loadBalancer.id @description('The resource group the load balancer was deployed into') output resourceGroupName string = resourceGroup().name + +@description('The backend address pools available in the load balancer.') +output backendpools array = loadBalancer.properties.backendAddressPools From 43f8abbfc0fb844a7254eb841293974ef638a7f5 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 19:39:48 +0100 Subject: [PATCH 02/24] Test loadbalancer update --- .../ms.network.loadbalancers.yml | 1 + .../workflows/ms.network.loadbalancers.yml | 2 +- .../.parameters/internal.parameters.json | 126 ++++++++++++++++++ .../backendAddressPools/deploy.bicep | 4 +- .../loadBalancers/deploy.bicep | 25 ++-- 5 files changed, 142 insertions(+), 16 deletions(-) create mode 100644 arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json diff --git a/.azuredevops/modulePipelines/ms.network.loadbalancers.yml b/.azuredevops/modulePipelines/ms.network.loadbalancers.yml index bc5150aee2..27403cb51f 100644 --- a/.azuredevops/modulePipelines/ms.network.loadbalancers.yml +++ b/.azuredevops/modulePipelines/ms.network.loadbalancers.yml @@ -44,6 +44,7 @@ stages: deploymentBlocks: - path: $(modulePath)/.parameters/parameters.json - path: $(modulePath)/.parameters/min.parameters.json + - path: $(modulePath)/.parameters/internal.parameters.json - stage: Publishing displayName: Publish module 
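Review bot: The new output `backendpools` breaks the camelCase convention of its siblings (`resourceGroupName`, `resourceId`), and the readme row added in PATCH 03 inherits the same name, so rename it before it is published, e.g. `output backendAddressPools array = loadBalancer.properties.backendAddressPools` — check first that Bicep accepts an output sharing the name of the `backendAddressPools` parameter, otherwise `backendAddressPoolsResourceIds` with a projection to `.id` is the safer shape. Note that the output as written returns the full pool objects, including any `loadBalancerBackendAddresses`, into the deployment record, which is readable by anyone with read access on the deployment; if callers only need to reference pools, exposing names or resource IDs is the narrower contract.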
diff --git a/.github/workflows/ms.network.loadbalancers.yml b/.github/workflows/ms.network.loadbalancers.yml index 206b77a828..873d857b58 100644 --- a/.github/workflows/ms.network.loadbalancers.yml +++ b/.github/workflows/ms.network.loadbalancers.yml @@ -81,7 +81,7 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: ['min.parameters.json', 'parameters.json'] + parameterFilePaths: ['min.parameters.json', 'parameters.json', 'internal.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 diff --git a/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json b/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json new file mode 100644 index 0000000000..e44419e92b --- /dev/null +++ b/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json 
@@ -0,0 +1,126 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "<>-az-lb-x-002" + }, + "loadBalancerSku": { + "value": "Standard" + }, + "frontendIPConfigurations": { + "value": [ + { + "name": "privateIPConfig1", + "subnetId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001" + } + ] + }, + "backendAddressPools": { + "value": [ + { + "name": "servers" + } + ] + }, + "probes": { + "value": [ + { + "name": "probe1", + "protocol": "Tcp", + "port": "62000", + "intervalInSeconds": 5, + "numberOfProbes": 2 + }, + { + "name": "probe2", + "protocol": "Https", + "port": 443, + "requestPath": "/" + } + ] + }, + "loadBalancingRules": { + "value": [ + { + "name": "privateIPLBRule1", + "frontendIPConfigurationName": "privateIPConfig1", + "frontendPort": 0, + "backendPort": 0, + "enableFloatingIP": true, + "idleTimeoutInMinutes": 4, + "protocol": "All", + "loadDistribution": "Default", + "probeName": "probe1", + "disableOutboundSnat": true, + "enableTcpReset": false, + "backendAddressPoolName": "servers" + }, + { + "name": "privateIPLBRule2", + "frontendIPConfigurationName": "privateIPConfig1", + "frontendPort": 443, + "backendPort": 443, + "loadDistribution": "Default", + "probeName": "probe2", + "backendAddressPoolName": "servers" + } + ] + }, + "inboundNatRules": { + "value": [ + { + "name": "inboundNatRule1", + "frontendIPConfigurationName": "privateIPConfig1", + "frontendPort": 443, + "backendPort": 443, + "enableFloatingIP": false, + "idleTimeoutInMinutes": 4, + "protocol": "Tcp", + "enableTcpReset": false + }, + { + "name": "inboundNatRule2", + "frontendIPConfigurationName": "privateIPConfig1", + "frontendPort": 3389, + "backendPort": 3389 + } + ] + }, + "outboundRules": { + "value": [ + { + "name": "outboundRule1", + "frontendIPConfigurationName": 
"privateIPConfig1", + "backendAddressPoolName": "servers", + "allocatedOutboundPorts": 63984 + } + ] + }, + "roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "<>" + ] + } + ] + }, + "diagnosticLogsRetentionInDays": { + "value": 7 + }, + "diagnosticStorageAccountId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001" + }, + "diagnosticWorkspaceId": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001" + }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" + }, + "diagnosticEventHubName": { + "value": "adp-<>-az-evh-x-001" + } + } +} diff --git a/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep b/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep index 85b118de6b..95a6d95b0f 100644 --- a/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep +++ b/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep @@ -25,8 +25,8 @@ resource loadBalancer 'Microsoft.Network/loadBalancers@2021-05-01' existing = { resource backendAddressPool 'Microsoft.Network/loadBalancers/backendAddressPools@2021-05-01' = { name: name properties: { - loadBalancerBackendAddresses: loadBalancerBackendAddresses - tunnelInterfaces: tunnelInterfaces + loadBalancerBackendAddresses: !empty(loadBalancerBackendAddresses) ? loadBalancerBackendAddresses : null + tunnelInterfaces: !empty(tunnelInterfaces) ? tunnelInterfaces : null } parent: loadBalancer } diff --git a/arm/Microsoft.Network/loadBalancers/deploy.bicep b/arm/Microsoft.Network/loadBalancers/deploy.bicep index 23aedd0cc5..fdf3133b27 100644 --- a/arm/Microsoft.Network/loadBalancers/deploy.bicep 
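Review bot: `outboundRules` is bound to `privateIPConfig1`, which has only a `subnetId` and no public IP; as far as I know Azure only accepts outbound rules on frontends backed by a public IP or prefix, so this fixture is likely to be rejected at deployment — PATCH 12 in this series deletes the block again, which points the same way. Separately, `probe1` passes `"port": "62000"` as a string while `probe2` and every rule use numeric ports; make it `"port": 62000` so the module does not rely on implicit coercion by the provider.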
+++ b/arm/Microsoft.Network/loadBalancers/deploy.bicep @@ -162,22 +162,21 @@ resource loadBalancer 'Microsoft.Network/loadBalancers@2021-05-01' = { } properties: { frontendIPConfigurations: frontendIPConfigurations_var - backendAddressPools: backendAddressPools loadBalancingRules: loadBalancingRules_var outboundRules: outboundRules_var probes: probes_var } } -// module loadBalancer_backendAddressPools 'backendAddressPools/deploy.bicep' = [for (backendAddressPool, index) in backendAddressPools: { -// name: '${uniqueString(deployment().name, location)}-LoadBalancer-backendAddressPools-${index}' -// params: { -// loadBalancerName: loadBalancer.name -// name: backendAddressPool.name -// loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') ? backendAddressPool.loadBalancerBackendAddresses : [] -// tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') ? backendAddressPool.tunnelInterfaces : [] -// } -// }] +module loadBalancer_backendAddressPools 'backendAddressPools/deploy.bicep' = [for (backendAddressPool, index) in backendAddressPools: { + name: '${uniqueString(deployment().name, location)}-loadBalancer-backendAddressPools-${index}' + params: { + loadBalancerName: loadBalancer.name + name: backendAddressPool.name + tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') && !empty(backendAddressPool.tunnelInterfaces) ? backendAddressPool.tunnelInterfaces : [] + loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') && !empty(backendAddressPool.loadBalancerBackendAddresses) ? backendAddressPool.loadBalancerBackendAddresses : [] + } +}] module loadBalancer_inboundNATRules 'inboundNatRules/deploy.bicep' = [for (inboundNATRule, index) in inboundNatRules: { name: '${uniqueString(deployment().name, location)}-LoadBalancer-inboundNatRules-${index}' 
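Review bot: Removing `backendAddressPools` from the parent resource's `properties` while `loadBalancingRules_var` (built earlier in the file, outside this hunk) presumably references pools by resource ID means the parent PUT is validated against a load balancer that declares no pools; I would expect the rules to be rejected or existing pools to be dropped on redeploy, and PATCH 06 indeed restores the line before PATCH 08 narrows it to a names-only list. The deployment name also changed to `-loadBalancer-backendAddressPools-` while the inboundNatRules module below keeps `-LoadBalancer-inboundNatRules-`; pick one casing, e.g. `name: '${uniqueString(deployment().name, location)}-LoadBalancer-backendAddressPools-${index}'`.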
@@ -195,9 +194,9 @@ module loadBalancer_inboundNATRules 'inboundNatRules/deploy.bicep' = [for (inbou idleTimeoutInMinutes: contains(inboundNATRule, 'idleTimeoutInMinutes') ? inboundNATRule.idleTimeoutInMinutes : 4 protocol: contains(inboundNATRule, 'protocol') ? inboundNATRule.protocol : 'Tcp' } -// dependsOn: [ -// loadBalancer_backendAddressPools -// ] + dependsOn: [ + loadBalancer_backendAddressPools + ] }] resource loadBalancer_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { From b18c0f57056a75e0f733af3cf89a3aa2849865df Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 19:49:47 +0100 Subject: [PATCH 03/24] Update readme --- arm/Microsoft.Network/loadBalancers/readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/arm/Microsoft.Network/loadBalancers/readme.md b/arm/Microsoft.Network/loadBalancers/readme.md index 462bf1d2dc..5261b6180b 100644 --- a/arm/Microsoft.Network/loadBalancers/readme.md +++ b/arm/Microsoft.Network/loadBalancers/readme.md @@ -210,6 +210,7 @@ Tag names and tag values can be provided as needed. A tag can be left without a | Output Name | Type | Description | | :-- | :-- | :-- | +| `backendpools` | array | The backend address pools available in the load balancer. | | `name` | string | The name of the load balancer | | `resourceGroupName` | string | The resource group the load balancer was deployed into | | `resourceId` | string | The resource ID of the load balancer | From 990a36ee36097ce243f4dd63456b6169a0d9f710 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 20:25:09 +0100 Subject: [PATCH 04/24] Test --- .../loadBalancers/.parameters/min.parameters.json | 4 +--- arm/Microsoft.Network/loadBalancers/deploy.bicep | 7 +++++++ 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.Network/loadBalancers/.parameters/min.parameters.json b/arm/Microsoft.Network/loadBalancers/.parameters/min.parameters.json index dac87cc927..695027dc9f 100644 
--- a/arm/Microsoft.Network/loadBalancers/.parameters/min.parameters.json +++ b/arm/Microsoft.Network/loadBalancers/.parameters/min.parameters.json @@ -9,9 +9,7 @@ "value": [ { "name": "publicIPConfig1", - "publicIPAddressId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-min-lb", - "subnetId": "", - "privateIPAddress": "" + "publicIPAddressId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-min-lb" } ] } diff --git a/arm/Microsoft.Network/loadBalancers/deploy.bicep b/arm/Microsoft.Network/loadBalancers/deploy.bicep index fdf3133b27..3f87f09b40 100644 --- a/arm/Microsoft.Network/loadBalancers/deploy.bicep +++ b/arm/Microsoft.Network/loadBalancers/deploy.bicep @@ -74,7 +74,14 @@ var frontendIPConfigurations_var = [for (frontendIPConfiguration, index) in fron id: frontendIPConfiguration.publicIPAddressId } : null privateIPAddress: contains(frontendIPConfiguration, 'privateIPAddress') ? frontendIPConfiguration.privateIPAddress : null + privateIPAddressVersion: contains(frontendIPConfiguration, 'privateIPAddressVersion') ? frontendIPConfiguration.privateIPAddressVersion : 'IPv4' privateIPAllocationMethod: contains(frontendIPConfiguration, 'subnetId') ? (contains(frontendIPConfiguration, 'privateIPAddress') ? 'Static' : 'Dynamic') : null + gatewayLoadBalancer: contains(frontendIPConfiguration, 'gatewayLoadBalancer') ? { + id: frontendIPConfiguration.gatewayLoadBalancer + } : null + publicIPPrefix: contains(frontendIPConfiguration, 'publicIPPrefix') ? { + id: frontendIPConfiguration.publicIPPrefix + } : null } }] From e3dac30c5af7007f016077b3443c8a58d5c45b71 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 20:38:07 +0100 Subject: [PATCH 05/24] Test with && !empty() --- arm/Microsoft.Network/loadBalancers/deploy.bicep | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
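Review bot: The three new frontend keys (`privateIPAddressVersion`, `gatewayLoadBalancer`, `publicIPPrefix`) are not documented anywhere in this series — the readme change in PATCH 03 only adds the output row — so a consumer of `frontendIPConfigurations` cannot discover them; add a row per key to the parameter table in readme.md, e.g. "`privateIPAddressVersion` | string | Optional. Defaults to `IPv4`." The two new `contains()`-only checks have the same empty-string gap as the lines above them; PATCH 05 adds the `!empty()` guard, so folding that in here keeps this commit self-consistent.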
diff --git a/arm/Microsoft.Network/loadBalancers/deploy.bicep b/arm/Microsoft.Network/loadBalancers/deploy.bicep
index 3f87f09b40..188e52a9e2 100644
--- a/arm/Microsoft.Network/loadBalancers/deploy.bicep
+++ b/arm/Microsoft.Network/loadBalancers/deploy.bicep
@@ -67,19 +67,19 @@ param outboundRules array = []
 var frontendIPConfigurations_var = [for (frontendIPConfiguration, index) in frontendIPConfigurations: {
   name: frontendIPConfiguration.name
   properties: {
-    subnet: contains(frontendIPConfiguration, 'subnetId') ? {
+    subnet: contains(frontendIPConfiguration, 'subnetId') && !empty(frontendIPConfiguration.subnetId) ? {
       id: frontendIPConfiguration.subnetId
     } : null
-    publicIPAddress: contains(frontendIPConfiguration, 'publicIPAddressId') ? {
+    publicIPAddress: contains(frontendIPConfiguration, 'publicIPAddressId') && !empty(frontendIPConfiguration.publicIPAddressId) ? {
       id: frontendIPConfiguration.publicIPAddressId
     } : null
-    privateIPAddress: contains(frontendIPConfiguration, 'privateIPAddress') ? frontendIPConfiguration.privateIPAddress : null
+    privateIPAddress: contains(frontendIPConfiguration, 'privateIPAddress') && !empty(frontendIPConfiguration.privateIPAddress) ? frontendIPConfiguration.privateIPAddress : null
     privateIPAddressVersion: contains(frontendIPConfiguration, 'privateIPAddressVersion') ? frontendIPConfiguration.privateIPAddressVersion : 'IPv4'
     privateIPAllocationMethod: contains(frontendIPConfiguration, 'subnetId') ? (contains(frontendIPConfiguration, 'privateIPAddress') ? 'Static' : 'Dynamic') : null
-    gatewayLoadBalancer: contains(frontendIPConfiguration, 'gatewayLoadBalancer') ? {
+    gatewayLoadBalancer: contains(frontendIPConfiguration, 'gatewayLoadBalancer') && !empty(frontendIPConfiguration.gatewayLoadBalancer) ? {
       id: frontendIPConfiguration.gatewayLoadBalancer
     } : null
-    publicIPPrefix: contains(frontendIPConfiguration, 'publicIPPrefix') ? {
+    publicIPPrefix: contains(frontendIPConfiguration, 'publicIPPrefix') && !empty(frontendIPConfiguration.publicIPPrefix) ? {
       id: frontendIPConfiguration.publicIPPrefix
     } : null
   }
From 6fe046a5ce00a91a62797d1c644a3256f0f849ff Mon Sep 17 00:00:00 2001
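Review bot: `privateIPAllocationMethod` is the one line in this block left on key-presence checks, so a frontend with a real `subnetId` and `"privateIPAddress": ""` now gets `privateIPAddress: null` (the line above) together with `privateIPAllocationMethod: 'Static'`, a combination the provider will most likely reject. PATCH 10 (the `@@ -75,7 +75,7 @@` hunk later in this series) adds the `!empty()` guard for `subnetId` but still not for `privateIPAddress`; the consistent line is `privateIPAllocationMethod: contains(frontendIPConfiguration, 'subnetId') && !empty(frontendIPConfiguration.subnetId) ? (contains(frontendIPConfiguration, 'privateIPAddress') && !empty(frontendIPConfiguration.privateIPAddress) ? 'Static' : 'Dynamic') : null`.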
From: Marius Storhaug
Date: Sat, 5 Mar 2022 21:01:48 +0100
Subject: [PATCH 06/24] test deployment without backend child
---
 .../loadBalancers/deploy.bicep | 25 ++++++++++---------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/arm/Microsoft.Network/loadBalancers/deploy.bicep b/arm/Microsoft.Network/loadBalancers/deploy.bicep
index 188e52a9e2..a0fcf2233d 100644
--- a/arm/Microsoft.Network/loadBalancers/deploy.bicep
+++ b/arm/Microsoft.Network/loadBalancers/deploy.bicep
@@ -170,20 +170,21 @@ resource loadBalancer 'Microsoft.Network/loadBalancers@2021-05-01' = {
   properties: {
     frontendIPConfigurations: frontendIPConfigurations_var
     loadBalancingRules: loadBalancingRules_var
+    backendAddressPools: backendAddressPools
     outboundRules: outboundRules_var
     probes: probes_var
   }
 }
 
-module loadBalancer_backendAddressPools 'backendAddressPools/deploy.bicep' = [for (backendAddressPool, index) in backendAddressPools: {
-  name: '${uniqueString(deployment().name, location)}-loadBalancer-backendAddressPools-${index}'
-  params: {
-    loadBalancerName: loadBalancer.name
-    name: backendAddressPool.name
-    tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') && !empty(backendAddressPool.tunnelInterfaces) ? backendAddressPool.tunnelInterfaces : []
-    loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') && !empty(backendAddressPool.loadBalancerBackendAddresses) ? backendAddressPool.loadBalancerBackendAddresses : []
-  }
-}]
+// module loadBalancer_backendAddressPools 'backendAddressPools/deploy.bicep' = [for (backendAddressPool, index) in backendAddressPools: {
+//   name: '${uniqueString(deployment().name, location)}-loadBalancer-backendAddressPools-${index}'
+//   params: {
+//     loadBalancerName: loadBalancer.name
+//     name: backendAddressPool.name
+//     tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') && !empty(backendAddressPool.tunnelInterfaces) ? backendAddressPool.tunnelInterfaces : []
+//     loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') && !empty(backendAddressPool.loadBalancerBackendAddresses) ? backendAddressPool.loadBalancerBackendAddresses : []
+//   }
+// }]
 
 module loadBalancer_inboundNATRules 'inboundNatRules/deploy.bicep' = [for (inboundNATRule, index) in inboundNatRules: {
   name: '${uniqueString(deployment().name, location)}-LoadBalancer-inboundNatRules-${index}'
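Review bot: `backendAddressPools: backendAddressPools` hands the raw parameter objects to the resource, but those objects carry `tunnelInterfaces` and `loadBalancerBackendAddresses` at the top level (the module lines being commented out read them from there), whereas the resource expects them under `properties`; the provider will either ignore or reject those keys, so the pools deploy without their addresses. PATCH 08 replaces this with a names-only projection, which is the shape that should land here directly rather than after two more toggle commits. The `loadBalancer` resource begins before this hunk.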
@@ -201,9 +202,9 @@ module loadBalancer_inboundNATRules 'inboundNatRules/deploy.bicep' = [for (inbou idleTimeoutInMinutes: contains(inboundNATRule, 'idleTimeoutInMinutes') ? inboundNATRule.idleTimeoutInMinutes : 4 protocol: contains(inboundNATRule, 'protocol') ? inboundNATRule.protocol : 'Tcp' } - dependsOn: [ - loadBalancer_backendAddressPools - ] + // dependsOn: [ + // loadBalancer_backendAddressPools + // ] }] resource loadBalancer_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { From d4152ad7615be1d7c7dba59dccb4918374379659 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 21:03:04 +0100 Subject: [PATCH 07/24] Update with using backend child --- .../loadBalancers/deploy.bicep | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/arm/Microsoft.Network/loadBalancers/deploy.bicep b/arm/Microsoft.Network/loadBalancers/deploy.bicep index a0fcf2233d..777c2c7a69 100644 --- a/arm/Microsoft.Network/loadBalancers/deploy.bicep +++ b/arm/Microsoft.Network/loadBalancers/deploy.bicep 
@@ -176,15 +176,15 @@ resource loadBalancer 'Microsoft.Network/loadBalancers@2021-05-01' = {
   }
 }
 
-// module loadBalancer_backendAddressPools 'backendAddressPools/deploy.bicep' = [for (backendAddressPool, index) in backendAddressPools: {
-//   name: '${uniqueString(deployment().name, location)}-loadBalancer-backendAddressPools-${index}'
-//   params: {
-//     loadBalancerName: loadBalancer.name
-//     name: backendAddressPool.name
-//     tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') && !empty(backendAddressPool.tunnelInterfaces) ? backendAddressPool.tunnelInterfaces : []
-//     loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') && !empty(backendAddressPool.loadBalancerBackendAddresses) ? backendAddressPool.loadBalancerBackendAddresses : []
-//   }
-// }]
+module loadBalancer_backendAddressPools 'backendAddressPools/deploy.bicep' = [for (backendAddressPool, index) in backendAddressPools: {
+  name: '${uniqueString(deployment().name, location)}-loadBalancer-backendAddressPools-${index}'
+  params: {
+    loadBalancerName: loadBalancer.name
+    name: backendAddressPool.name
+    tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') && !empty(backendAddressPool.tunnelInterfaces) ? backendAddressPool.tunnelInterfaces : null
+    loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') && !empty(backendAddressPool.loadBalancerBackendAddresses) ? backendAddressPool.loadBalancerBackendAddresses : null
+  }
+}]
 
 module loadBalancer_inboundNATRules 'inboundNatRules/deploy.bicep' = [for (inboundNATRule, index) in inboundNatRules: {
   name: '${uniqueString(deployment().name, location)}-LoadBalancer-inboundNatRules-${index}'
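Review bot: The fallback for `tunnelInterfaces` and `loadBalancerBackendAddresses` changed from `[]` to `null`; the child module's parameter declarations are not in this hunk, but if they are typed `array` (their earlier defaults of `[]` suggest so) a `null` argument fails parameter validation, and PATCH 08 and PATCH 09 switch both back to `[]` for what looks like that reason. Keeping `: []` here, i.e. `tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') && !empty(backendAddressPool.tunnelInterfaces) ? backendAddressPool.tunnelInterfaces : []`, avoids the two follow-up fixes.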
@@ -202,9 +202,9 @@ module loadBalancer_inboundNATRules 'inboundNatRules/deploy.bicep' = [for (inbou idleTimeoutInMinutes: contains(inboundNATRule, 'idleTimeoutInMinutes') ? inboundNATRule.idleTimeoutInMinutes : 4 protocol: contains(inboundNATRule, 'protocol') ? inboundNATRule.protocol : 'Tcp' } - // dependsOn: [ - // loadBalancer_backendAddressPools - // ] + dependsOn: [ + loadBalancer_backendAddressPools + ] }] resource loadBalancer_lock 'Microsoft.Authorization/locks@2017-04-01' = if (lock != 'NotSpecified') { From ea0ea209fb13933d4398299de7481191ddcc79c9 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 21:23:09 +0100 Subject: [PATCH 08/24] Fix for tunnelInterface --- .../loadBalancers/backendAddressPools/deploy.bicep | 2 +- arm/Microsoft.Network/loadBalancers/deploy.bicep | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep b/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep index 95a6d95b0f..799fbf2464 100644 --- a/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep +++ b/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep @@ -26,7 +26,7 @@ resource backendAddressPool 'Microsoft.Network/loadBalancers/backendAddressPools name: name properties: { loadBalancerBackendAddresses: !empty(loadBalancerBackendAddresses) ? loadBalancerBackendAddresses : null - tunnelInterfaces: !empty(tunnelInterfaces) ? tunnelInterfaces : null + tunnelInterfaces: !empty(tunnelInterfaces) ? tunnelInterfaces : [] } parent: loadBalancer } diff --git a/arm/Microsoft.Network/loadBalancers/deploy.bicep b/arm/Microsoft.Network/loadBalancers/deploy.bicep index 777c2c7a69..693d82eab8 100644 --- a/arm/Microsoft.Network/loadBalancers/deploy.bicep +++ b/arm/Microsoft.Network/loadBalancers/deploy.bicep 
@@ -137,6 +137,10 @@ var probes_var = [for probe in probes: {
   }
 }]
 
+var backendAddressPoolNames = [for backendAddressPool in backendAddressPools: {
+  name: backendAddressPool.name
+}]
+
 @description('Optional. The name of metrics that will be streamed.')
 @allowed([
   'AllMetrics'
@@ -170,7 +174,7 @@ resource loadBalancer 'Microsoft.Network/loadBalancers@2021-05-01' = {
   properties: {
     frontendIPConfigurations: frontendIPConfigurations_var
     loadBalancingRules: loadBalancingRules_var
-    backendAddressPools: backendAddressPools
+    backendAddressPools: backendAddressPoolNames
     outboundRules: outboundRules_var
     probes: probes_var
   }
@@ -181,7 +185,7 @@ module loadBalancer_backendAddressPools 'backendAddressPools/deploy.bicep' = [fo
   params: {
     loadBalancerName: loadBalancer.name
     name: backendAddressPool.name
-    tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') && !empty(backendAddressPool.tunnelInterfaces) ? backendAddressPool.tunnelInterfaces : null
+    tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') && !empty(backendAddressPool.tunnelInterfaces) ? backendAddressPool.tunnelInterfaces : []
     loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') && !empty(backendAddressPool.loadBalancerBackendAddresses) ? backendAddressPool.loadBalancerBackendAddresses : null
   }
 }]
From 81dfeef83481e29767003d28bfae59dea728c605 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 5 Mar 2022 21:31:11 +0100
Subject: [PATCH 09/24] Fix backendAddressPool.loadBalancerBackendAddresses
---
 .../loadBalancers/backendAddressPools/deploy.bicep | 2 +-
 arm/Microsoft.Network/loadBalancers/deploy.bicep | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep b/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep
index 799fbf2464..9b70dde338 100644
--- a/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep
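Review bot: `backendAddressPoolNames` breaks the `_var` suffix convention used for every other derived list in this file (`probes_var`, `frontendIPConfigurations_var`, `loadBalancingRules_var`, `outboundRules_var`); rename it `backendAddressPools_var` and reference it the same way in the resource. The design it introduces — the parent declares each pool by name only and the child module then writes the addresses — means every redeploy PUTs the pools without `loadBalancerBackendAddresses` before the child module restores them, so the pools are briefly empty on each run; that is probably acceptable for this module, but it deserves a one-line `//` comment above the variable so the next maintainer does not "simplify" it back to passing the full objects. The `@allowed` list and the `loadBalancer` resource continue outside these hunks.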
+++ b/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep @@ -25,7 +25,7 @@ resource loadBalancer 'Microsoft.Network/loadBalancers@2021-05-01' existing = { resource backendAddressPool 'Microsoft.Network/loadBalancers/backendAddressPools@2021-05-01' = { name: name properties: { - loadBalancerBackendAddresses: !empty(loadBalancerBackendAddresses) ? loadBalancerBackendAddresses : null + loadBalancerBackendAddresses: !empty(loadBalancerBackendAddresses) ? loadBalancerBackendAddresses : [] tunnelInterfaces: !empty(tunnelInterfaces) ? tunnelInterfaces : [] } parent: loadBalancer diff --git a/arm/Microsoft.Network/loadBalancers/deploy.bicep b/arm/Microsoft.Network/loadBalancers/deploy.bicep index 693d82eab8..709b36aaef 100644 --- a/arm/Microsoft.Network/loadBalancers/deploy.bicep +++ b/arm/Microsoft.Network/loadBalancers/deploy.bicep @@ -186,7 +186,7 @@ module loadBalancer_backendAddressPools 'backendAddressPools/deploy.bicep' = [fo loadBalancerName: loadBalancer.name name: backendAddressPool.name tunnelInterfaces: contains(backendAddressPool, 'tunnelInterfaces') && !empty(backendAddressPool.tunnelInterfaces) ? backendAddressPool.tunnelInterfaces : [] - loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') && !empty(backendAddressPool.loadBalancerBackendAddresses) ? backendAddressPool.loadBalancerBackendAddresses : null + loadBalancerBackendAddresses: contains(backendAddressPool, 'loadBalancerBackendAddresses') && !empty(backendAddressPool.loadBalancerBackendAddresses) ? backendAddressPool.loadBalancerBackendAddresses : [] } }] From 34d0315d4ec49c90ab7d0307aeff9aa178714688 Mon Sep 17 00:00:00 2001 From: Marius Storhaug Date: Sat, 5 Mar 2022 21:40:59 +0100 Subject: [PATCH 10/24] fix privateIPAllocationMethod when subnet is blank --- .../loadBalancers/backendAddressPools/deploy.bicep | 4 ++-- arm/Microsoft.Network/loadBalancers/deploy.bicep | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep b/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep index 9b70dde338..85b118de6b 100644 --- a/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep +++ b/arm/Microsoft.Network/loadBalancers/backendAddressPools/deploy.bicep @@ -25,8 +25,8 @@ resource loadBalancer 'Microsoft.Network/loadBalancers@2021-05-01' existing = { resource backendAddressPool 'Microsoft.Network/loadBalancers/backendAddressPools@2021-05-01' = { name: name properties: { - loadBalancerBackendAddresses: !empty(loadBalancerBackendAddresses) ? loadBalancerBackendAddresses : [] - tunnelInterfaces: !empty(tunnelInterfaces) ? tunnelInterfaces : [] + loadBalancerBackendAddresses: loadBalancerBackendAddresses + tunnelInterfaces: tunnelInterfaces } parent: loadBalancer } diff --git a/arm/Microsoft.Network/loadBalancers/deploy.bicep b/arm/Microsoft.Network/loadBalancers/deploy.bicep index 709b36aaef..940d9e9e61 100644 --- a/arm/Microsoft.Network/loadBalancers/deploy.bicep +++ b/arm/Microsoft.Network/loadBalancers/deploy.bicep 
@@ -75,7 +75,7 @@ var frontendIPConfigurations_var = [for (frontendIPConfiguration, index) in fron
     } : null
     privateIPAddress: contains(frontendIPConfiguration, 'privateIPAddress') && !empty(frontendIPConfiguration.privateIPAddress) ? frontendIPConfiguration.privateIPAddress : null
     privateIPAddressVersion: contains(frontendIPConfiguration, 'privateIPAddressVersion') ? frontendIPConfiguration.privateIPAddressVersion : 'IPv4'
-    privateIPAllocationMethod: contains(frontendIPConfiguration, 'subnetId') ? (contains(frontendIPConfiguration, 'privateIPAddress') ? 'Static' : 'Dynamic') : null
+    privateIPAllocationMethod: contains(frontendIPConfiguration, 'subnetId') && !empty(frontendIPConfiguration.subnetId) ? (contains(frontendIPConfiguration, 'privateIPAddress') ? 'Static' : 'Dynamic') : null
     gatewayLoadBalancer: contains(frontendIPConfiguration, 'gatewayLoadBalancer') && !empty(frontendIPConfiguration.gatewayLoadBalancer) ? {
       id: frontendIPConfiguration.gatewayLoadBalancer
     } : null
From d047a0b07e34da3a8db7db9e6ffa2bf3c9d91f8d Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 5 Mar 2022 21:43:33 +0100
Subject: [PATCH 11/24] Fix internal LB and full param files
---
 .../.parameters/internal.parameters.json | 15 ---------------
 .../loadBalancers/.parameters/parameters.json | 4 +---
 2 files changed, 1 insertion(+), 18 deletions(-)

diff --git a/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json b/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json
index e44419e92b..2975a39219 100644
--- a/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json
+++ b/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json
@@ -31,12 +31,6 @@
         "port": "62000",
         "intervalInSeconds": 5,
         "numberOfProbes": 2
-      },
-      {
-        "name": "probe2",
-        "protocol": "Https",
-        "port": 443,
-        "requestPath": "/"
       }
     ]
   },
@@ -55,15 +49,6 @@
 "disableOutboundSnat": true,
 "enableTcpReset": false,
 "backendAddressPoolName": "servers"
- },
- {
- "name": "privateIPLBRule2",
- "frontendIPConfigurationName": "privateIPConfig1",
- "frontendPort": 443,
- "backendPort": 443,
- "loadDistribution": "Default",
- "probeName": "probe2",
- "backendAddressPoolName": "servers"
 }
 ]
 },
diff --git a/arm/Microsoft.Network/loadBalancers/.parameters/parameters.json b/arm/Microsoft.Network/loadBalancers/.parameters/parameters.json
index 1dd8655e73..8ed7862388 100644
--- a/arm/Microsoft.Network/loadBalancers/.parameters/parameters.json
+++ b/arm/Microsoft.Network/loadBalancers/.parameters/parameters.json
@@ -9,9 +9,7 @@
 "value": [
 {
 "name": "publicIPConfig1",
- "publicIPAddressId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-lb",
- "subnetId": "",
- "privateIPAddress": ""
+ "publicIPAddressId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/publicIPAddresses/adp-<>-az-pip-x-lb"
 }
 ]
 },
From 85372cf10db5831100a1b48c578b6214ef2b350f Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 5 Mar 2022 22:06:07 +0100
Subject: [PATCH 12/24] Test
---
 .../loadBalancers/.parameters/internal.parameters.json | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json b/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json
index 2975a39219..4fa665c3dc 100644
--- a/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json
+++ b/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json
@@ -72,16 +72,6 @@
 }
 ]
 },
- "outboundRules": {
- "value": [
- {
- "name": "outboundRule1",
- "frontendIPConfigurationName": "privateIPConfig1",
- "backendAddressPoolName": "servers",
- "allocatedOutboundPorts": 63984
- }
- ]
- },
 "roleAssignments": {
 "value": [
 {
From b5e513acbf29ee9e2264556066928e0b35e72ce5 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 5 Mar 2022 22:31:08 +0100
Subject: [PATCH 13/24] Deploy LB for testing with VMs
---
 .github/workflows/platform.dependencies.yml | 27 +++++
 .../parameters/internal.parameters.json | 101 ++++++++++++++++++
 2 files changed, 128 insertions(+)
 create mode 100644 utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 4f499ea2c9..8e581c7bb9 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -1264,3 +1264,30 @@ jobs:
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_lb:
+ runs-on: ubuntu-20.04
+ name: 'Deploy load balancers'
+ env:
+ namespace: 'Microsoft.Network\loadBalancers'
+ needs:
+ - job_deploy_vnet
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['internal.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
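Review bot: The new job's `uses: actions/checkout@v2` references the action by a mutable tag, so a re-pointed or compromised tag would execute unreviewed code in a job that has the subscription and management-group secrets passed on the lines below within reach; pinning to a full commit SHA with the tag kept as a comment, `uses: actions/checkout@<full-sha> # v2`, removes that exposure. Every other job in this file uses the same form, so this is best fixed file-wide rather than only in job_deploy_lb, but a new job is the natural place to start. `fetch-depth: 0` also pulls the full history, which the single deploy step does not appear to need; dropping it to the default shallow checkout shortens the job and the amount of repository content present on the runner.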
diff --git a/utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json new file mode 100644 index 0000000000..83de86890d --- /dev/null +++ b/utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json 
@@ -0,0 +1,101 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "value": "adp-<>-az-lb-x-001"
+ },
+ "loadBalancerSku": {
+ "value": "Standard"
+ },
+ "frontendIPConfigurations": {
+ "value": [
+ {
+ "name": "privateIPConfig1",
+ "subnetId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<>-az-vnet-x-001/subnets/<>-az-subnet-x-001"
+ }
+ ]
+ },
+ "backendAddressPools": {
+ "value": [
+ {
+ "name": "servers"
+ }
+ ]
+ },
+ "probes": {
+ "value": [
+ {
+ "name": "probe1",
+ "protocol": "Tcp",
+ "port": "62000",
+ "intervalInSeconds": 5,
+ "numberOfProbes": 2
+ }
+ ]
+ },
+ "loadBalancingRules": {
+ "value": [
+ {
+ "name": "privateIPLBRule1",
+ "frontendIPConfigurationName": "privateIPConfig1",
+ "frontendPort": 0,
+ "backendPort": 0,
+ "enableFloatingIP": true,
+ "idleTimeoutInMinutes": 4,
+ "protocol": "All",
+ "loadDistribution": "Default",
+ "probeName": "probe1",
+ "disableOutboundSnat": true,
+ "enableTcpReset": false,
+ "backendAddressPoolName": "servers"
+ }
+ ]
+ },
+ "inboundNatRules": {
+ "value": [
+ {
+ "name": "inboundNatRule1",
+ "frontendIPConfigurationName": "privateIPConfig1",
+ "frontendPort": 443,
+ "backendPort": 443,
+ "enableFloatingIP": false,
+ "idleTimeoutInMinutes": 4,
+ "protocol": "Tcp",
+ "enableTcpReset": false
+ },
+ {
+ "name": "inboundNatRule2",
+ "frontendIPConfigurationName": "privateIPConfig1",
+ "frontendPort": 3389,
+ "backendPort": 3389
+ }
+ ]
+ },
+ "roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ "<>"
+ ]
+ }
+ ]
+ },
+ "diagnosticLogsRetentionInDays": {
+ "value": 7
+ },
+ "diagnosticStorageAccountId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001"
+ },
+ "diagnosticWorkspaceId": {
+ "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001"
+ },
+ "diagnosticEventHubAuthorizationRuleId": {
+ "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
+ },
+ "diagnosticEventHubName": {
+ "value": "adp-<>-az-evh-x-001"
+ }
+ }
+}
From c255fcbd1e769abbbbeffd5f096d281e5b8e96e0 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 5 Mar 2022 22:45:54 +0100
Subject: [PATCH 14/24] update dependency pipeline
---
 .../platform.dependencies.yml | 18 ++++++++++++++++++
 .github/workflows/platform.dependencies.yml | 3 +++
 2 files changed, 21 insertions(+)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 88bd93488c..a64871143e 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -884,3 +884,21 @@ stages:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
 displayName: Default Virtual Machine
+
+ - stage: deploy_lb
+ displayName: Deploy load balancers
+ dependsOn:
+ - deploy_vnet
+ - deploy_sa
+ - deploy_evh
+ - deploy_law
+ variables:
+ resourceType: 'Microsoft.Network/loadBalancers'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/jobs.validateModuleDeployment.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/internal.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Deploy module
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 8e581c7bb9..342b5a7af5 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
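Review bot: `diagnosticEventHubAuthorizationRuleId` points the load balancer's diagnostic setting at `RootManageSharedAccessKey`, the namespace-wide Manage rule, while a diagnostic sink only needs Send rights; referencing a dedicated send-only authorization rule instead (for example `.../AuthorizationRules/<send-only-rule>` created alongside the namespace) keeps a manage-level key out of a wiring that only ever writes. The other dependency parameter files are not visible here, so if they all use the root rule this is a repository-wide pattern worth fixing in one pass rather than only in this file. Separately, probe1 has `"port": "62000"` as a string while every other port in the file is a number; `"port": 62000` keeps the type consistent and avoids depending on whatever implicit conversion the module performs.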
@@ -1272,6 +1272,9 @@ jobs:
 namespace: 'Microsoft.Network\loadBalancers'
 needs:
 - job_deploy_vnet
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
 strategy:
 fail-fast: false
 matrix:
From fa282ab77589002ec3dcdb8ad44436c8293255e4 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 5 Mar 2022 23:26:10 +0100
Subject: [PATCH 15/24] deploy dependency lb
---
 .github/workflows/platform.dependencies.yml | 2468 +++++++++----------
 1 file changed, 1234 insertions(+), 1234 deletions(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 342b5a7af5..c35af80c2b 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -35,1246 +35,1246 @@ env: DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: - job_deploy_rg: - runs-on: ubuntu-20.04 - name: 'Deploy resource group' - env: - namespace: 'Microsoft.Resources\resourceGroups' - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['validation.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_ppg: - runs-on: ubuntu-20.04 - name: 'Deploy proximity placement group' - env: - namespace: 'Microsoft.Compute\proximityPlacementGroups' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_msi: - runs-on: ubuntu-20.04 - name: 'Deploy user assigned identity' - env: - namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' - needs: - - job_deploy_rg - outputs: - 
msiPrincipalId: ${{ steps.print_msi_prinId.outputs.msiPrincipalId }} - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - id: deploy_msi - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - name: Set msi principal ID output - id: print_msi_prinId - uses: azure/powershell@v1 - with: - inlineScript: | - $deploymentOutput = '${{ steps.deploy_msi.outputs.deploymentOutput }}' - $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).principalId - Write-Verbose "msiPrincipalId: $msiPrincipalId" -Verbose - Write-Output ('::set-output name={0}::{1}' -f 'msiPrincipalId', $msiPrincipalId) - azPSVersion: 'latest' - - job_deploy_pa: - runs-on: ubuntu-20.04 - name: 'Deploy policy assignment' - env: - namespace: 'Microsoft.Authorization\policyAssignments' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['mg.parameters.json', 'sub.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - 
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_evh: - runs-on: ubuntu-20.04 - name: 'Deploy eventhub' - env: - namespace: 'Microsoft.EventHub\namespaces' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_law: - runs-on: ubuntu-20.04 - name: 'Deploy log analytics workspace' - env: - namespace: 'Microsoft.OperationalInsights\workspaces' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['appi.parameters.json', 'aut.parameters.json', 'parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sa: - runs-on: ubuntu-20.04 - name: 'Deploy storage account' - env: - namespace: 'Microsoft.Storage\storageAccounts' - 
needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: - ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_sa_upload_storage_files: - runs-on: ubuntu-20.04 - name: 'Upload files to storage account' - env: - namespace: 'Microsoft.Storage\storageAccounts' - needs: - - job_deploy_sa - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Setup agent' - shell: pwsh - run: | - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.Storage' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: Run PowerShell - uses: azure/powershell@v1 - with: - inlineScript: | - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') - - # Replace tokens in parameter file - $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable - $ConvertTokensInputs = @{ - FilePath = $parameterFilePath - Tokens = @{} - TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - } - - # Add local tokens - if ($Settings.parameterFileTokens.localTokens) { - $tokenMap = @{} - foreach ($token in $Settings.parameterFileTokens.localTokens) { - $tokenMap += @{ $token.name = $token.value } - } - Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose - $ConvertTokensInputs.Tokens += $tokenMap - } - - $null = Convert-TokensInFile @ConvertTokensInputs - - # Get storage account name - $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # Upload files to storage account - $functionInput = @{ - ResourceGroupName = '${{ env.defaultResourceGroupName }}' - StorageAccountName = $storageAccountParameters.name.value - contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads' - targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - } - - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - Export-ContentToBlob @functionInput -Verbose - azPSVersion: 'latest' - - job_deploy_sig: - runs-on: ubuntu-20.04 - name: 'Deploy shared image gallery and definition' - env: - namespace: 'Microsoft.Compute\galleries' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ 
env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_imgt: - runs-on: ubuntu-20.04 - name: 'Deploy image template' - if: github.event.inputs.deployVhdDependencies == 'true' - env: - namespace: 'Microsoft.VirtualMachineImages\imageTemplates' - needs: - - job_deploy_rolea - - job_deploy_sig - outputs: - imageTemplateName: ${{ steps.print_imgt_output.outputs.imageTemplateName }} - imageTemplateResourceGroup: ${{ steps.print_imgt_output.outputs.imageTemplateResourceGroup }} - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - id: deploy_imgt - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - name: 'Set image template output' - id: print_imgt_output - uses: azure/powershell@v1 - with: - inlineScript: | - $deploymentOutput = '${{ steps.deploy_imgt.outputs.deploymentOutput }}' - $imageTemplateName = (ConvertFrom-Json $deploymentOutput).name - $imageTemplateResourceGroup = (ConvertFrom-Json $deploymentOutput).resourceGroupName - Write-Verbose "imageTemplateName: $imageTemplateName" -Verbose - Write-Verbose 
"imageTemplateResourceGroup: $imageTemplateResourceGroup" -Verbose - Write-Output ('::set-output name={0}::{1}' -f 'imageTemplateName', $imageTemplateName) - Write-Output ('::set-output name={0}::{1}' -f 'imageTemplateResourceGroup', $imageTemplateResourceGroup) - azPSVersion: 'latest' - - job_deploy_vhd_to_sa: - runs-on: ubuntu-20.04 - name: 'Trigger vhd build and store it to a storage account blob container' - if: github.event.inputs.deployVhdDependencies == 'true' - env: - imgtNamespace: 'Microsoft.VirtualMachineImages\imageTemplates' - saNamespace: 'Microsoft.Storage\storageAccounts' - needs: - - job_deploy_imgt - - job_deploy_sa - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Setup agent' - shell: pwsh - run: | - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.ImageBuilder' }, - @{ Name = 'Az.Storage' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: 'Trigger building new image' - uses: azure/powershell@v1 - with: - inlineScript: | - Write-Verbose "Retrieving output from previous job" -Verbose - $imageTemplateName = '${{ needs.job_deploy_imgt.outputs.imageTemplateName }}' - $imageTemplateResourceGroup = '${{ needs.job_deploy_imgt.outputs.imageTemplateResourceGroup }}' - - Write-Verbose "Trigger new image creation with imageTemplateName $imageTemplateName and imageTemplateResourceGroup $imageTemplateResourceGroup" -Verbose - Start-AzImageBuilderTemplate -ImageTemplateName $imageTemplateName -ResourceGroupName $imageTemplateResourceGroup - azPSVersion: 'latest' - - name: 'Copy baked vhd to a storage account' - uses: azure/powershell@v1 - with: - inlineScript: | - # Load used functions - . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') - - # Prepare replace tokens in parameter file - $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable - $ConvertTokensInputs = @{ - Tokens = @{} - TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - } - - # Add local tokens - if ($Settings.parameterFileTokens.localTokens) { - $tokenMap = @{} - foreach ($token in $Settings.parameterFileTokens.localTokens) { - $tokenMap += @{ $token.name = $token.value } - } - Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose - $ConvertTokensInputs.Tokens += $tokenMap - } - - # Retrieving parameters from previous job outputs and parameter files - Write-Verbose "Retrieving parameters from previous job outputs" -Verbose - $imageTemplateName = '${{ needs.job_deploy_imgt.outputs.imageTemplateName }}' - $imageTemplateResourceGroup = '${{ needs.job_deploy_imgt.outputs.imageTemplateResourceGroup }}' - - Write-Verbose "Retrieving parameters from storage account parameter files" -Verbose - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.saNamespace }}' 'parameters' 'parameters.json' - $null = Convert-TokensInFile @ConvertTokensInputs -FilePath $parameterFilePath -Verbose - $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - Write-Verbose "Retrieving parameters from image template parameter files" -Verbose - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.imgtNamespace }}' 'parameters' 'parameters.json' - $null = Convert-TokensInFile @ConvertTokensInputs -FilePath $parameterFilePath -Verbose - $imageTemplateParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # Initializing parameters before the blob copy - Write-Verbose "Initializing source 
storage account parameters before the blob copy" -Verbose - $imgtRunOutput = Get-AzImageBuilderRunOutput -ImageTemplateName $imageTemplateName -ResourceGroupName $imageTemplateResourceGroup | Where-Object ArtifactUri -NE $null - $sourceUri = $imgtRunOutput.ArtifactUri - $sourceStorageAccountName = $sourceUri.Split('//')[1].Split('.')[0] - $sourceStorageAccount = Get-AzStorageAccount | Where-Object StorageAccountName -EQ $sourceStorageAccountName - $sourceStorageAccountContext = $sourceStorageAccount.Context - $sourceStorageAccountRGName = $sourceStorageAccount.ResourceGroupName - Write-Verbose "Retrieving artifact uri $sourceUri stored in resource group $sourceStorageAccountRGName" -Verbose - - Write-Verbose "Initializing destination storage account parameters before the blob copy" -Verbose - $destinationStorageAccountName = $storageAccountParameters.name.value - $destinationStorageAccount = Get-AzStorageAccount | Where-Object StorageAccountName -EQ $destinationStorageAccountName - $destinationStorageAccountContext = $destinationStorageAccount.Context - $destinationContainerName = 'vhds' - $destinationBlobName = $imageTemplateParameters.name.value - $destinationBlobName = "$destinationBlobName.vhd" - Write-Verbose "Planning for destination blob name $destinationBlobName in container $destinationContainerName and storage account $destinationStorageAccountName" -Verbose - - # Copying the vhd to a destination blob container - Write-Verbose "Copying the vhd to a destination blob container" -Verbose - $resourceActionInputObject = @{ - AbsoluteUri = $sourceUri - Context = $sourceStorageAccountContext - DestContext = $destinationStorageAccountContext - DestBlob = $destinationBlobName - DestContainer = $destinationContainerName - Force = $true - } - Start-AzStorageBlobCopy @resourceActionInputObject - azPSVersion: 'latest' - - job_deploy_ag: - runs-on: ubuntu-20.04 - name: 'Deploy action groups' - env: - namespace: 'Microsoft.Insights\actionGroups' - needs: - - 
job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_asg: - runs-on: ubuntu-20.04 - name: 'Deploy application security groups' - env: - namespace: 'Microsoft.Network\applicationSecurityGroups' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_udr: - runs-on: ubuntu-20.04 - name: 'Deploy route tables' - env: - namespace: 'Microsoft.Network\routeTables' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: 
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_udr: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi route tables' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.Network\routeTables' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlMi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_nsg: - runs-on: ubuntu-20.04 - name: 'Deploy network security groups' - env: - namespace: 'Microsoft.Network\networkSecurityGroups' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: - [ - 'apgw.parameters.json', - 'ase.parameters.json', - 'bastion.parameters.json', - 'parameters.json', - ] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - 
parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_nsg: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi network security group' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.Network\networkSecurityGroups' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_pip: - runs-on: ubuntu-20.04 - name: 'Deploy public IP addresses' - env: - namespace: 'Microsoft.Network\publicIPAddresses' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: - [ - 'apgw.parameters.json', - 'bas.parameters.json', - 'lb.parameters.json', - 'lb.min.parameters.json', - 'fw.parameters.json', - ] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - 
parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_appi: - runs-on: ubuntu-20.04 - name: 'Deploy application insight' - env: - namespace: 'Microsoft.Insights\components' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_aut: - runs-on: ubuntu-20.04 - name: 'Deploy automation account' - env: - namespace: 'Microsoft.Automation\automationAccounts' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ 
env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_avdhp: - runs-on: ubuntu-20.04 - name: 'Deploy AVD host pool' - env: - namespace: 'Microsoft.DesktopVirtualization\hostpools' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_rsv: - runs-on: ubuntu-20.04 - name: 'Deploy recovery services vault' - env: - namespace: 'Microsoft.RecoveryServices\vaults' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - - job_deploy_msi - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ 
env.removeDeployment }}' - customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}' - - job_deploy_kv: - runs-on: ubuntu-20.04 - name: 'Deploy key vaults' - env: - namespace: 'Microsoft.KeyVault\vaults' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - - job_deploy_msi - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json', 'pe.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}' - - job_deploy_kv_secrets: - runs-on: ubuntu-20.04 - name: 'Set key vault secrets keys and certificates' - env: - namespace: 'Microsoft.KeyVault\vaults' - needs: - - job_deploy_kv - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Setup agent' - shell: pwsh - run: | - # Load used functions - . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.KeyVault' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: 'Set key vault secrets keys and certificates' - uses: azure/powershell@v1 - with: - inlineScript: | - - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json' - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') - - # Replace tokens in parameter file - $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable - $ConvertTokensInputs = @{ - FilePath = $parameterFilePath - Tokens = @{} - TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - } - if ($Settings.parameterFileTokens.localTokens) { - $tokenMap = @{} - foreach ($token in $Settings.parameterFileTokens.localTokens) { - $tokenMap += @{ $token.name = $token.value } - } - Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose - $ConvertTokensInputs.Tokens += $tokenMap - } - $null = Convert-TokensInFile @ConvertTokensInputs - - # Get key vault name - $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - $keyVaultName = $keyVaultParameters.name.value - - # Generate values - $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $passwordString = (New-Guid).Guid.SubString(0, 19) - $password = ConvertTo-SecureString -String 
$passwordString -AsPlainText -Force - $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) - $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - - # Set secrets - # ------- - @( - @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS - @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS - @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer - @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer - @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway - @{ name = 'apimClientId'; secretValue = $username } # API management - @{ name = 'apimClientSecret'; secretValue = $password } # API management - ) | ForEach-Object { - $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set certificates - # ----------- - $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - @( - @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway - ) | ForEach-Object { - $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy - Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set keys - # ---- - @( - @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS - ) | ForEach-Object { - $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - azPSVersion: 'latest' - - job_deploy_sqlmi_kv: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi 
key vault' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.KeyVault\vaults' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - - job_deploy_msi - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}' - - job_deploy_sqlmi_kv_secrets: - runs-on: ubuntu-20.04 - name: 'Set sqlmi key vault secrets and keys' - if: github.event.inputs.deploySqlMiDependencies == 'true' - needs: - - job_deploy_sqlmi_kv - env: - namespace: 'Microsoft.KeyVault\vaults' - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Setup agent' - shell: pwsh - run: | - # Load used functions - . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.KeyVault' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: 'Set sqlmi key vault secrets and keys' - uses: azure/powershell@v1 - with: - inlineScript: | - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json' - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') - - # Replace tokens in parameter file - $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable - $ConvertTokensInputs = @{ - FilePath = $parameterFilePath - Tokens = @{} - TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - } - - # Add local tokens - if ($Settings.parameterFileTokens.localTokens) { - $tokenMap = @{} - foreach ($token in $Settings.parameterFileTokens.localTokens) { - $tokenMap += @{ $token.name = $token.value } - } - Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose - $ConvertTokensInputs.Tokens += $tokenMap - } - - $null = Convert-TokensInFile @ConvertTokensInputs - - # Get key vault name - $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - $keyVaultName = $keyVaultParameters.name.value - - # Generate values - $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $passwordString = (New-Guid).Guid.SubString(0, 19) - $password = 
ConvertTo-SecureString -String $passwordString -AsPlainText -Force - - # Set secrets - # ------- - @( - @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances - @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances - ) | ForEach-Object { - $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set keys - # ---- - @( - @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances - ) | ForEach-Object { - $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - azPSVersion: 'latest' - - job_deploy_avdag: - runs-on: ubuntu-20.04 - name: 'Deploy AVD application group' - env: - namespace: 'Microsoft.DesktopVirtualization\applicationgroups' - needs: - - job_deploy_avdhp - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_rolea: - runs-on: ubuntu-20.04 - name: 'Deploy role assignments' - env: - namespace: 'Microsoft.Authorization\roleAssignments' - needs: - - job_deploy_msi - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 
'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/subscription/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}' - - job_deploy_vnet: - runs-on: ubuntu-20.04 - name: 'Deploy virtual networks' - env: - namespace: 'Microsoft.Network\virtualNetworks' - needs: - - job_deploy_nsg - strategy: - fail-fast: false - matrix: - parameterFilePaths: - [ - '1.bastion.parameters.json', - '2.vnetpeer01.parameters.json', - '3.vnetpeer02.parameters.json', - '4.azfw.parameters.json', - '5.aks.parameters.json', - '7.virtualHubConnection.parameters.json', - 'parameters.json', - ] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_vnet: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi virtual network' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.Network\virtualNetworks' - needs: - - 
job_deploy_sqlmi_udr - - job_deploy_sqlmi_nsg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['6.sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_dnszone: - runs-on: ubuntu-20.04 - name: 'Deploy private DNS zones' - env: - namespace: 'Microsoft.Network\privateDnsZones' - needs: - - job_deploy_vnet - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_vm: - runs-on: ubuntu-20.04 - name: 'Deploy virtual machines' - env: - namespace: 'Microsoft.Compute\virtualMachines' - needs: - - job_deploy_kv_secrets - - job_deploy_vnet - - job_deploy_rsv - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 
'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # job_deploy_rg: + # runs-on: ubuntu-20.04 + # name: 'Deploy resource group' + # env: + # namespace: 'Microsoft.Resources\resourceGroups' + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['validation.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_ppg: + # runs-on: ubuntu-20.04 + # name: 'Deploy proximity placement group' + # env: + # namespace: 'Microsoft.Compute\proximityPlacementGroups' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ 
env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_msi: + # runs-on: ubuntu-20.04 + # name: 'Deploy user assigned identity' + # env: + # namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' + # needs: + # - job_deploy_rg + # outputs: + # msiPrincipalId: ${{ steps.print_msi_prinId.outputs.msiPrincipalId }} + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # id: deploy_msi + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + # - name: Set msi principal ID output + # id: print_msi_prinId + # uses: azure/powershell@v1 + # with: + # inlineScript: | + # $deploymentOutput = '${{ steps.deploy_msi.outputs.deploymentOutput }}' + # $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).principalId + # Write-Verbose "msiPrincipalId: $msiPrincipalId" -Verbose + # Write-Output ('::set-output name={0}::{1}' -f 'msiPrincipalId', $msiPrincipalId) + # azPSVersion: 'latest' + + # job_deploy_pa: + # runs-on: ubuntu-20.04 + # name: 'Deploy policy assignment' + # env: + # namespace: 'Microsoft.Authorization\policyAssignments' + # needs: + # - job_deploy_rg + # 
strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['mg.parameters.json', 'sub.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_evh: + # runs-on: ubuntu-20.04 + # name: 'Deploy eventhub' + # env: + # namespace: 'Microsoft.EventHub\namespaces' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_law: + # runs-on: ubuntu-20.04 + # name: 'Deploy log analytics workspace' + # env: + # namespace: 'Microsoft.OperationalInsights\workspaces' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['appi.parameters.json', 'aut.parameters.json', 'parameters.json'] + # steps: + # - 
name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sa: + # runs-on: ubuntu-20.04 + # name: 'Deploy storage account' + # env: + # namespace: 'Microsoft.Storage\storageAccounts' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_sa_upload_storage_files: + # runs-on: ubuntu-20.04 + # name: 'Upload files to storage account' + # env: + # namespace: 'Microsoft.Storage\storageAccounts' + # needs: + # - job_deploy_sa + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Setup agent' + # shell: pwsh + # run: | + # # Load used functions + # . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Define PS modules to install on the runner + # $Modules = @( + # @{ Name = 'Az.Storage' } + # ) + + # # Set agent up + # Set-EnvironmentOnAgent -PSModules $Modules + # - name: Azure Login + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_CREDENTIALS }} + # enable-AzPSSession: true + # - name: Run PowerShell + # uses: azure/powershell@v1 + # with: + # inlineScript: | + # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' + # # Load used functions + # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') + + # # Replace tokens in parameter file + # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable + # $ConvertTokensInputs = @{ + # FilePath = $parameterFilePath + # Tokens = @{} + # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix + # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix + # } + + # # Add local tokens + # if ($Settings.parameterFileTokens.localTokens) { + # $tokenMap = @{} + # foreach ($token in $Settings.parameterFileTokens.localTokens) { + # $tokenMap += @{ $token.name = $token.value } + # } + # Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose + # $ConvertTokensInputs.Tokens += $tokenMap + # } + + # $null = Convert-TokensInFile @ConvertTokensInputs + + # # Get storage account name + # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # # Upload files to storage account + # $functionInput = @{ + # ResourceGroupName = '${{ env.defaultResourceGroupName }}' + # StorageAccountName = $storageAccountParameters.name.value + # contentDirectories = Join-Path 
$env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads'
+ # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name
+ # }
+
+ # Write-Verbose "Invoke task with" -Verbose
+ # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
+
+ # Export-ContentToBlob @functionInput -Verbose
+ # azPSVersion: 'latest'
+
+ # job_deploy_sig:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy shared image gallery and definition'
+ # env:
+ # namespace: 'Microsoft.Compute\galleries'
+ # needs:
+ # - job_deploy_rg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_imgt:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy image template'
+ # if: github.event.inputs.deployVhdDependencies == 'true'
+ # env:
+ # namespace: 'Microsoft.VirtualMachineImages\imageTemplates'
+ # needs:
+ # - job_deploy_rolea
+ # - job_deploy_sig
+ # outputs:
+ # imageTemplateName: ${{ steps.print_imgt_output.outputs.imageTemplateName }}
+ # imageTemplateResourceGroup: ${{ steps.print_imgt_output.outputs.imageTemplateResourceGroup }}
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # id: deploy_imgt
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+ # - name: 'Set image template output'
+ # id: print_imgt_output
+ # uses: azure/powershell@v1
+ # with:
+ # inlineScript: |
+ # $deploymentOutput = '${{ steps.deploy_imgt.outputs.deploymentOutput }}'
+ # $imageTemplateName = (ConvertFrom-Json $deploymentOutput).name
+ # $imageTemplateResourceGroup = (ConvertFrom-Json $deploymentOutput).resourceGroupName
+ # Write-Verbose "imageTemplateName: $imageTemplateName" -Verbose
+ # Write-Verbose "imageTemplateResourceGroup: $imageTemplateResourceGroup" -Verbose
+ # Write-Output ('::set-output name={0}::{1}' -f 'imageTemplateName', $imageTemplateName)
+ # Write-Output ('::set-output name={0}::{1}' -f 'imageTemplateResourceGroup', $imageTemplateResourceGroup)
+ # azPSVersion: 'latest'
+
+ # job_deploy_vhd_to_sa:
+ # runs-on: ubuntu-20.04
+ # name: 'Trigger vhd build and store it to a storage account blob container'
+ # if: github.event.inputs.deployVhdDependencies == 'true'
+ # env:
+ # imgtNamespace: 'Microsoft.VirtualMachineImages\imageTemplates'
+ # saNamespace: 'Microsoft.Storage\storageAccounts'
+ # needs:
+ # - job_deploy_imgt
+ # - job_deploy_sa
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Setup agent'
+ # shell: pwsh
+ # run: |
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
+
+ # # Define PS modules to install on the runner
+ # $Modules = @(
+ # @{ Name = 'Az.ImageBuilder' },
+ # @{ Name = 'Az.Storage' }
+ # )
+
+ # # Set agent up
+ # Set-EnvironmentOnAgent -PSModules $Modules
+ # - name: Azure Login
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_CREDENTIALS }}
+ # enable-AzPSSession: true
+ # - name: 'Trigger building new image'
+ # uses: azure/powershell@v1
+ # with:
+ # inlineScript: |
+ # Write-Verbose "Retrieving output from previous job" -Verbose
+ # $imageTemplateName = '${{ needs.job_deploy_imgt.outputs.imageTemplateName }}'
+ # $imageTemplateResourceGroup = '${{ needs.job_deploy_imgt.outputs.imageTemplateResourceGroup }}'
+
+ # Write-Verbose "Trigger new image creation with imageTemplateName $imageTemplateName and imageTemplateResourceGroup $imageTemplateResourceGroup" -Verbose
+ # Start-AzImageBuilderTemplate -ImageTemplateName $imageTemplateName -ResourceGroupName $imageTemplateResourceGroup
+ # azPSVersion: 'latest'
+ # - name: 'Copy baked vhd to a storage account'
+ # uses: azure/powershell@v1
+ # with:
+ # inlineScript: |
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1')
+
+ # # Prepare replace tokens in parameter file
+ # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable
+ # $ConvertTokensInputs = @{
+ # Tokens = @{}
+ # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ # }
+
+ # # Add local tokens
+ # if ($Settings.parameterFileTokens.localTokens) {
+ # $tokenMap = @{}
+ # foreach ($token in $Settings.parameterFileTokens.localTokens) {
+ # $tokenMap += @{ $token.name = $token.value }
+ # }
+ # Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose
+ # $ConvertTokensInputs.Tokens += $tokenMap
+ # }
+
+ # # Retrieving parameters from previous job outputs and parameter files
+ # Write-Verbose "Retrieving parameters from previous job outputs" -Verbose
+ # $imageTemplateName = '${{ needs.job_deploy_imgt.outputs.imageTemplateName }}'
+ # $imageTemplateResourceGroup = '${{ needs.job_deploy_imgt.outputs.imageTemplateResourceGroup }}'
+
+ # Write-Verbose "Retrieving parameters from storage account parameter files" -Verbose
+ # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.saNamespace }}' 'parameters' 'parameters.json'
+ # $null = Convert-TokensInFile @ConvertTokensInputs -FilePath $parameterFilePath -Verbose
+ # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters
+
+ # Write-Verbose "Retrieving parameters from image template parameter files" -Verbose
+ # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.imgtNamespace }}' 'parameters' 'parameters.json'
+ # $null = Convert-TokensInFile @ConvertTokensInputs -FilePath $parameterFilePath -Verbose
+ # $imageTemplateParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters
+
+ # # Initializing parameters before the blob copy
+ # Write-Verbose "Initializing source storage account parameters before the blob copy" -Verbose
+ # $imgtRunOutput = Get-AzImageBuilderRunOutput -ImageTemplateName $imageTemplateName -ResourceGroupName $imageTemplateResourceGroup | Where-Object ArtifactUri -NE $null
+ # $sourceUri = $imgtRunOutput.ArtifactUri
+ # $sourceStorageAccountName = $sourceUri.Split('//')[1].Split('.')[0]
+ # $sourceStorageAccount = Get-AzStorageAccount | Where-Object StorageAccountName -EQ $sourceStorageAccountName
+ # $sourceStorageAccountContext = $sourceStorageAccount.Context
+ # $sourceStorageAccountRGName = $sourceStorageAccount.ResourceGroupName
+ # Write-Verbose "Retrieving artifact uri $sourceUri stored in resource group $sourceStorageAccountRGName" -Verbose
+
+ # Write-Verbose "Initializing destination storage account parameters before the blob copy" -Verbose
+ # $destinationStorageAccountName = $storageAccountParameters.name.value
+ # $destinationStorageAccount = Get-AzStorageAccount | Where-Object StorageAccountName -EQ $destinationStorageAccountName
+ # $destinationStorageAccountContext = $destinationStorageAccount.Context
+ # $destinationContainerName = 'vhds'
+ # $destinationBlobName = $imageTemplateParameters.name.value
+ # $destinationBlobName = "$destinationBlobName.vhd"
+ # Write-Verbose "Planning for destination blob name $destinationBlobName in container $destinationContainerName and storage account $destinationStorageAccountName" -Verbose
+
+ # # Copying the vhd to a destination blob container
+ # Write-Verbose "Copying the vhd to a destination blob container" -Verbose
+ # $resourceActionInputObject = @{
+ # AbsoluteUri = $sourceUri
+ # Context = $sourceStorageAccountContext
+ # DestContext = $destinationStorageAccountContext
+ # DestBlob = $destinationBlobName
+ # DestContainer = $destinationContainerName
+ # Force = $true
+ # }
+ # Start-AzStorageBlobCopy @resourceActionInputObject
+ # azPSVersion: 'latest'
+
+ # job_deploy_ag:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy action groups'
+ # env:
+ # namespace: 'Microsoft.Insights\actionGroups'
+ # needs:
+ # - job_deploy_rg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_asg:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy application security groups'
+ # env:
+ # namespace: 'Microsoft.Network\applicationSecurityGroups'
+ # needs:
+ # - job_deploy_rg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_udr:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy route tables'
+ # env:
+ # namespace: 'Microsoft.Network\routeTables'
+ # needs:
+ # - job_deploy_rg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_sqlmi_udr:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy sqlmi route tables'
+ # if: github.event.inputs.deploySqlMiDependencies == 'true'
+ # env:
+ # namespace: 'Microsoft.Network\routeTables'
+ # needs:
+ # - job_deploy_rg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['sqlMi.parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_nsg:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy network security groups'
+ # env:
+ # namespace: 'Microsoft.Network\networkSecurityGroups'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths:
+ # [
+ # 'apgw.parameters.json',
+ # 'ase.parameters.json',
+ # 'bastion.parameters.json',
+ # 'parameters.json',
+ # ]
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_sqlmi_nsg:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy sqlmi network security group'
+ # if: github.event.inputs.deploySqlMiDependencies == 'true'
+ # env:
+ # namespace: 'Microsoft.Network\networkSecurityGroups'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['sqlmi.parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_pip:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy public IP addresses'
+ # env:
+ # namespace: 'Microsoft.Network\publicIPAddresses'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths:
+ # [
+ # 'apgw.parameters.json',
+ # 'bas.parameters.json',
+ # 'lb.parameters.json',
+ # 'lb.min.parameters.json',
+ # 'fw.parameters.json',
+ # ]
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_appi:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy application insight'
+ # env:
+ # namespace: 'Microsoft.Insights\components'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_aut:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy automation account'
+ # env:
+ # namespace: 'Microsoft.Automation\automationAccounts'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_avdhp:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy AVD host pool'
+ # env:
+ # namespace: 'Microsoft.DesktopVirtualization\hostpools'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_rsv:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy recovery services vault'
+ # env:
+ # namespace: 'Microsoft.RecoveryServices\vaults'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # - job_deploy_msi
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+ # customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}'
+
+ # job_deploy_kv:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy key vaults'
+ # env:
+ # namespace: 'Microsoft.KeyVault\vaults'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # - job_deploy_msi
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json', 'pe.parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+ # customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}'
+
+ # job_deploy_kv_secrets:
+ # runs-on: ubuntu-20.04
+ # name: 'Set key vault secrets keys and certificates'
+ # env:
+ # namespace: 'Microsoft.KeyVault\vaults'
+ # needs:
+ # - job_deploy_kv
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Setup agent'
+ # shell: pwsh
+ # run: |
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
+
+ # # Define PS modules to install on the runner
+ # $Modules = @(
+ # @{ Name = 'Az.KeyVault' }
+ # )
+
+ # # Set agent up
+ # Set-EnvironmentOnAgent -PSModules $Modules
+ # - name: Azure Login
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_CREDENTIALS }}
+ # enable-AzPSSession: true
+ # - name: 'Set key vault secrets keys and certificates'
+ # uses: azure/powershell@v1
+ # with:
+ # inlineScript: |
+
+ # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json'
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1')
+
+ # # Replace tokens in parameter file
+ # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable
+ # $ConvertTokensInputs = @{
+ # FilePath = $parameterFilePath
+ # Tokens = @{}
+ # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ # }
+ # if ($Settings.parameterFileTokens.localTokens) {
+ # $tokenMap = @{}
+ # foreach ($token in $Settings.parameterFileTokens.localTokens) {
+ # $tokenMap += @{ $token.name = $token.value }
+ # }
+ # Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose
+ # $ConvertTokensInputs.Tokens += $tokenMap
+ # }
+ # $null = Convert-TokensInFile @ConvertTokensInputs
+
+ # # Get key vault name
+ # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters
+ # $keyVaultName = $keyVaultParameters.name.value
+
+ # # Generate values
+ # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length
+ # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force
+ # $passwordString = (New-Guid).Guid.SubString(0, 19)
+ # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force
+ # $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32)
+ # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force
+
+ # # Set secrets
+ # # -------
+ # @(
+ # @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS
+ # @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS
+ # @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer
+ # @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer
+ # @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway
+ # @{ name = 'apimClientId'; secretValue = $username } # API management
+ # @{ name = 'apimClientSecret'; secretValue = $password } # API management
+ # ) | ForEach-Object {
+ # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
+ # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ # }
+
+ # # Set certificates
+ # # -----------
+ # $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal
+ # @(
+ # @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway
+ # ) | ForEach-Object {
+ # $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy
+ # Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ # }
+
+ # # Set keys
+ # # ----
+ # @(
+ # @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS
+ # ) | ForEach-Object {
+ # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
+ # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ # }
+ # azPSVersion: 'latest'
+
+ # job_deploy_sqlmi_kv:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy sqlmi key vault'
+ # if: github.event.inputs.deploySqlMiDependencies == 'true'
+ # env:
+ # namespace: 'Microsoft.KeyVault\vaults'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # - job_deploy_msi
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['sqlmi.parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+ # customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}'
+
+ # job_deploy_sqlmi_kv_secrets:
+ # runs-on: ubuntu-20.04
+ # name: 'Set sqlmi key vault secrets and keys'
+ # if: github.event.inputs.deploySqlMiDependencies == 'true'
+ # needs:
+ # - job_deploy_sqlmi_kv
+ # env:
+ # namespace: 'Microsoft.KeyVault\vaults'
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Setup agent'
+ # shell: pwsh
+ # run: |
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
+
+ # # Define PS modules to install on the runner
+ # $Modules = @(
+ # @{ Name = 'Az.KeyVault' }
+ # )
+
+ # # Set agent up
+ # Set-EnvironmentOnAgent -PSModules $Modules
+
+ # - name: Azure Login
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_CREDENTIALS }}
+ # enable-AzPSSession: true
+ # - name: 'Set sqlmi key vault secrets and keys'
+ # uses: azure/powershell@v1
+ # with:
+ # inlineScript: |
+ # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json'
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1')
+
+ # # Replace tokens in parameter file
+ # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable
+ # $ConvertTokensInputs = @{
+ # FilePath = $parameterFilePath
+ # Tokens = @{}
+ # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ # }
+
+ # # Add local tokens
+ # if ($Settings.parameterFileTokens.localTokens) {
+ # $tokenMap = @{}
+ # foreach ($token in $Settings.parameterFileTokens.localTokens) {
+ # $tokenMap += @{ $token.name = $token.value }
+ # }
+ # Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose
+ # $ConvertTokensInputs.Tokens += $tokenMap
+ # }
+
+ # $null = Convert-TokensInFile @ConvertTokensInputs
+
+ # # Get key vault name
+ # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters
+ # $keyVaultName = $keyVaultParameters.name.value
+
+ # # Generate values
+ # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length
+ # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force
+ # $passwordString = (New-Guid).Guid.SubString(0, 19)
+ # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force
+
+ # # Set secrets
+ # # -------
+ # @(
+ # @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances
+ # @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances
+ # ) | ForEach-Object {
+ # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
+ # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ # }
+
+ # # Set keys
+ # # ----
+ # @(
+ # @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances
+ # ) | ForEach-Object {
+ # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
+ # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ # }
+ # azPSVersion: 'latest'
+
+ # job_deploy_avdag:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy AVD application group'
+ # env:
+ # namespace: 'Microsoft.DesktopVirtualization\applicationgroups'
+ # needs:
+ # - job_deploy_avdhp
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_rolea:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy role assignments'
+ # env:
+ # namespace: 'Microsoft.Authorization\roleAssignments'
+ # needs:
+ # - job_deploy_msi
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/subscription/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+ # customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}'
+
+ # job_deploy_vnet:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy virtual networks'
+ # env:
+ # namespace: 'Microsoft.Network\virtualNetworks'
+ # needs:
+ # - job_deploy_nsg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths:
+ # [
+ # '1.bastion.parameters.json',
+ # '2.vnetpeer01.parameters.json',
+ # '3.vnetpeer02.parameters.json',
+ # '4.azfw.parameters.json',
+ # '5.aks.parameters.json',
+ # '7.virtualHubConnection.parameters.json',
+ # 'parameters.json',
+ # ]
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_sqlmi_vnet:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy sqlmi virtual network'
+ # if: github.event.inputs.deploySqlMiDependencies == 'true'
+ # env:
+ # namespace: 'Microsoft.Network\virtualNetworks'
+ # needs:
+ # - job_deploy_sqlmi_udr
+ # - job_deploy_sqlmi_nsg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['6.sqlmi.parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_dnszone:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy private DNS zones'
+ # env:
+ # namespace: 'Microsoft.Network\privateDnsZones'
+ # needs:
+ # - job_deploy_vnet
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_vm:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy virtual machines'
+ # env:
+ # namespace: 'Microsoft.Compute\virtualMachines'
+ # needs:
+ # - job_deploy_kv_secrets
+ # - job_deploy_vnet
+ # - job_deploy_rsv
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
 job_deploy_lb:
 runs-on: ubuntu-20.04
 name: 'Deploy load balancers'
 env:
 namespace: 'Microsoft.Network\loadBalancers'
- needs:
- - job_deploy_vnet
- - job_deploy_sa
- - job_deploy_evh
- - job_deploy_law
+ # needs:
+ # - job_deploy_vnet
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
 strategy:
 fail-fast: false
 matrix:
From 4e728b07b928116ed0b621adcde559dfa5207373 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 5 Mar 2022 23:41:48 +0100
Subject: [PATCH 16/24] Uncomment dependency pipeline
---
.github/workflows/platform.dependencies.yml | 2468 +++++++++----------
1 file changed, 1234 insertions(+), 1234 deletions(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index c35af80c2b..342b5a7af5 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -35,1246 +35,1246 @@ env: DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: - # job_deploy_rg: - # runs-on: ubuntu-20.04 - # name: 'Deploy resource group' - # env: - # namespace: 'Microsoft.Resources\resourceGroups' - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['validation.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_ppg: - # runs-on: ubuntu-20.04 - # name: 'Deploy proximity placement group' - # env: - # namespace: 'Microsoft.Compute\proximityPlacementGroups' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_msi: - # runs-on: ubuntu-20.04 - # name: 'Deploy user assigned identity' - # env: - # 
namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' - # needs: - # - job_deploy_rg - # outputs: - # msiPrincipalId: ${{ steps.print_msi_prinId.outputs.msiPrincipalId }} - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # id: deploy_msi - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - # - name: Set msi principal ID output - # id: print_msi_prinId - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # $deploymentOutput = '${{ steps.deploy_msi.outputs.deploymentOutput }}' - # $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).principalId - # Write-Verbose "msiPrincipalId: $msiPrincipalId" -Verbose - # Write-Output ('::set-output name={0}::{1}' -f 'msiPrincipalId', $msiPrincipalId) - # azPSVersion: 'latest' - - # job_deploy_pa: - # runs-on: ubuntu-20.04 - # name: 'Deploy policy assignment' - # env: - # namespace: 'Microsoft.Authorization\policyAssignments' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['mg.parameters.json', 'sub.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace 
}}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_evh: - # runs-on: ubuntu-20.04 - # name: 'Deploy eventhub' - # env: - # namespace: 'Microsoft.EventHub\namespaces' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_law: - # runs-on: ubuntu-20.04 - # name: 'Deploy log analytics workspace' - # env: - # namespace: 'Microsoft.OperationalInsights\workspaces' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['appi.parameters.json', 'aut.parameters.json', 'parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ 
env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sa: - # runs-on: ubuntu-20.04 - # name: 'Deploy storage account' - # env: - # namespace: 'Microsoft.Storage\storageAccounts' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_sa_upload_storage_files: - # runs-on: ubuntu-20.04 - # name: 'Upload files to storage account' - # env: - # namespace: 'Microsoft.Storage\storageAccounts' - # needs: - # - job_deploy_sa - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Setup agent' - # shell: pwsh - # run: | - # # Load used functions - # . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.Storage' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - name: Azure Login - # uses: azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - # enable-AzPSSession: true - # - name: Run PowerShell - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' - # # Load used functions - # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') - - # # Replace tokens in parameter file - # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable - # $ConvertTokensInputs = @{ - # FilePath = $parameterFilePath - # Tokens = @{} - # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - # } - - # # Add local tokens - # if ($Settings.parameterFileTokens.localTokens) { - # $tokenMap = @{} - # foreach ($token in $Settings.parameterFileTokens.localTokens) { - # $tokenMap += @{ $token.name = $token.value } - # } - # Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose - # $ConvertTokensInputs.Tokens += $tokenMap - # } - - # $null = Convert-TokensInFile @ConvertTokensInputs - - # # Get storage account name - # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # # Upload files to storage account - # $functionInput = @{ - # ResourceGroupName = '${{ env.defaultResourceGroupName }}' - # StorageAccountName = $storageAccountParameters.name.value - # contentDirectories = Join-Path 
$env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads' - # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - # } - - # Write-Verbose "Invoke task with" -Verbose - # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - # Export-ContentToBlob @functionInput -Verbose - # azPSVersion: 'latest' - - # job_deploy_sig: - # runs-on: ubuntu-20.04 - # name: 'Deploy shared image gallery and definition' - # env: - # namespace: 'Microsoft.Compute\galleries' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_imgt: - # runs-on: ubuntu-20.04 - # name: 'Deploy image template' - # if: github.event.inputs.deployVhdDependencies == 'true' - # env: - # namespace: 'Microsoft.VirtualMachineImages\imageTemplates' - # needs: - # - job_deploy_rolea - # - job_deploy_sig - # outputs: - # imageTemplateName: ${{ steps.print_imgt_output.outputs.imageTemplateName }} - # imageTemplateResourceGroup: ${{ steps.print_imgt_output.outputs.imageTemplateResourceGroup }} - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # id: deploy_imgt - # uses: 
./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - # - name: 'Set image template output' - # id: print_imgt_output - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # $deploymentOutput = '${{ steps.deploy_imgt.outputs.deploymentOutput }}' - # $imageTemplateName = (ConvertFrom-Json $deploymentOutput).name - # $imageTemplateResourceGroup = (ConvertFrom-Json $deploymentOutput).resourceGroupName - # Write-Verbose "imageTemplateName: $imageTemplateName" -Verbose - # Write-Verbose "imageTemplateResourceGroup: $imageTemplateResourceGroup" -Verbose - # Write-Output ('::set-output name={0}::{1}' -f 'imageTemplateName', $imageTemplateName) - # Write-Output ('::set-output name={0}::{1}' -f 'imageTemplateResourceGroup', $imageTemplateResourceGroup) - # azPSVersion: 'latest' - - # job_deploy_vhd_to_sa: - # runs-on: ubuntu-20.04 - # name: 'Trigger vhd build and store it to a storage account blob container' - # if: github.event.inputs.deployVhdDependencies == 'true' - # env: - # imgtNamespace: 'Microsoft.VirtualMachineImages\imageTemplates' - # saNamespace: 'Microsoft.Storage\storageAccounts' - # needs: - # - job_deploy_imgt - # - job_deploy_sa - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Setup agent' - # shell: pwsh - # run: | - # # Load used functions - # . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.ImageBuilder' }, - # @{ Name = 'Az.Storage' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - name: Azure Login - # uses: azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - # enable-AzPSSession: true - # - name: 'Trigger building new image' - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # Write-Verbose "Retrieving output from previous job" -Verbose - # $imageTemplateName = '${{ needs.job_deploy_imgt.outputs.imageTemplateName }}' - # $imageTemplateResourceGroup = '${{ needs.job_deploy_imgt.outputs.imageTemplateResourceGroup }}' - - # Write-Verbose "Trigger new image creation with imageTemplateName $imageTemplateName and imageTemplateResourceGroup $imageTemplateResourceGroup" -Verbose - # Start-AzImageBuilderTemplate -ImageTemplateName $imageTemplateName -ResourceGroupName $imageTemplateResourceGroup - # azPSVersion: 'latest' - # - name: 'Copy baked vhd to a storage account' - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # # Load used functions - # . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') - - # # Prepare replace tokens in parameter file - # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable - # $ConvertTokensInputs = @{ - # Tokens = @{} - # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - # } - - # # Add local tokens - # if ($Settings.parameterFileTokens.localTokens) { - # $tokenMap = @{} - # foreach ($token in $Settings.parameterFileTokens.localTokens) { - # $tokenMap += @{ $token.name = $token.value } - # } - # Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose - # $ConvertTokensInputs.Tokens += $tokenMap - # } - - # # Retrieving parameters from previous job outputs and parameter files - # Write-Verbose "Retrieving parameters from previous job outputs" -Verbose - # $imageTemplateName = '${{ needs.job_deploy_imgt.outputs.imageTemplateName }}' - # $imageTemplateResourceGroup = '${{ needs.job_deploy_imgt.outputs.imageTemplateResourceGroup }}' - - # Write-Verbose "Retrieving parameters from storage account parameter files" -Verbose - # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.saNamespace }}' 'parameters' 'parameters.json' - # $null = Convert-TokensInFile @ConvertTokensInputs -FilePath $parameterFilePath -Verbose - # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # Write-Verbose "Retrieving parameters from image template parameter files" -Verbose - # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.imgtNamespace }}' 'parameters' 'parameters.json' - # $null = Convert-TokensInFile @ConvertTokensInputs -FilePath $parameterFilePath -Verbose - # $imageTemplateParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # # Initializing parameters before 
the blob copy - # Write-Verbose "Initializing source storage account parameters before the blob copy" -Verbose - # $imgtRunOutput = Get-AzImageBuilderRunOutput -ImageTemplateName $imageTemplateName -ResourceGroupName $imageTemplateResourceGroup | Where-Object ArtifactUri -NE $null - # $sourceUri = $imgtRunOutput.ArtifactUri - # $sourceStorageAccountName = $sourceUri.Split('//')[1].Split('.')[0] - # $sourceStorageAccount = Get-AzStorageAccount | Where-Object StorageAccountName -EQ $sourceStorageAccountName - # $sourceStorageAccountContext = $sourceStorageAccount.Context - # $sourceStorageAccountRGName = $sourceStorageAccount.ResourceGroupName - # Write-Verbose "Retrieving artifact uri $sourceUri stored in resource group $sourceStorageAccountRGName" -Verbose - - # Write-Verbose "Initializing destination storage account parameters before the blob copy" -Verbose - # $destinationStorageAccountName = $storageAccountParameters.name.value - # $destinationStorageAccount = Get-AzStorageAccount | Where-Object StorageAccountName -EQ $destinationStorageAccountName - # $destinationStorageAccountContext = $destinationStorageAccount.Context - # $destinationContainerName = 'vhds' - # $destinationBlobName = $imageTemplateParameters.name.value - # $destinationBlobName = "$destinationBlobName.vhd" - # Write-Verbose "Planning for destination blob name $destinationBlobName in container $destinationContainerName and storage account $destinationStorageAccountName" -Verbose - - # # Copying the vhd to a destination blob container - # Write-Verbose "Copying the vhd to a destination blob container" -Verbose - # $resourceActionInputObject = @{ - # AbsoluteUri = $sourceUri - # Context = $sourceStorageAccountContext - # DestContext = $destinationStorageAccountContext - # DestBlob = $destinationBlobName - # DestContainer = $destinationContainerName - # Force = $true - # } - # Start-AzStorageBlobCopy @resourceActionInputObject - # azPSVersion: 'latest' - - # job_deploy_ag: - # runs-on: 
ubuntu-20.04 - # name: 'Deploy action groups' - # env: - # namespace: 'Microsoft.Insights\actionGroups' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_asg: - # runs-on: ubuntu-20.04 - # name: 'Deploy application security groups' - # env: - # namespace: 'Microsoft.Network\applicationSecurityGroups' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_udr: - # runs-on: ubuntu-20.04 - # name: 'Deploy route tables' - # env: - # namespace: 'Microsoft.Network\routeTables' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false 
- # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sqlmi_udr: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi route tables' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.Network\routeTables' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['sqlMi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_nsg: - # runs-on: ubuntu-20.04 - # name: 'Deploy network security groups' - # env: - # namespace: 'Microsoft.Network\networkSecurityGroups' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # [ - # 
'apgw.parameters.json', - # 'ase.parameters.json', - # 'bastion.parameters.json', - # 'parameters.json', - # ] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sqlmi_nsg: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi network security group' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.Network\networkSecurityGroups' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['sqlmi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_pip: - # runs-on: ubuntu-20.04 - # name: 'Deploy public IP addresses' - # env: - # namespace: 'Microsoft.Network\publicIPAddresses' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # 
- job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # [ - # 'apgw.parameters.json', - # 'bas.parameters.json', - # 'lb.parameters.json', - # 'lb.min.parameters.json', - # 'fw.parameters.json', - # ] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_appi: - # runs-on: ubuntu-20.04 - # name: 'Deploy application insight' - # env: - # namespace: 'Microsoft.Insights\components' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_aut: - # runs-on: ubuntu-20.04 - # name: 'Deploy automation account' - # env: - # namespace: 'Microsoft.Automation\automationAccounts' - # needs: - # - 
job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_avdhp: - # runs-on: ubuntu-20.04 - # name: 'Deploy AVD host pool' - # env: - # namespace: 'Microsoft.DesktopVirtualization\hostpools' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_rsv: - # runs-on: ubuntu-20.04 - # name: 'Deploy recovery services vault' - # env: - # namespace: 'Microsoft.RecoveryServices\vaults' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # - job_deploy_msi - # 
strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - # customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}' - - # job_deploy_kv: - # runs-on: ubuntu-20.04 - # name: 'Deploy key vaults' - # env: - # namespace: 'Microsoft.KeyVault\vaults' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # - job_deploy_msi - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json', 'pe.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - # customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}' - - # job_deploy_kv_secrets: - # runs-on: ubuntu-20.04 - # name: 'Set key vault 
secrets keys and certificates' - # env: - # namespace: 'Microsoft.KeyVault\vaults' - # needs: - # - job_deploy_kv - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Setup agent' - # shell: pwsh - # run: | - # # Load used functions - # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.KeyVault' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - name: Azure Login - # uses: azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - # enable-AzPSSession: true - # - name: 'Set key vault secrets keys and certificates' - # uses: azure/powershell@v1 - # with: - # inlineScript: | - - # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json' - # # Load used functions - # . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') - - # # Replace tokens in parameter file - # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable - # $ConvertTokensInputs = @{ - # FilePath = $parameterFilePath - # Tokens = @{} - # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - # } - # if ($Settings.parameterFileTokens.localTokens) { - # $tokenMap = @{} - # foreach ($token in $Settings.parameterFileTokens.localTokens) { - # $tokenMap += @{ $token.name = $token.value } - # } - # Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose - # $ConvertTokensInputs.Tokens += $tokenMap - # } - # $null = Convert-TokensInFile @ConvertTokensInputs - - # # Get key vault name - # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - # $keyVaultName = $keyVaultParameters.name.value - - # # Generate values - # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $passwordString = (New-Guid).Guid.SubString(0, 19) - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - # $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) - # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - - # # Set secrets - # # ------- - # @( - # @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS - # @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS - # @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer - # @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer - # @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # 
VirtualNetworkGateway
- # @{ name = 'apimClientId'; secretValue = $username } # API management
- # @{ name = 'apimClientSecret'; secretValue = $password } # API management
- # ) | ForEach-Object {
- # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
- # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
- # }
-
- # # Set certificates
- # # -----------
- # $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal
- # @(
- # @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway
- # ) | ForEach-Object {
- # $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy
- # Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
- # }
-
- # # Set keys
- # # ----
- # @(
- # @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS
- # ) | ForEach-Object {
- # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
- # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
- # }
- # azPSVersion: 'latest'
-
- # job_deploy_sqlmi_kv:
- # runs-on: ubuntu-20.04
- # name: 'Deploy sqlmi key vault'
- # if: github.event.inputs.deploySqlMiDependencies == 'true'
- # env:
- # namespace: 'Microsoft.KeyVault\vaults'
- # needs:
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
- # - job_deploy_msi
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['sqlmi.parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{
env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
- # customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}'
-
- # job_deploy_sqlmi_kv_secrets:
- # runs-on: ubuntu-20.04
- # name: 'Set sqlmi key vault secrets and keys'
- # if: github.event.inputs.deploySqlMiDependencies == 'true'
- # needs:
- # - job_deploy_sqlmi_kv
- # env:
- # namespace: 'Microsoft.KeyVault\vaults'
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Setup agent'
- # shell: pwsh
- # run: |
- # # Load used functions
- # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
-
- # # Define PS modules to install on the runner
- # $Modules = @(
- # @{ Name = 'Az.KeyVault' }
- # )
-
- # # Set agent up
- # Set-EnvironmentOnAgent -PSModules $Modules
-
- # - name: Azure Login
- # uses: azure/login@v1
- # with:
- # creds: ${{ secrets.AZURE_CREDENTIALS }}
- # enable-AzPSSession: true
- # - name: 'Set sqlmi key vault secrets and keys'
- # uses: azure/powershell@v1
- # with:
- # inlineScript: |
- # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json'
- # # Load used functions
- # .
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1')
-
- # # Replace tokens in parameter file
- # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable
- # $ConvertTokensInputs = @{
- # FilePath = $parameterFilePath
- # Tokens = @{}
- # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
- # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
- # }
-
- # # Add local tokens
- # if ($Settings.parameterFileTokens.localTokens) {
- # $tokenMap = @{}
- # foreach ($token in $Settings.parameterFileTokens.localTokens) {
- # $tokenMap += @{ $token.name = $token.value }
- # }
- # Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose
- # $ConvertTokensInputs.Tokens += $tokenMap
- # }
-
- # $null = Convert-TokensInFile @ConvertTokensInputs
-
- # # Get key vault name
- # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters
- # $keyVaultName = $keyVaultParameters.name.value
-
- # # Generate values
- # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length
- # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force
- # $passwordString = (New-Guid).Guid.SubString(0, 19)
- # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force
-
- # # Set secrets
- # # -------
- # @(
- # @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances
- # @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances
- # ) | ForEach-Object {
- # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
- # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
- # }
-
- # # Set keys
- # # ----
- # @(
- # @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances
- # )
| ForEach-Object {
- # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
- # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
- # }
- # azPSVersion: 'latest'
-
- # job_deploy_avdag:
- # runs-on: ubuntu-20.04
- # name: 'Deploy AVD application group'
- # env:
- # namespace: 'Microsoft.DesktopVirtualization\applicationgroups'
- # needs:
- # - job_deploy_avdhp
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_rolea:
- # runs-on: ubuntu-20.04
- # name: 'Deploy role assignments'
- # env:
- # namespace: 'Microsoft.Authorization\roleAssignments'
- # needs:
- # - job_deploy_msi
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/subscription/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- #
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
- # customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}'
-
- # job_deploy_vnet:
- # runs-on: ubuntu-20.04
- # name: 'Deploy virtual networks'
- # env:
- # namespace: 'Microsoft.Network\virtualNetworks'
- # needs:
- # - job_deploy_nsg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths:
- # [
- # '1.bastion.parameters.json',
- # '2.vnetpeer01.parameters.json',
- # '3.vnetpeer02.parameters.json',
- # '4.azfw.parameters.json',
- # '5.aks.parameters.json',
- # '7.virtualHubConnection.parameters.json',
- # 'parameters.json',
- # ]
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_sqlmi_vnet:
- # runs-on: ubuntu-20.04
- # name: 'Deploy sqlmi virtual network'
- # if: github.event.inputs.deploySqlMiDependencies == 'true'
- # env:
- # namespace: 'Microsoft.Network\virtualNetworks'
- # needs:
- # - job_deploy_sqlmi_udr
- # - job_deploy_sqlmi_nsg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['6.sqlmi.parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- #
parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_dnszone:
- # runs-on: ubuntu-20.04
- # name: 'Deploy private DNS zones'
- # env:
- # namespace: 'Microsoft.Network\privateDnsZones'
- # needs:
- # - job_deploy_vnet
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_vm:
- # runs-on: ubuntu-20.04
- # name: 'Deploy virtual machines'
- # env:
- # namespace: 'Microsoft.Compute\virtualMachines'
- # needs:
- # - job_deploy_kv_secrets
- # - job_deploy_vnet
- # - job_deploy_rsv
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location:
'${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
+ job_deploy_rg:
+ runs-on: ubuntu-20.04
+ name: 'Deploy resource group'
+ env:
+ namespace: 'Microsoft.Resources\resourceGroups'
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['validation.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_ppg:
+ runs-on: ubuntu-20.04
+ name: 'Deploy proximity placement group'
+ env:
+ namespace: 'Microsoft.Compute\proximityPlacementGroups'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_msi:
+ runs-on:
ubuntu-20.04
+ name: 'Deploy user assigned identity'
+ env:
+ namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities'
+ needs:
+ - job_deploy_rg
+ outputs:
+ msiPrincipalId: ${{ steps.print_msi_prinId.outputs.msiPrincipalId }}
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ id: deploy_msi
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+ - name: Set msi principal ID output
+ id: print_msi_prinId
+ uses: azure/powershell@v1
+ with:
+ inlineScript: |
+ $deploymentOutput = '${{ steps.deploy_msi.outputs.deploymentOutput }}'
+ $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).principalId
+ Write-Verbose "msiPrincipalId: $msiPrincipalId" -Verbose
+ Write-Output ('::set-output name={0}::{1}' -f 'msiPrincipalId', $msiPrincipalId)
+ azPSVersion: 'latest'
+
+ job_deploy_pa:
+ runs-on: ubuntu-20.04
+ name: 'Deploy policy assignment'
+ env:
+ namespace: 'Microsoft.Authorization\policyAssignments'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['mg.parameters.json', 'sub.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+
location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_evh:
+ runs-on: ubuntu-20.04
+ name: 'Deploy eventhub'
+ env:
+ namespace: 'Microsoft.EventHub\namespaces'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_law:
+ runs-on: ubuntu-20.04
+ name: 'Deploy log analytics workspace'
+ env:
+ namespace: 'Microsoft.OperationalInsights\workspaces'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['appi.parameters.json', 'aut.parameters.json', 'parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{
env.removeDeployment }}'
+
+ job_deploy_sa:
+ runs-on: ubuntu-20.04
+ name: 'Deploy storage account'
+ env:
+ namespace: 'Microsoft.Storage\storageAccounts'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths:
+ ['fa.parameters.json', 'law.parameters.json', 'parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_sa_upload_storage_files:
+ runs-on: ubuntu-20.04
+ name: 'Upload files to storage account'
+ env:
+ namespace: 'Microsoft.Storage\storageAccounts'
+ needs:
+ - job_deploy_sa
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Setup agent'
+ shell: pwsh
+ run: |
+ # Load used functions
+ . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
+
+ # Define PS modules to install on the runner
+ $Modules = @(
+ @{ Name = 'Az.Storage' }
+ )
+
+ # Set agent up
+ Set-EnvironmentOnAgent -PSModules $Modules
+ - name: Azure Login
+ uses: azure/login@v1
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+ enable-AzPSSession: true
+ - name: Run PowerShell
+ uses: azure/powershell@v1
+ with:
+ inlineScript: |
+ $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json'
+ # Load used functions
+ . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1')
+ .
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1')
+
+ # Replace tokens in parameter file
+ $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable
+ $ConvertTokensInputs = @{
+ FilePath = $parameterFilePath
+ Tokens = @{}
+ TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ }
+
+ # Add local tokens
+ if ($Settings.parameterFileTokens.localTokens) {
+ $tokenMap = @{}
+ foreach ($token in $Settings.parameterFileTokens.localTokens) {
+ $tokenMap += @{ $token.name = $token.value }
+ }
+ Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose
+ $ConvertTokensInputs.Tokens += $tokenMap
+ }
+
+ $null = Convert-TokensInFile @ConvertTokensInputs
+
+ # Get storage account name
+ $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters
+
+ # Upload files to storage account
+ $functionInput = @{
+ ResourceGroupName = '${{ env.defaultResourceGroupName }}'
+ StorageAccountName = $storageAccountParameters.name.value
+ contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads'
+ targetContainer = $storageAccountParameters.blobServices.value.containers[0].name
+ }
+
+ Write-Verbose "Invoke task with" -Verbose
+ Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
+
+ Export-ContentToBlob @functionInput -Verbose
+ azPSVersion: 'latest'
+
+ job_deploy_sig:
+ runs-on: ubuntu-20.04
+ name: 'Deploy shared image gallery and definition'
+ env:
+ namespace: 'Microsoft.Compute\galleries'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{
env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_imgt:
+ runs-on: ubuntu-20.04
+ name: 'Deploy image template'
+ if: github.event.inputs.deployVhdDependencies == 'true'
+ env:
+ namespace: 'Microsoft.VirtualMachineImages\imageTemplates'
+ needs:
+ - job_deploy_rolea
+ - job_deploy_sig
+ outputs:
+ imageTemplateName: ${{ steps.print_imgt_output.outputs.imageTemplateName }}
+ imageTemplateResourceGroup: ${{ steps.print_imgt_output.outputs.imageTemplateResourceGroup }}
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ id: deploy_imgt
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+ - name: 'Set image template output'
+ id: print_imgt_output
+ uses: azure/powershell@v1
+ with:
+ inlineScript: |
+ $deploymentOutput = '${{ steps.deploy_imgt.outputs.deploymentOutput }}'
+ $imageTemplateName = (ConvertFrom-Json $deploymentOutput).name
+ $imageTemplateResourceGroup = (ConvertFrom-Json $deploymentOutput).resourceGroupName
+ Write-Verbose "imageTemplateName: $imageTemplateName" -Verbose
+ Write-Verbose
"imageTemplateResourceGroup: $imageTemplateResourceGroup" -Verbose
+ Write-Output ('::set-output name={0}::{1}' -f 'imageTemplateName', $imageTemplateName)
+ Write-Output ('::set-output name={0}::{1}' -f 'imageTemplateResourceGroup', $imageTemplateResourceGroup)
+ azPSVersion: 'latest'
+
+ job_deploy_vhd_to_sa:
+ runs-on: ubuntu-20.04
+ name: 'Trigger vhd build and store it to a storage account blob container'
+ if: github.event.inputs.deployVhdDependencies == 'true'
+ env:
+ imgtNamespace: 'Microsoft.VirtualMachineImages\imageTemplates'
+ saNamespace: 'Microsoft.Storage\storageAccounts'
+ needs:
+ - job_deploy_imgt
+ - job_deploy_sa
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Setup agent'
+ shell: pwsh
+ run: |
+ # Load used functions
+ . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
+
+ # Define PS modules to install on the runner
+ $Modules = @(
+ @{ Name = 'Az.ImageBuilder' },
+ @{ Name = 'Az.Storage' }
+ )
+
+ # Set agent up
+ Set-EnvironmentOnAgent -PSModules $Modules
+ - name: Azure Login
+ uses: azure/login@v1
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+ enable-AzPSSession: true
+ - name: 'Trigger building new image'
+ uses: azure/powershell@v1
+ with:
+ inlineScript: |
+ Write-Verbose "Retrieving output from previous job" -Verbose
+ $imageTemplateName = '${{ needs.job_deploy_imgt.outputs.imageTemplateName }}'
+ $imageTemplateResourceGroup = '${{ needs.job_deploy_imgt.outputs.imageTemplateResourceGroup }}'
+
+ Write-Verbose "Trigger new image creation with imageTemplateName $imageTemplateName and imageTemplateResourceGroup $imageTemplateResourceGroup" -Verbose
+ Start-AzImageBuilderTemplate -ImageTemplateName $imageTemplateName -ResourceGroupName $imageTemplateResourceGroup
+ azPSVersion: 'latest'
+ - name: 'Copy baked vhd to a storage account'
+ uses: azure/powershell@v1
+ with:
+ inlineScript: |
+ # Load used functions
+ .
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1')
+
+ # Prepare replace tokens in parameter file
+ $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable
+ $ConvertTokensInputs = @{
+ Tokens = @{}
+ TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ }
+
+ # Add local tokens
+ if ($Settings.parameterFileTokens.localTokens) {
+ $tokenMap = @{}
+ foreach ($token in $Settings.parameterFileTokens.localTokens) {
+ $tokenMap += @{ $token.name = $token.value }
+ }
+ Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose
+ $ConvertTokensInputs.Tokens += $tokenMap
+ }
+
+ # Retrieving parameters from previous job outputs and parameter files
+ Write-Verbose "Retrieving parameters from previous job outputs" -Verbose
+ $imageTemplateName = '${{ needs.job_deploy_imgt.outputs.imageTemplateName }}'
+ $imageTemplateResourceGroup = '${{ needs.job_deploy_imgt.outputs.imageTemplateResourceGroup }}'
+
+ Write-Verbose "Retrieving parameters from storage account parameter files" -Verbose
+ $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.saNamespace }}' 'parameters' 'parameters.json'
+ $null = Convert-TokensInFile @ConvertTokensInputs -FilePath $parameterFilePath -Verbose
+ $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters
+
+ Write-Verbose "Retrieving parameters from image template parameter files" -Verbose
+ $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.imgtNamespace }}' 'parameters' 'parameters.json'
+ $null = Convert-TokensInFile @ConvertTokensInputs -FilePath $parameterFilePath -Verbose
+ $imageTemplateParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters
+
+ # Initializing parameters before the blob copy
+ Write-Verbose "Initializing source
storage account parameters before the blob copy" -Verbose
+ $imgtRunOutput = Get-AzImageBuilderRunOutput -ImageTemplateName $imageTemplateName -ResourceGroupName $imageTemplateResourceGroup | Where-Object ArtifactUri -NE $null
+ $sourceUri = $imgtRunOutput.ArtifactUri
+ $sourceStorageAccountName = $sourceUri.Split('//')[1].Split('.')[0]
+ $sourceStorageAccount = Get-AzStorageAccount | Where-Object StorageAccountName -EQ $sourceStorageAccountName
+ $sourceStorageAccountContext = $sourceStorageAccount.Context
+ $sourceStorageAccountRGName = $sourceStorageAccount.ResourceGroupName
+ Write-Verbose "Retrieving artifact uri $sourceUri stored in resource group $sourceStorageAccountRGName" -Verbose
+
+ Write-Verbose "Initializing destination storage account parameters before the blob copy" -Verbose
+ $destinationStorageAccountName = $storageAccountParameters.name.value
+ $destinationStorageAccount = Get-AzStorageAccount | Where-Object StorageAccountName -EQ $destinationStorageAccountName
+ $destinationStorageAccountContext = $destinationStorageAccount.Context
+ $destinationContainerName = 'vhds'
+ $destinationBlobName = $imageTemplateParameters.name.value
+ $destinationBlobName = "$destinationBlobName.vhd"
+ Write-Verbose "Planning for destination blob name $destinationBlobName in container $destinationContainerName and storage account $destinationStorageAccountName" -Verbose
+
+ # Copying the vhd to a destination blob container
+ Write-Verbose "Copying the vhd to a destination blob container" -Verbose
+ $resourceActionInputObject = @{
+ AbsoluteUri = $sourceUri
+ Context = $sourceStorageAccountContext
+ DestContext = $destinationStorageAccountContext
+ DestBlob = $destinationBlobName
+ DestContainer = $destinationContainerName
+ Force = $true
+ }
+ Start-AzStorageBlobCopy @resourceActionInputObject
+ azPSVersion: 'latest'
+
+ job_deploy_ag:
+ runs-on: ubuntu-20.04
+ name: 'Deploy action groups'
+ env:
+ namespace: 'Microsoft.Insights\actionGroups'
+ needs:
+ -
job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_asg:
+ runs-on: ubuntu-20.04
+ name: 'Deploy application security groups'
+ env:
+ namespace: 'Microsoft.Network\applicationSecurityGroups'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_udr:
+ runs-on: ubuntu-20.04
+ name: 'Deploy route tables'
+ env:
+ namespace: 'Microsoft.Network\routeTables'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_sqlmi_udr:
+ runs-on: ubuntu-20.04
+ name: 'Deploy sqlmi route tables'
+ if: github.event.inputs.deploySqlMiDependencies == 'true'
+ env:
+ namespace: 'Microsoft.Network\routeTables'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['sqlMi.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_nsg:
+ runs-on: ubuntu-20.04
+ name: 'Deploy network security groups'
+ env:
+ namespace: 'Microsoft.Network\networkSecurityGroups'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths:
+ [
+ 'apgw.parameters.json',
+ 'ase.parameters.json',
+ 'bastion.parameters.json',
+ 'parameters.json',
+ ]
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+
parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_sqlmi_nsg:
+ runs-on: ubuntu-20.04
+ name: 'Deploy sqlmi network security group'
+ if: github.event.inputs.deploySqlMiDependencies == 'true'
+ env:
+ namespace: 'Microsoft.Network\networkSecurityGroups'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['sqlmi.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_pip:
+ runs-on: ubuntu-20.04
+ name: 'Deploy public IP addresses'
+ env:
+ namespace: 'Microsoft.Network\publicIPAddresses'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths:
+ [
+ 'apgw.parameters.json',
+ 'bas.parameters.json',
+ 'lb.parameters.json',
+ 'lb.min.parameters.json',
+ 'fw.parameters.json',
+ ]
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ 
parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_appi:
+ runs-on: ubuntu-20.04
+ name: 'Deploy application insight'
+ env:
+ namespace: 'Microsoft.Insights\components'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_aut:
+ runs-on: ubuntu-20.04
+ name: 'Deploy automation account'
+ env:
+ namespace: 'Microsoft.Automation\automationAccounts'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ 
env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_avdhp:
+ runs-on: ubuntu-20.04
+ name: 'Deploy AVD host pool'
+ env:
+ namespace: 'Microsoft.DesktopVirtualization\hostpools'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_rsv:
+ runs-on: ubuntu-20.04
+ name: 'Deploy recovery services vault'
+ env:
+ namespace: 'Microsoft.RecoveryServices\vaults'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ - job_deploy_msi
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ 
env.removeDeployment }}'
+ customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}'
+
+ job_deploy_kv:
+ runs-on: ubuntu-20.04
+ name: 'Deploy key vaults'
+ env:
+ namespace: 'Microsoft.KeyVault\vaults'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ - job_deploy_msi
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json', 'pe.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+ customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}'
+
+ job_deploy_kv_secrets:
+ runs-on: ubuntu-20.04
+ name: 'Set key vault secrets keys and certificates'
+ env:
+ namespace: 'Microsoft.KeyVault\vaults'
+ needs:
+ - job_deploy_kv
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Setup agent'
+ shell: pwsh
+ run: |
+ # Load used functions
+ . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + enable-AzPSSession: true + - name: 'Set key vault secrets keys and certificates' + uses: azure/powershell@v1 + with: + inlineScript: | + + $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json' + # Load used functions + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') + + # Replace tokens in parameter file + $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable + $ConvertTokensInputs = @{ + FilePath = $parameterFilePath + Tokens = @{} + TokenPrefix = $Settings.parameterFileTokens.tokenPrefix + TokenSuffix = $Settings.parameterFileTokens.tokenSuffix + } + if ($Settings.parameterFileTokens.localTokens) { + $tokenMap = @{} + foreach ($token in $Settings.parameterFileTokens.localTokens) { + $tokenMap += @{ $token.name = $token.value } + } + Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose + $ConvertTokensInputs.Tokens += $tokenMap + } + $null = Convert-TokensInFile @ConvertTokensInputs + + # Get key vault name + $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + $keyVaultName = $keyVaultParameters.name.value + + # Generate values + $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $passwordString = (New-Guid).Guid.SubString(0, 19) + $password = ConvertTo-SecureString -String 
$passwordString -AsPlainText -Force
+ $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32)
+ $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force
+
+ # Set secrets
+ # -------
+ @(
+ @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS
+ @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS
+ @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer
+ @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer
+ @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway
+ @{ name = 'apimClientId'; secretValue = $username } # API management
+ @{ name = 'apimClientSecret'; secretValue = $password } # API management
+ ) | ForEach-Object {
+ $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
+ Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+
+ # Set certificates
+ # -----------
+ $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal
+ @(
+ @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway
+ ) | ForEach-Object {
+ $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy
+ Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+
+ # Set keys
+ # ----
+ @(
+ @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS
+ ) | ForEach-Object {
+ $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
+ Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+ azPSVersion: 'latest'
+
+ job_deploy_sqlmi_kv:
+ runs-on: ubuntu-20.04
+ name: 'Deploy sqlmi 
key vault'
+ if: github.event.inputs.deploySqlMiDependencies == 'true'
+ env:
+ namespace: 'Microsoft.KeyVault\vaults'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ - job_deploy_msi
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['sqlmi.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+ customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}'
+
+ job_deploy_sqlmi_kv_secrets:
+ runs-on: ubuntu-20.04
+ name: 'Set sqlmi key vault secrets and keys'
+ if: github.event.inputs.deploySqlMiDependencies == 'true'
+ needs:
+ - job_deploy_sqlmi_kv
+ env:
+ namespace: 'Microsoft.KeyVault\vaults'
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Setup agent'
+ shell: pwsh
+ run: |
+ # Load used functions
+ . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + enable-AzPSSession: true + - name: 'Set sqlmi key vault secrets and keys' + uses: azure/powershell@v1 + with: + inlineScript: | + $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json' + # Load used functions + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInFile.ps1') + + # Replace tokens in parameter file + $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json -AsHashTable + $ConvertTokensInputs = @{ + FilePath = $parameterFilePath + Tokens = @{} + TokenPrefix = $Settings.parameterFileTokens.tokenPrefix + TokenSuffix = $Settings.parameterFileTokens.tokenSuffix + } + + # Add local tokens + if ($Settings.parameterFileTokens.localTokens) { + $tokenMap = @{} + foreach ($token in $Settings.parameterFileTokens.localTokens) { + $tokenMap += @{ $token.name = $token.value } + } + Write-Verbose ('Using local tokens [{0}]' -f ($tokenMap.Keys -join ', ')) -Verbose + $ConvertTokensInputs.Tokens += $tokenMap + } + + $null = Convert-TokensInFile @ConvertTokensInputs + + # Get key vault name + $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + $keyVaultName = $keyVaultParameters.name.value + + # Generate values + $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $passwordString = (New-Guid).Guid.SubString(0, 19) + $password = 
ConvertTo-SecureString -String $passwordString -AsPlainText -Force
+
+ # Set secrets
+ # -------
+ @(
+ @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances
+ @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances
+ ) | ForEach-Object {
+ $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
+ Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+
+ # Set keys
+ # ----
+ @(
+ @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances
+ ) | ForEach-Object {
+ $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
+ Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+ azPSVersion: 'latest'
+
+ job_deploy_avdag:
+ runs-on: ubuntu-20.04
+ name: 'Deploy AVD application group'
+ env:
+ namespace: 'Microsoft.DesktopVirtualization\applicationgroups'
+ needs:
+ - job_deploy_avdhp
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_rolea:
+ runs-on: ubuntu-20.04
+ name: 'Deploy role assignments'
+ env:
+ namespace: 'Microsoft.Authorization\roleAssignments'
+ needs:
+ - job_deploy_msi
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 
'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/subscription/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+ customParameterFileTokens: '{"msiPrincipalId":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}'
+
+ job_deploy_vnet:
+ runs-on: ubuntu-20.04
+ name: 'Deploy virtual networks'
+ env:
+ namespace: 'Microsoft.Network\virtualNetworks'
+ needs:
+ - job_deploy_nsg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths:
+ [
+ '1.bastion.parameters.json',
+ '2.vnetpeer01.parameters.json',
+ '3.vnetpeer02.parameters.json',
+ '4.azfw.parameters.json',
+ '5.aks.parameters.json',
+ '7.virtualHubConnection.parameters.json',
+ 'parameters.json',
+ ]
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_sqlmi_vnet:
+ runs-on: ubuntu-20.04
+ name: 'Deploy sqlmi virtual network'
+ if: github.event.inputs.deploySqlMiDependencies == 'true'
+ env:
+ namespace: 'Microsoft.Network\virtualNetworks'
+ needs:
+ - 
job_deploy_sqlmi_udr
+ - job_deploy_sqlmi_nsg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['6.sqlmi.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_dnszone:
+ runs-on: ubuntu-20.04
+ name: 'Deploy private DNS zones'
+ env:
+ namespace: 'Microsoft.Network\privateDnsZones'
+ needs:
+ - job_deploy_vnet
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_vm:
+ runs-on: ubuntu-20.04
+ name: 'Deploy virtual machines'
+ env:
+ namespace: 'Microsoft.Compute\virtualMachines'
+ needs:
+ - job_deploy_kv_secrets
+ - job_deploy_vnet
+ - job_deploy_rsv
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 
'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
job_deploy_lb:
runs-on: ubuntu-20.04
name: 'Deploy load balancers'
env:
namespace: 'Microsoft.Network\loadBalancers'
- # needs:
- # - job_deploy_vnet
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
+ needs:
+ - job_deploy_vnet
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
strategy:
fail-fast: false
matrix:
From 5c1288584aeb0db3f9959b1f688d7f4c62ae2240 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sun, 6 Mar 2022 11:01:00 +0100
Subject: [PATCH 17/24] Update arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json
Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
.../loadBalancers/.parameters/internal.parameters.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json b/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json
index 4fa665c3dc..4c3ffb022f 100644
--- a/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json
+++ b/arm/Microsoft.Network/loadBalancers/.parameters/internal.parameters.json
@@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
- "value": "<>-az-lb-x-002"
+ "value": "<>-az-lb-internal-001"
},
"loadBalancerSku": {
"value": "Standard"
From 63cedaedf208e120ce16a13dc3acaffeb093ffd6 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sun, 6 Mar 2022 11:02:17 +0100
Subject: [PATCH 18/24] Update utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json
Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
.../loadBalancers/parameters/internal.parameters.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json
index 83de86890d..09f33d5978 100644
--- a/utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json
@@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
- "value": "adp-<>-az-lb-x-001"
+ "value": "adp-<>-az-lb-internal-001"
},
"loadBalancerSku": {
"value": "Standard"
From 85aa9cd0323eb62e2d838a714e08de824ba23fdf Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sun, 6 Mar 2022 11:04:06 +0100
Subject: [PATCH 19/24] simplify dependency params
---
.../parameters/internal.parameters.json | 25 -------------------
1 file changed, 25 deletions(-)
diff --git a/utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json b/utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json
index 09f33d5978..341c6db81b 100644
--- a/utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.Network/loadBalancers/parameters/internal.parameters.json
@@ -71,31 +71,6 @@
"backendPort": 3389
}
]
- },
- "roleAssignments": {
- "value": [
- {
- "roleDefinitionIdOrName": "Reader",
- "principalIds": [
- "<>"
- ]
- }
- ]
- },
- "diagnosticLogsRetentionInDays": {
- "value": 7
- },
- "diagnosticStorageAccountId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<>azsax001"
- },
- "diagnosticWorkspaceId": {
- "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<>-az-law-x-001"
- },
- "diagnosticEventHubAuthorizationRuleId": {
- "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
- },
- "diagnosticEventHubName": {
- "value": "adp-<>-az-evh-x-001"
}
}
}
From e79244df18d43438fd1a6db6b499510e54bfcba1 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sun, 6 Mar 2022 11:06:09 +0100
Subject: [PATCH 20/24] Update .github/workflows/platform.dependencies.yml
Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
.github/workflows/platform.dependencies.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index bbb1039d35..71fc0fc97e 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -1273,7 +1273,6 @@ jobs:
namespace: 'Microsoft.Network\loadBalancers'
needs:
- job_deploy_vnet
- - job_deploy_sa
- job_deploy_evh
- job_deploy_law
strategy:
From a2449608482ff9fe5dc755541a85d9097c76e6d0 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sun, 6 Mar 2022 11:06:17 +0100
Subject: [PATCH 21/24] Update .azuredevops/platformPipelines/platform.dependencies.yml
Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
.azuredevops/platformPipelines/platform.dependencies.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index a64871143e..60021793a8 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -891,7 +891,6 @@ stages:
- deploy_vnet
- deploy_sa
- deploy_evh
- - deploy_law
variables:
resourceType: 'Microsoft.Network/loadBalancers'
templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
From 5476e13ed362fd085124dc3b2fdd0868293962eb Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sun, 6 Mar 2022 11:06:22 +0100
Subject: [PATCH 22/24] Update .azuredevops/platformPipelines/platform.dependencies.yml
Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
.azuredevops/platformPipelines/platform.dependencies.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 60021793a8..1a65b2b91c 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -890,7 +890,6 @@ stages:
dependsOn:
- deploy_vnet
- deploy_sa
- - deploy_evh
variables:
resourceType: 'Microsoft.Network/loadBalancers'
templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
From 73acaf82d0a3431f59f7521127201c7895747f20 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sun, 6 Mar 2022 11:06:29 +0100
Subject: [PATCH 23/24] Update .azuredevops/platformPipelines/platform.dependencies.yml
Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com>
---
.azuredevops/platformPipelines/platform.dependencies.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 1a65b2b91c..bb09bf9cc7 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -889,7 +889,6 @@ stages:
displayName: Deploy load balancers
dependsOn:
- deploy_vnet
- - deploy_sa
variables:
resourceType: 'Microsoft.Network/loadBalancers'
templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
From 720bc13e0c0c62eb51ba0af6dead1f8101c76c60 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sun, 6 Mar 2022 11:08:03 +0100
Subject: [PATCH 24/24] remove dependencies on workflow file as its no longer required by the lb itself
---
.github/workflows/platform.dependencies.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 71fc0fc97e..fc34d7c707 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -1273,8 +1273,6 @@ jobs:
namespace: 'Microsoft.Network\loadBalancers'
needs:
- job_deploy_vnet
- - job_deploy_evh
- - job_deploy_law
strategy:
fail-fast: false
matrix: