From e7e45dfa9709b72c19d7349efa1655e8e7d337b6 Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Mon, 28 Nov 2022 19:40:33 -0500 Subject: [PATCH 01/16] added aadloginforWindows extension --- .../virtualMachines/deploy.bicep | 24 +++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep index b0c78e8a22..f795e48e66 100644 --- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep +++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep @@ -172,6 +172,11 @@ param extensionDomainJoinConfig object = { enabled: false } +@description('Optional. The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed.') +param extensionAadJoinConfig object = { + enabled: false +} + @description('Optional. The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed.') param extensionAntiMalwareConfig object = { enabled: false @@ -325,8 +330,9 @@ var accountSasProperties = { signedResourceTypes: 'o' signedProtocol: 'https' } - -var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +// change SystemAssignedIdentity to True if AADJoin is enabled. +var varsystemAssignedIdentity = extensionAadJoinConfig.enabled ? true : systemAssignedIdentity +var identityType = varsystemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { type: identityType 
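Review bot: The new `extensionAadJoinConfig` description only says the object must contain `enabled`, but the `identityType` change later in this same patch shows that enabling it silently forces a SystemAssigned managed identity onto the VM, which is a privilege-relevant side effect a caller should see in the parameter documentation rather than discover in the resulting resource. The readme appears to be generated from these `@description` strings (a later "ran the set-readme utility" commit in this series drops the hand-written readme note about the identity), so the description is the only place the caveat survives. Suggest extending it to `@description('Optional. The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed. Enabling it also forces a SystemAssigned managed identity on the virtual machine.')`.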
@@ -480,6 +486,20 @@ resource vm_configurationProfileAssignment 'Microsoft.Automanage/configurationPr scope: vm } +module vm_aadJoinExtension 'extensions/deploy.bicep' = if (extensionAadJoinConfig.enabled) { + name: '${uniqueString(deployment().name, location)}-VM-AADLoginForWindows' + params: { + virtualMachineName: vm.name + name: 'AADLoginForWindows' + publisher: 'Microsoft.Azure.ActiveDirectory' + type: 'AADLoginForWindows' + typeHandlerVersion: contains(extensionAadJoinConfig, 'typeHandlerVersion') ? extensionAadJoinConfig.typeHandlerVersion : '1.0' + autoUpgradeMinorVersion: contains(extensionAadJoinConfig, 'autoUpgradeMinorVersion') ? extensionAadJoinConfig.autoUpgradeMinorVersion : true + enableAutomaticUpgrade: contains(extensionAadJoinConfig, 'enableAutomaticUpgrade') ? extensionAadJoinConfig.enableAutomaticUpgrade : false + settings: extensionAadJoinConfig.settings + } +} + module vm_domainJoinExtension 'extensions/deploy.bicep' = if (extensionDomainJoinConfig.enabled) { name: '${uniqueString(deployment().name, location)}-VM-DomainJoin' params: { From b02df0d17e3b9182f22ad7ceebdee2f4d2614cf4 Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Mon, 28 Nov 2022 20:29:06 -0500 Subject: [PATCH 02/16] updated VirtualMachines readme.md with extensionAadJoinConfig --- .../virtualMachines/readme.md | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md index 3cdff22a42..94ce8da80a 100644 --- a/modules/Microsoft.Compute/virtualMachines/readme.md +++ b/modules/Microsoft.Compute/virtualMachines/readme.md 
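Review bot: `settings: extensionAadJoinConfig.settings` is read unconditionally, while the parameter's default and description only guarantee the `enabled` key, so a caller who passes `{ enabled: true }` (which the test parameter files later in this series do) gets a property-not-found error at deployment time. The sibling properties in the same `params` block already guard with `contains(...)`; `settings: contains(extensionAadJoinConfig, 'settings') ? extensionAadJoinConfig.settings : {}` keeps the style consistent and makes the no-settings case (the readme's own example treats `mdmId` as optional) work. This presumes `extensions/deploy.bicep` accepts an empty settings object — confirm against that module.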
@@ -73,6 +73,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally | `extensionCustomScriptConfig` | object | `{object}` | | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. | | `extensionCustomScriptProtectedSetting` | secureObject | `{object}` | | Any object that contains the extension specific protected settings. | | `extensionDependencyAgentConfig` | object | `{object}` | | The configuration for the [Dependency Agent] extension. Must at least contain the ["enabled": true] property to be executed. | +| `extensionAadJoinConfig` | object | `{object}` | | The configuration for the [AADLoginforWindows] extension. Must at least contain the ["enabled": true] property to be executed. Automatically enables the System Assigned Managed Identity. | | `extensionDomainJoinConfig` | object | `{object}` | | The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. | | `extensionDomainJoinPassword` | secureString | `''` | | Required if name is specified. Password of the user specified in user parameter. | | `extensionDSCConfig` | object | `{object}` | | The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. | @@ -500,6 +501,42 @@ configurationProfileAssignments: [

+### Parameter Usage: `extensionAadJoinConfig` + +

+ +Parameter JSON format + +```json +"extensionAadJoinConfig": { + "value": { + "enabled": true, + "settings": { + "mdmId": "0000000a-0000-0000-c000-000000000000" // This enables Intune Enrollment., Do not set mdmId to disable Intune Enrollment. + } + } +} +``` + +
+ +
+ +Bicep format + +```bicep +extensionAadJoinConfig: { + enabled: true + settings: { + mdmId: '0000000a-0000-0000-c000-000000000000' // This enables Intune Enrollment., Do not set mdmId to disable Intune Enrollment. + } +} + +``` + +
+

+ ### Parameter Usage: `extensionDomainJoinConfig`

From 87fe3dcb1273a833d5d67a4ac0cdfe5d647eda22 Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Wed, 30 Nov 2022 09:22:15 -0500 Subject: [PATCH 03/16] changed varSystemAssignedIdentity to systemAssignedIdentityVar --- modules/Microsoft.Compute/virtualMachines/deploy.bicep | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep index f795e48e66..a37f33eb4e 100644 --- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep +++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep @@ -330,9 +330,10 @@ var accountSasProperties = { signedResourceTypes: 'o' signedProtocol: 'https' } -// change SystemAssignedIdentity to True if AADJoin is enabled. -var varsystemAssignedIdentity = extensionAadJoinConfig.enabled ? true : systemAssignedIdentity -var identityType = varsystemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') + +@description('change SystemAssignedIdentity to True if AADJoin is enabled.') +var systemAssignedIdentityVar = extensionAadJoinConfig.enabled ? true : systemAssignedIdentity +var identityType = systemAssignedIdentityVar ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { type: identityType @@ -656,6 +657,7 @@ module vm_backup '../../Microsoft.RecoveryServices/vaults/protectionContainers/p } scope: az.resourceGroup(backupVaultResourceGroup) dependsOn: [ + vm_aadJoinExtension vm_domainJoinExtension vm_microsoftMonitoringAgentExtension vm_microsoftAntiMalwareExtension From f4969c4f27155ba105b69ddbda088a386e1aaa24 Mon Sep 17 00:00:00 2001 
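Review bot: `extensionAadJoinConfig.enabled ? true : systemAssignedIdentity` is a ternary spelling of a boolean OR; `var systemAssignedIdentityVar = extensionAadJoinConfig.enabled || systemAssignedIdentity` expresses the same rule more directly. The new `@description` reads as an instruction ("change SystemAssignedIdentity to True if AADJoin is enabled") rather than a statement of effect; something like `@description('A SystemAssigned identity is forced on when the AAD login extension is enabled, otherwise the caller\'s systemAssignedIdentity value is used.')` tells a reader what the variable actually holds.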
From: Shawn Meyer Date: Tue, 6 Dec 2022 06:55:25 -0500 Subject: [PATCH 04/16] added aadlogonforLinux Ext --- modules/Microsoft.Compute/virtualMachines/deploy.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep index a37f33eb4e..e44d989b01 100644 --- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep +++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep @@ -488,12 +488,12 @@ resource vm_configurationProfileAssignment 'Microsoft.Automanage/configurationPr } module vm_aadJoinExtension 'extensions/deploy.bicep' = if (extensionAadJoinConfig.enabled) { - name: '${uniqueString(deployment().name, location)}-VM-AADLoginForWindows' + name: '${uniqueString(deployment().name, location)}-VM-AADLogin' params: { virtualMachineName: vm.name - name: 'AADLoginForWindows' + name: 'AADLogin' publisher: 'Microsoft.Azure.ActiveDirectory' - type: 'AADLoginForWindows' + type: osType == 'Windows' ? 'AADLoginForWindows' : 'AADSSHLoginforLinux' typeHandlerVersion: contains(extensionAadJoinConfig, 'typeHandlerVersion') ? extensionAadJoinConfig.typeHandlerVersion : '1.0' autoUpgradeMinorVersion: contains(extensionAadJoinConfig, 'autoUpgradeMinorVersion') ? extensionAadJoinConfig.autoUpgradeMinorVersion : true enableAutomaticUpgrade: contains(extensionAadJoinConfig, 'enableAutomaticUpgrade') ? extensionAadJoinConfig.enableAutomaticUpgrade : false From 8ee9658eb0fc69f7a097a7be0c91114e24203899 Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Fri, 9 Dec 2022 09:16:58 -0500 Subject: [PATCH 05/16] added extensionaadjoin to test --- .../virtualMachines/.test/linux/deploy.test.bicep | 3 +++ .../virtualMachines/.test/windows/deploy.test.bicep | 3 +++ 2 files changed, 6 insertions(+) 
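Review bot: The Linux branch of the new `type` ternary is spelled `'AADSSHLoginforLinux'` while the Windows branch (and the published extension names) use an upper-case F; ARM extension type matching may well be case-insensitive, but `type: osType == 'Windows' ? 'AADLoginForWindows' : 'AADSSHLoginForLinux'` removes the doubt and keeps the two branches consistent. Note also that the `settings` object (the line just below this hunk) is now passed unchanged to whichever OS-specific extension is selected, so Windows-oriented settings such as the `mdmId` shown in the readme example would also reach the Linux extension; if that key is Windows-only, as its Intune wording suggests, the parameter description deserves a one-line caveat such as "settings are passed as-is to the OS-specific extension".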
diff --git a/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep index 7e0a6bd7ca..fcf6470328 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep @@ -190,6 +190,9 @@ module testDeployment '../../deploy.bicep' = { VolumeType: 'All' } } + extensionAadJoinConfig: { + enabled: true + } extensionDSCConfig: { enabled: false } diff --git a/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep index 9ed0f6f0a7..184ea8367c 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep @@ -211,6 +211,9 @@ module testDeployment '../../deploy.bicep' = { VolumeType: 'All' } } + extensionAadJoinConfig: { + enabled: true + } extensionDSCConfig: { enabled: true } From 4ebf931de8076d81cc2755d994b4b4897ddd8d64 Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Fri, 16 Dec 2022 07:23:08 -0500 Subject: [PATCH 06/16] ran the set-readme utility --- .../virtualMachines/readme.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md index 94ce8da80a..883e03d8f5 100644 --- a/modules/Microsoft.Compute/virtualMachines/readme.md +++ b/modules/Microsoft.Compute/virtualMachines/readme.md 
@@ -68,12 +68,12 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `enableEvictionPolicy` | bool | `False` | | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | | `encryptionAtHost` | bool | `True` | | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | +| `extensionAadJoinConfig` | object | `{object}` | | The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed. | | `extensionAntiMalwareConfig` | object | `{object}` | | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. | | `extensionAzureDiskEncryptionConfig` | object | `{object}` | | The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. | | `extensionCustomScriptConfig` | object | `{object}` | | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. | | `extensionCustomScriptProtectedSetting` | secureObject | `{object}` | | Any object that contains the extension specific protected settings. | | `extensionDependencyAgentConfig` | object | `{object}` | | The configuration for the [Dependency Agent] extension. 
Must at least contain the ["enabled": true] property to be executed. | -| `extensionAadJoinConfig` | object | `{object}` | | The configuration for the [AADLoginforWindows] extension. Must at least contain the ["enabled": true] property to be executed. Automatically enables the System Assigned Managed Identity. | | `extensionDomainJoinConfig` | object | `{object}` | | The configuration for the [Domain Join] extension. Must at least contain the ["enabled": true] property to be executed. | | `extensionDomainJoinPassword` | secureString | `''` | | Required if name is specified. Password of the user specified in user parameter. | | `extensionDSCConfig` | object | `{object}` | | The configuration for the [Desired State Configuration] extension. Must at least contain the ["enabled": true] property to be executed. | @@ -1176,6 +1176,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { disablePasswordAuthentication: true enableDefaultTelemetry: '' encryptionAtHost: false + extensionAadJoinConfig: { + enabled: true + } extensionAzureDiskEncryptionConfig: { enabled: true settings: { @@ -1385,6 +1388,11 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "encryptionAtHost": { "value": false }, + "extensionAadJoinConfig": { + "value": { + "enabled": true + } + }, "extensionAzureDiskEncryptionConfig": { "value": { "enabled": true, @@ -1865,6 +1873,9 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { diagnosticWorkspaceId: '' enableDefaultTelemetry: '' encryptionAtHost: false + extensionAadJoinConfig: { + enabled: true + } extensionAntiMalwareConfig: { enabled: true settings: { @@ -2087,6 +2098,11 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "encryptionAtHost": { "value": false }, + "extensionAadJoinConfig": { + "value": { + "enabled": true + } + }, "extensionAntiMalwareConfig": { "value": { "enabled": true, 
From 5a5fa4bc7ff5cb4dc3213303212ae50ccfc54cdc Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Fri, 16 Dec 2022 11:13:44 -0500 Subject: [PATCH 07/16] created Gallery-Application --- .../.bicep/nested_roleAssignments.bicep | 87 ++++++ .../galleries/application/deploy.bicep | 100 +++++++ .../galleries/application/readme.md | 258 ++++++++++++++++++ .../galleries/application/version.json | 4 + .../.test/linux/deploy.test.bicep | 3 - .../.test/windows/deploy.test.bicep | 3 - .../virtualMachines/deploy.bicep | 26 +- .../virtualMachines/readme.md | 55 +--- 8 files changed, 452 insertions(+), 84 deletions(-) create mode 100644 modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep create mode 100644 modules/Microsoft.Compute/galleries/application/deploy.bicep create mode 100644 modules/Microsoft.Compute/galleries/application/readme.md create mode 100644 modules/Microsoft.Compute/galleries/application/version.json diff --git a/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep b/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep new file mode 100644 index 0000000000..a57665c1ee --- /dev/null +++ b/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep 
@@ -0,0 +1,87 @@
+@sys.description('Required. The IDs of the principals to assign the role to.')
+param principalIds array
+
+@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
+param roleDefinitionIdOrName string
+
+@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
+param resourceId string
+
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
+
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
+param condition string = ''
+
+@sys.description('Optional. Version of the condition.')
+@allowed([
+ '2.0'
+])
+param conditionVersion string = '2.0'
+
+@sys.description('Optional. Id of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+
+var builtInRoleNames = {
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
+ 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18ed5180-3e48-46fd-8541-4ea054d57064')
+ 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','1ef6a3be-d0ac-425d-8c01-acb62866290b')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','959f8984-c045-4866-89c7-12bf9737be2e')
+ 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','489581de-a3bd-480d-9518-53dea7416b33')
+ 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','40c5ff49-9181-41f8-ae61-143b0e78555e')
+ 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a959dbd1-f747-45e3-8ba6-dd80f235f97c')
+ 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','76283e04-6283-4c54-8f91-bcf1374a3c64')
+ 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')
+ 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','60fc6e62-5479-42d4-8bf4-67625fcc2840')
+ 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b50d9833-a0cb-478e-945f-707fcc997c13')
+ 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','7efff54f-a5b4-42b5-a1c5-5411624893ce')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f7b75c60-3036-4b75-91c3-6b41c27c1689')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','1c0163c0-47e6-4577-8991-ea5c82e286e4')
+ 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
+ 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','fb879df8-f326-4884-b1cf-06f3ad86be52')
+ 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','d24ecba3-c1f4-40fa-a7bb-4588a071e8fd')
+ 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a6333a3e-0164-44c3-b281-7a577aff287f')
+}
+
+resource galleryImage 'Microsoft.Compute/galleries/images@2021-10-01' existing = {
+ name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
+ name: guid(galleryImage.id, principalId, roleDefinitionIdOrName)
+ properties: {
+ description: description
+ roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
+ principalId: principalId
+ principalType: !empty(principalType) ? any(principalType) : null
+ condition: !empty(condition) ? condition : null
+ conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+ delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+ }
+ scope: galleryImage
+}]
diff --git a/modules/Microsoft.Compute/galleries/application/deploy.bicep b/modules/Microsoft.Compute/galleries/application/deploy.bicep
new file mode 100644
index 0000000000..bed63d215b
--- /dev/null
+++ b/modules/Microsoft.Compute/galleries/application/deploy.bicep
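Review bot: The `existing` resource that the role assignment is scoped to is declared as `Microsoft.Compute/galleries/images@2021-10-01`, but this nested module lives under `galleries/application` and is handed `application.id` as `resourceId`, so the `name` expression yields `<gallery>/<application>` and the assignment is scoped to a `galleries/images` resource of that name — the deployment either fails, or, if an image with the same name happens to exist in the gallery, the role is granted on the wrong resource. Change the type (and ideally the symbol) to the application: `resource galleryApplication 'Microsoft.Compute/galleries/applications@2022-03-03' existing = {`, and reference it in `guid(galleryApplication.id, ...)` and `scope: galleryApplication`. The rest of the module (role map, conditional `properties`) follows the shared repository pattern and looks fine.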
@@ -0,0 +1,100 @@
+@description('Required. Name of the application definition.')
+param name string
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Conditional. The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment.')
+@minLength(1)
+param galleryName string
+
+@description('Optional. The description of this gallery Application Definition resource. This property is updatable.')
+param applicationDefinitionDescription string = ''
+
+@description('Optional. The Eula agreement for the gallery Application Definition. Has to be a valid URL.')
+param eula string = ''
+
+@description('Optional. The privacy statement uri. Has to be a valid URL.')
+param privacyStatementUri string = ''
+
+@description('Optional. The release note uri. Has to be a valid URL.')
+param releaseNoteUri string = ''
+
+@description('Optional. This property allows you to specify the supported type of the OS that application is built for.')
+@allowed([
+ 'Windows'
+ 'Linux'
+])
+param supportedOSType string = 'Windows'
+
+@description('Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z.')
+param endOfLife string = ''
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleAssignments array = []
+
+@description('Optional. Tags for all resources.')
+param tags object = {}
+
+@description('Optional. A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application.')
+param customActions object = {}
+
+resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
+ name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
+ properties: {
+ mode: 'Incremental'
+ template: {
+ '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+ contentVersion: '1.0.0.0'
+ resources: []
+ }
+ }
+}
+
+resource gallery 'Microsoft.Compute/galleries@2022-03-03' existing = {
+ name: galleryName
+}
+
+resource application 'Microsoft.Compute/galleries/applications@2022-03-03' = {
+ name: name
+ parent: gallery
+ location: location
+ tags: tags
+ properties: {
+ customActions: !empty(customActions) ? [ customActions ] : null
+ description: applicationDefinitionDescription
+ endOfLifeDate: endOfLife
+ eula: eula
+ privacyStatementUri: privacyStatementUri
+ releaseNoteUri: releaseNoteUri
+ supportedOSType: supportedOSType
+ }
+}
+
+module galleryApplication_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: '${deployment().name}-Rbac-${index}'
+ params: {
+ description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
+ principalIds: roleAssignment.principalIds
+ principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
+ roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
+ condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
+ delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
+ resourceId: application.id
+ }
+}]
+
+@description('The resource group the image was deployed into.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The resource ID of the image.')
+output resourceId string = application.id
+
+@description('The name of the image.')
+output name string = application.name
+
+@description('The location the resource was deployed into.')
+output location string = application.location
diff --git a/modules/Microsoft.Compute/galleries/application/readme.md b/modules/Microsoft.Compute/galleries/application/readme.md
new file mode 100644
index 0000000000..8fcc2e4951
--- /dev/null
+++ b/modules/Microsoft.Compute/galleries/application/readme.md
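Review bot: `param customActions object = {}` contradicts both its own description ("A list of custom actions") and the readme example added in this same patch, which passes an array of actions; an array argument to an `object` parameter fails template validation, and the `[ customActions ]` wrapping in `properties` can only ever yield a single-element list, so a second custom action is unreachable. Declare it as `param customActions array = []` and pass `customActions: !empty(customActions) ? customActions : null`. Separately, the three output descriptions still say "image" (`@description('The resource ID of the image.')` etc.), a leftover from the images module — they should read "application".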
@@ -0,0 +1,258 @@ +# Application `[Microsoft.Compute/galleries/application]` + +This module deploys an Application in a Azure Compute Gallery. + +## Navigation + +- [Resource types](#Resource-types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) + +## Resource types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | +| `Microsoft.Compute/galleries/applications` | [2022-03-03](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-03-03/galleries/applications) | + +## Parameters + +**Required parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `name` | string | Name of the application definition. | + +**Conditional parameters** + +| Parameter Name | Type | Description | +| :-- | :-- | :-- | +| `galleryName` | string | The name of the parent Azure Compute Gallery. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter Name | Type | Default Value | Allowed Values | Description | +| :-- | :-- | :-- | :-- | :-- | +| `applicationDefinitionDescription` | string | `''` | | The description of this gallery Application resource. This property is updatable. | +| `customActions` | object | `{object}` | | A list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application. | +| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `endOfLife` | string | `''` | | The end of life date of the gallery Application. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z. | +| `eula` | string | `''` | | The Eula agreement for the gallery Application. Has to be a valid URL. 
| +| `location` | string | `[resourceGroup().location]` | | Location for all resources. | +| `privacyStatementUri` | string | `''` | | The privacy statement uri. Has to be a valid URL. | +| `releaseNoteUri` | string | `''` | | The release note uri. Has to be a valid URL. | +| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | +| `supportedOSType` | string | `'Windows'` | `[Linux, Windows]` | Supported OS type of the application. | +| `tags` | object | `{object}` | | Tags for all resources. | + +### Parameter Usage: `roleAssignments` + +Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure. + +
+ +Parameter JSON format + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Reader", + "description": "Reader Role Assignment", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ], + "principalType": "ServicePrincipal" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + description: 'Reader Role Assignment' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + '78945612-1234-1234-1234-123456789012' // object 2 + ] + } + { + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + principalIds: [ + '12345678-1234-1234-1234-123456789012' // object 1 + ] + principalType: 'ServicePrincipal' + } +] +``` + +
+

+ +### Parameter Usage: `tags` + +Tag names and tag values can be provided as needed. A tag can be left without a value. + +

+ +Parameter JSON format + +```json +"tags": { + "value": { + "Environment": "Non-Prod", + "Contact": "test.user@testcompany.com", + "PurchaseOrder": "1234", + "CostCenter": "7890", + "ServiceName": "DeploymentValidation", + "Role": "DeploymentValidation" + } +} +``` + +
+ +
+ +Bicep format + +```bicep +tags: { + Environment: 'Non-Prod' + Contact: 'test.user@testcompany.com' + PurchaseOrder: '1234' + CostCenter: '7890' + ServiceName: 'DeploymentValidation' + Role: 'DeploymentValidation' +} +``` + +
+

+### Parameter Usage: `customActions` + +Create a list of custom actions that can be performed with all of the Gallery Application Versions within this Gallery Application. + +

+ +Parameter JSON format + +```json +"customActions": { + "value": [ + { + "description": "This is a sample custom action", + "name": "Name of the custom action 1 (Required). Must be unique within the Compute Gallery", + "parameters": [ + { + "defaultValue": "Default Value of Parameter1. Only applies to string types.", + "description": "a description value to help others understands what it means.", + "name": "The parameter name. (Required)", + "required": True, + "type": "ConfigurationDataBlob, LogOutputBlob, or String" + }, + { + "defaultValue": "Default Value of Parameter2. Only applies to string types.", + "description": "a description value to help others understands what it means.", + "name": "The parameter name. (Required)", + "required": False, + "type": "ConfigurationDataBlob, LogOutputBlob, or String" + } + ], + "script": "The script to run when executing this custom action. (Required)" + }, + { + "description": "This is another sample custom action", + "name": "Name of the custom action 2 (Required). Must be unique within the Compute Gallery", + "parameters": [ + { + "defaultValue": "Default Value of Parameter1. Only applies to string types.", + "description": "a description value to help others understands what it means.", + "name": "The parameter name. (Required)", + "required": True, + "type": "ConfigurationDataBlob, LogOutputBlob, or String" + } + ], + "script": "The script to run when executing this custom action. (Required)" + } + ] +} +``` + +
+ +
+ +Bicep format + +```bicep +customActions: [ + { + description: "This is a sample custom action" + name: "Name of the custom action 1 (Required). Must be unique within the Compute Gallery" + parameters: [ + { + defaultValue: "Default Value of Parameter 1. Only applies to string types." + description: "a description value to help others understands what it means." + name: "The parameter name. (Required)" + required: True, + type: "ConfigurationDataBlob, LogOutputBlob, or String" + } + { + defaultValue: "Default Value of Parameter 2. Only applies to string types." + description: "a description value to help others understands what it means." + name: "The parameter name. (Required)" + required: True, + type: "ConfigurationDataBlob, LogOutputBlob, or String" + } + ] + script: "The script to run when executing this custom action. (Required)" + } + { + description: "This is another sample custom action" + name: "Name of the custom action 2 (Required). Must be unique within the Compute Gallery" + parameters: [ + { + defaultValue: "Default Value of Parameter. Only applies to string types." + description: "a description value to help others understands what it means." + name: "The paramter name. (Required)" + required: True, + type: "ConfigurationDataBlob, LogOutputBlob, or String" + } + ] + script: "The script to run when executing this custom action. (Required)" + } +] +``` + +
+

+ +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `location` | string | The location the resource was deployed into. | +| `name` | string | The name of the image. | +| `resourceGroupName` | string | The resource group the image was deployed into. | +| `resourceId` | string | The resource ID of the image. | + +## Cross-referenced modules + +_None_ diff --git a/modules/Microsoft.Compute/galleries/application/version.json b/modules/Microsoft.Compute/galleries/application/version.json new file mode 100644 index 0000000000..56f8d9ca40 --- /dev/null +++ b/modules/Microsoft.Compute/galleries/application/version.json @@ -0,0 +1,4 @@ +{ + "$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json", + "version": "0.4" +} diff --git a/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep index fcf6470328..7e0a6bd7ca 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/linux/deploy.test.bicep @@ -190,9 +190,6 @@ module testDeployment '../../deploy.bicep' = { VolumeType: 'All' } } - extensionAadJoinConfig: { - enabled: true - } extensionDSCConfig: { enabled: false } diff --git a/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep b/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep index 184ea8367c..9ed0f6f0a7 100644 --- a/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep +++ b/modules/Microsoft.Compute/virtualMachines/.test/windows/deploy.test.bicep @@ -211,9 +211,6 @@ module testDeployment '../../deploy.bicep' = { VolumeType: 'All' } } - extensionAadJoinConfig: { - enabled: true - } extensionDSCConfig: { enabled: true } 
diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep index e44d989b01..90e86fb3fc 100644 --- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep +++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep @@ -172,11 +172,6 @@ param extensionDomainJoinConfig object = { enabled: false } -@description('Optional. The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed.') -param extensionAadJoinConfig object = { - enabled: false -} - @description('Optional. The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed.') param extensionAntiMalwareConfig object = { enabled: false @@ -331,9 +326,7 @@ var accountSasProperties = { signedProtocol: 'https' } -@description('change SystemAssignedIdentity to True if AADJoin is enabled.') -var systemAssignedIdentityVar = extensionAadJoinConfig.enabled ? true : systemAssignedIdentity -var identityType = systemAssignedIdentityVar ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') +var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None') var identity = identityType != 'None' ? { type: identityType 
@@ -487,20 +480,6 @@ resource vm_configurationProfileAssignment 'Microsoft.Automanage/configurationPr scope: vm } -module vm_aadJoinExtension 'extensions/deploy.bicep' = if (extensionAadJoinConfig.enabled) { - name: '${uniqueString(deployment().name, location)}-VM-AADLogin' - params: { - virtualMachineName: vm.name - name: 'AADLogin' - publisher: 'Microsoft.Azure.ActiveDirectory' - type: osType == 'Windows' ? 'AADLoginForWindows' : 'AADSSHLoginforLinux' - typeHandlerVersion: contains(extensionAadJoinConfig, 'typeHandlerVersion') ? extensionAadJoinConfig.typeHandlerVersion : '1.0' - autoUpgradeMinorVersion: contains(extensionAadJoinConfig, 'autoUpgradeMinorVersion') ? extensionAadJoinConfig.autoUpgradeMinorVersion : true - enableAutomaticUpgrade: contains(extensionAadJoinConfig, 'enableAutomaticUpgrade') ? extensionAadJoinConfig.enableAutomaticUpgrade : false - settings: extensionAadJoinConfig.settings - } -} - module vm_domainJoinExtension 'extensions/deploy.bicep' = if (extensionDomainJoinConfig.enabled) { name: '${uniqueString(deployment().name, location)}-VM-DomainJoin' params: { @@ -657,7 +636,6 @@ module vm_backup '../../Microsoft.RecoveryServices/vaults/protectionContainers/p } scope: az.resourceGroup(backupVaultResourceGroup) dependsOn: [ - vm_aadJoinExtension vm_domainJoinExtension vm_microsoftMonitoringAgentExtension vm_microsoftAntiMalwareExtension @@ -668,7 +646,7 @@ module vm_backup '../../Microsoft.RecoveryServices/vaults/protectionContainers/p ] } -resource vm_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { +resource vm_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { name: '${vm.name}-${lock}-lock' properties: { level: any(lock) diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md index 883e03d8f5..8be20528ab 100644 --- a/modules/Microsoft.Compute/virtualMachines/readme.md +++ b/modules/Microsoft.Compute/virtualMachines/readme.md 
@@ -15,7 +15,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | +| `Microsoft.Authorization/locks` | [2020-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Automanage/configurationProfileAssignments` | [2021-04-30-preview](https://docs.microsoft.com/en-us/azure/templates) | | `Microsoft.Compute/virtualMachines` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-07-01/virtualMachines) | 
@@ -68,7 +68,6 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | | `enableEvictionPolicy` | bool | `False` | | Specifies the eviction policy for the low priority virtual machine. Will result in 'Deallocate' eviction policy. | | `encryptionAtHost` | bool | `True` | | This property can be used by user in the request to enable or disable the Host Encryption for the virtual machine. This will enable the encryption for all the disks including Resource/Temp disk at host itself. For security reasons, it is recommended to set encryptionAtHost to True. Restrictions: Cannot be enabled if Azure Disk Encryption (guest-VM encryption using bitlocker/DM-Crypt) is enabled on your VMs. | -| `extensionAadJoinConfig` | object | `{object}` | | The configuration for the [AAD Join] extension. Must at least contain the ["enabled": true] property to be executed. | | `extensionAntiMalwareConfig` | object | `{object}` | | The configuration for the [Anti Malware] extension. Must at least contain the ["enabled": true] property to be executed. | | `extensionAzureDiskEncryptionConfig` | object | `{object}` | | The configuration for the [Azure Disk Encryption] extension. Must at least contain the ["enabled": true] property to be executed. Restrictions: Cannot be enabled on disks that have encryption at host enabled. Managed disks encrypted using Azure Disk Encryption cannot be encrypted using customer-managed keys. | | `extensionCustomScriptConfig` | object | `{object}` | | The configuration for the [Custom Script] extension. Must at least contain the ["enabled": true] property to be executed. | @@ -501,42 +500,6 @@ configurationProfileAssignments: [

-### Parameter Usage: `extensionAadJoinConfig` - -

- -Parameter JSON format - -```json -"extensionAadJoinConfig": { - "value": { - "enabled": true, - "settings": { - "mdmId": "0000000a-0000-0000-c000-000000000000" // This enables Intune Enrollment., Do not set mdmId to disable Intune Enrollment. - } - } -} -``` - -
- -
- -Bicep format - -```bicep -extensionAadJoinConfig: { - enabled: true - settings: { - mdmId: '0000000a-0000-0000-c000-000000000000' // This enables Intune Enrollment., Do not set mdmId to disable Intune Enrollment. - } -} - -``` - -
-

- ### Parameter Usage: `extensionDomainJoinConfig`

@@ -1176,9 +1139,6 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { disablePasswordAuthentication: true enableDefaultTelemetry: '' encryptionAtHost: false - extensionAadJoinConfig: { - enabled: true - } extensionAzureDiskEncryptionConfig: { enabled: true settings: { @@ -1388,11 +1348,6 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "encryptionAtHost": { "value": false }, - "extensionAadJoinConfig": { - "value": { - "enabled": true - } - }, "extensionAzureDiskEncryptionConfig": { "value": { "enabled": true, @@ -1873,9 +1828,6 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { diagnosticWorkspaceId: '' enableDefaultTelemetry: '' encryptionAtHost: false - extensionAadJoinConfig: { - enabled: true - } extensionAntiMalwareConfig: { enabled: true settings: { @@ -2098,11 +2050,6 @@ module virtualMachines './Microsoft.Compute/virtualMachines/deploy.bicep' = { "encryptionAtHost": { "value": false }, - "extensionAadJoinConfig": { - "value": { - "enabled": true - } - }, "extensionAntiMalwareConfig": { "value": { "enabled": true, From b0fb25c5e7f2fba5deba7d857ea421ccfae2b934 Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Fri, 16 Dec 2022 12:17:51 -0500 Subject: [PATCH 08/16] reverting these files to match current main --- modules/Microsoft.Compute/virtualMachines/deploy.bicep | 2 +- modules/Microsoft.Compute/virtualMachines/readme.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/Microsoft.Compute/virtualMachines/deploy.bicep b/modules/Microsoft.Compute/virtualMachines/deploy.bicep index 90e86fb3fc..b0c78e8a22 100644 --- a/modules/Microsoft.Compute/virtualMachines/deploy.bicep +++ b/modules/Microsoft.Compute/virtualMachines/deploy.bicep 
@@ -646,7 +646,7 @@ module vm_backup '../../Microsoft.RecoveryServices/vaults/protectionContainers/p ] } -resource vm_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock)) { +resource vm_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) { name: '${vm.name}-${lock}-lock' properties: { level: any(lock) diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md index 8be20528ab..89107df974 100644 --- a/modules/Microsoft.Compute/virtualMachines/readme.md +++ b/modules/Microsoft.Compute/virtualMachines/readme.md @@ -15,7 +15,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Authorization/locks` | [2020-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | +| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Automanage/configurationProfileAssignments` | [2021-04-30-preview](https://docs.microsoft.com/en-us/azure/templates) | | `Microsoft.Compute/virtualMachines` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-07-01/virtualMachines) | From aba028b9f1ca743336219e6346e3c88c5e5fff5b Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Fri, 16 Dec 2022 12:20:20 -0500 Subject: [PATCH 09/16] fixing link --- modules/Microsoft.Compute/virtualMachines/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/Microsoft.Compute/virtualMachines/readme.md b/modules/Microsoft.Compute/virtualMachines/readme.md index 89107df974..3cdff22a42 100644 --- a/modules/Microsoft.Compute/virtualMachines/readme.md 
+++ b/modules/Microsoft.Compute/virtualMachines/readme.md @@ -15,7 +15,7 @@ This module deploys one Virtual Machine with one or multiple NICs and optionally | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | +| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Automanage/configurationProfileAssignments` | [2021-04-30-preview](https://docs.microsoft.com/en-us/azure/templates) | | `Microsoft.Compute/virtualMachines` | [2021-07-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-07-01/virtualMachines) | From 21e5b49bfcd97036783b64722fe640b495f25c01 Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Sat, 17 Dec 2022 17:33:23 -0500 Subject: [PATCH 10/16] fixed role Assignments --- .../.bicep/nested_roleAssignments.bicep | 57 +++++++------------ 1 file changed, 22 insertions(+), 35 deletions(-) diff --git a/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep b/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep index a57665c1ee..eb88dc5cbf 100644 --- a/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep +++ b/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep 
@@ -34,46 +34,33 @@ param conditionVersion string = '2.0'
 param delegatedManagedIdentityResourceId string = ''
 
 var builtInRoleNames = {
- 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4f8fab4f-1852-4a58-a46a-8eaf358af14a')
- 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
- 'Azure Kubernetes Service Policy Add-on Deployment': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18ed5180-3e48-46fd-8541-4ea054d57064')
- 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','1ef6a3be-d0ac-425d-8c01-acb62866290b')
- Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Data Operator for Managed Disks': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','959f8984-c045-4866-89c7-12bf9737be2e')
- 'Desktop Virtualization Power On Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','489581de-a3bd-480d-9518-53dea7416b33')
- 'Desktop Virtualization Power On Off Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','40c5ff49-9181-41f8-ae61-143b0e78555e')
- 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a959dbd1-f747-45e3-8ba6-dd80f235f97c')
- 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','76283e04-6283-4c54-8f91-bcf1374a3c64')
- 'Disk Backup Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3e5e47e6-65f7-47ef-90b5-e5dd4d455f24')
- 'Disk Pool Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','60fc6e62-5479-42d4-8bf4-67625fcc2840')
- 'Disk Restore Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b50d9833-a0cb-478e-945f-707fcc997c13')
- 'Disk Snapshot Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','7efff54f-a5b4-42b5-a1c5-5411624893ce')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f7b75c60-3036-4b75-91c3-6b41c27c1689')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
- 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f58310d9-a9f6-439a-9e8d-f62e7b41a168')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','1c0163c0-47e6-4577-8991-ea5c82e286e4')
- 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
- 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','fb879df8-f326-4884-b1cf-06f3ad86be52')
- 'VM Scanner Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','d24ecba3-c1f4-40fa-a7bb-4588a071e8fd')
- 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a6333a3e-0164-44c3-b281-7a577aff287f')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
+ 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b')
+ Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
 
-resource galleryImage 'Microsoft.Compute/galleries/images@2021-10-01' existing = {
+resource galleryApplication 'Microsoft.Compute/galleries/applications@2022-03-03' existing = {
 name: '${split(resourceId, '/')[8]}/${split(resourceId, '/')[10]}'
 }
 
 resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
- name: guid(galleryImage.id, principalId, roleDefinitionIdOrName)
+ name: guid(galleryApplication.id, principalId, roleDefinitionIdOrName)
 properties: {
 description: description
 roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
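Review bot: The new `existing` lookup derives the gallery and application names purely by position, `split(resourceId, '/')[8]` and `[10]`, and nothing in the hunk documents or checks the expected shape of `resourceId` (the parameter is declared outside the hunk), so a caller who passes a gallery ID, an image ID or any other shape gets either an opaque ARM failure or, possibly, a role assignment scoped to something other than the intended application. I would add a comment above the resource: `// resourceId must be the full gallery-application ID (/subscriptions/../galleries/{gallery}/applications/{application}); segments 8 and 10 are the gallery and application names` and keep the parameter's `@description` in sync, since this file was copied from the images variant. Note also that the friendly-name map still resolves `Owner` and `User Access Administrator`, so the `roleAssignments` input remains a privilege-granting surface that should only come from trusted parameter files. The `roleAssignment` resource body continues past the end of this hunk.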
@@ -83,5 +70,5 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [ conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null } - scope: galleryImage + scope: galleryApplication }] From cf9a0c51d8cb538bdfbcb618292607d622845e04 Mon Sep 17 00:00:00 2001 From: Shawn Meyer Date: Sat, 17 Dec 2022 17:43:43 -0500 Subject: [PATCH 11/16] ran update-roleassignmentList --- .../application/.bicep/nested_roleAssignments.bicep | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep b/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep index eb88dc5cbf..47d04db055 100644 --- a/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep +++ b/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep @@ -34,8 +34,6 @@ param conditionVersion string = '2.0' param delegatedManagedIdentityResourceId string = '' var builtInRoleNames = { - 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a') - 'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9') 'Compute Gallery Sharing Admin': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1ef6a3be-d0ac-425d-8c01-acb62866290b') Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') 'Desktop Virtualization Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c') 
@@ -45,14 +43,13 @@ var builtInRoleNames = { 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae') 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44') 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa') - 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb') 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05') Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') - 'Reservation Purchaser': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f7b75c60-3036-4b75-91c3-6b41c27c1689') 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608') 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') + 'Windows Admin Center Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f') } resource galleryApplication 'Microsoft.Compute/galleries/applications@2022-03-03' existing = { From e81752ac25adcfca03808fce01b7cf2aadfa5439 Mon Sep 17 00:00:00 2001 
From: Shawn Meyer Date: Sat, 17 Dec 2022 17:47:09 -0500 Subject: [PATCH 12/16] changed endofLife to endOfLifeDate --- modules/Microsoft.Compute/galleries/application/deploy.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/Microsoft.Compute/galleries/application/deploy.bicep b/modules/Microsoft.Compute/galleries/application/deploy.bicep index bed63d215b..9942ddea62 100644 --- a/modules/Microsoft.Compute/galleries/application/deploy.bicep +++ b/modules/Microsoft.Compute/galleries/application/deploy.bicep @@ -31,7 +31,7 @@ param releaseNoteUri string = '' param supportedOSType string = 'Windows' @description('Optional. The end of life date of the gallery Image Definition. This property can be used for decommissioning purposes. This property is updatable. Allowed format: 2020-01-10T23:00:00.000Z.') -param endOfLife string = '' +param endOfLifeDate string = '' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] @@ -66,7 +66,7 @@ resource application 'Microsoft.Compute/galleries/applications@2022-03-03' = { properties: { customActions: !empty(customActions) ? [ customActions ] : null description: applicationDefinitionDescription - endOfLifeDate: endOfLife + endOfLifeDate: endOfLifeDate eula: eula privacyStatementUri: privacyStatementUri releaseNoteUri: releaseNoteUri From 89cb063480effcc58455914e0a8264b1248aa136 Mon Sep 17 00:00:00 2001 
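Review bot: The renamed `endOfLifeDate` parameter still defaults to `''` and is passed straight through as `endOfLifeDate: endOfLifeDate`, so every caller that leaves it unset sends an empty string to a date-time property; the line directly above already uses the module's null-when-unset convention, so this should read `endOfLifeDate: !empty(endOfLifeDate) ? endOfLifeDate : null`. While in that block, `customActions: !empty(customActions) ? [ customActions ] : null` wraps what the readme documents as a list inside another array, which looks like it yields an array of arrays — the `customActions` declaration is outside the hunk, so confirm its type, and if it is already an array the line should be `customActions: !empty(customActions) ? customActions : null`. The description promises a format (`2020-01-10T23:00:00.000Z`) that nothing in the module validates; a short note that ARM, not this template, rejects malformed values would set the right expectation.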
From: Shawn Meyer Date: Sat, 17 Dec 2022 21:30:30 -0500 Subject: [PATCH 13/16] added test and child resource to gallery module --- .../.test/applications/dependencies.bicep | 14 +++ .../.test/applications/deploy.test.bicep | 107 ++++++++++++++++++ .../.bicep/nested_roleAssignments.bicep | 0 .../deploy.bicep | 0 .../{application => applications}/readme.md | 0 .../version.json | 0 .../Microsoft.Compute/galleries/deploy.bicep | 26 ++++- 7 files changed, 145 insertions(+), 2 deletions(-) create mode 100644 modules/Microsoft.Compute/galleries/.test/applications/dependencies.bicep create mode 100644 modules/Microsoft.Compute/galleries/.test/applications/deploy.test.bicep rename modules/Microsoft.Compute/galleries/{application => applications}/.bicep/nested_roleAssignments.bicep (100%) rename modules/Microsoft.Compute/galleries/{application => applications}/deploy.bicep (100%) rename modules/Microsoft.Compute/galleries/{application => applications}/readme.md (100%) rename modules/Microsoft.Compute/galleries/{application => applications}/version.json (100%)
diff --git a/modules/Microsoft.Compute/galleries/.test/applications/dependencies.bicep b/modules/Microsoft.Compute/galleries/.test/applications/dependencies.bicep
new file mode 100644
index 0000000000..7371d4437b
--- /dev/null
+++ b/modules/Microsoft.Compute/galleries/.test/applications/dependencies.bicep
@@ -0,0 +1,14 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
diff --git a/modules/Microsoft.Compute/galleries/.test/applications/deploy.test.bicep b/modules/Microsoft.Compute/galleries/.test/applications/deploy.test.bicep new file mode 100644 index 0000000000..a9d86fd8ad --- /dev/null +++ b/modules/Microsoft.Compute/galleries/.test/applications/deploy.test.bicep 
@@ -0,0 +1,107 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'ms.compute.galleries-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param location string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'cgimages'
+
+@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
+param enableDefaultTelemetry bool = true
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: location
+}
+
+module resourceGroupResources 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, location)}-paramNested'
+ params: {
+ managedIdentityName: 'dep-<>-msi-${serviceShort}'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+module testDeployment '../../deploy.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name)}-test-${serviceShort}'
+ params: {
+ enableDefaultTelemetry: enableDefaultTelemetry
+ name: '<>${serviceShort}001'
+ applications: [
+ {
+ name: '<>-${serviceShort}-appd-001'
+ }
+ {
+ name: '<>-az-appd-x-001'
+ supportedOSType: 'Windows'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalIds: [
+ resourceGroupResources.outputs.managedIdentityPrincipalId
+ ]
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ }
+ ]
+ images: [
+ {
+ name: '<>-${serviceShort}-imgd-001'
+ }
+ {
+ hyperVGeneration: 'V1'
+ maxRecommendedMemory: 16
+ maxRecommendedvCPUs: 8
+ minRecommendedMemory: 4
+ minRecommendedvCPUs: 2
+ name: '<>-az-imgd-x-001'
+ offer: 'WindowsServer'
+ osState: 'Generalized'
+ osType: 'Windows'
+ publisher: 'MicrosoftWindowsServer'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalIds: [
+ resourceGroupResources.outputs.managedIdentityPrincipalId
+ ]
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ sku: '2022-datacenter-azure-edition'
+ }
+ {
+ hyperVGeneration: 'V2'
+ maxRecommendedMemory: 32
+ maxRecommendedvCPUs: 4
+ minRecommendedMemory: 4
+ minRecommendedvCPUs: 1
+ name: '<>-az-imgd-x-002'
+ offer: '0001-com-ubuntu-server-focal'
+ osState: 'Generalized'
+ osType: 'Linux'
+ publisher: 'canonical'
+ sku: '20_04-lts-gen2'
+ }
+ ]
+ }
+}
diff --git a/modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep b/modules/Microsoft.Compute/galleries/applications/.bicep/nested_roleAssignments.bicep
similarity index 100%
rename from modules/Microsoft.Compute/galleries/application/.bicep/nested_roleAssignments.bicep
rename to modules/Microsoft.Compute/galleries/applications/.bicep/nested_roleAssignments.bicep
diff --git a/modules/Microsoft.Compute/galleries/application/deploy.bicep b/modules/Microsoft.Compute/galleries/applications/deploy.bicep
similarity index 100%
rename from modules/Microsoft.Compute/galleries/application/deploy.bicep
rename to modules/Microsoft.Compute/galleries/applications/deploy.bicep
diff --git a/modules/Microsoft.Compute/galleries/application/readme.md b/modules/Microsoft.Compute/galleries/applications/readme.md
similarity index 100%
rename from modules/Microsoft.Compute/galleries/application/readme.md
rename to modules/Microsoft.Compute/galleries/applications/readme.md
diff --git a/modules/Microsoft.Compute/galleries/application/version.json b/modules/Microsoft.Compute/galleries/applications/version.json
similarity index 100%
rename from modules/Microsoft.Compute/galleries/application/version.json
rename to modules/Microsoft.Compute/galleries/applications/version.json
diff --git a/modules/Microsoft.Compute/galleries/deploy.bicep b/modules/Microsoft.Compute/galleries/deploy.bicep
index 8a47cdf126..88320348ca 100644
--- a/modules/Microsoft.Compute/galleries/deploy.bicep
+++ b/modules/Microsoft.Compute/galleries/deploy.bicep
@@ -1,5 +1,5 @@
 @minLength(1)
-@description('Required. Name of the Azure Shared Image Gallery.')
+@description('Required. Name of the Azure Compute Gallery.')
 param name string
 @description('Optional. Location for all resources.')
@@ -8,6 +8,9 @@ param location string = resourceGroup().location
 @description('Optional. Description of the Azure Shared Image Gallery.')
 param galleryDescription string = ''
+@description('Optional. Applications to create.')
+param applications array = []
+
 @description('Optional. Images to create.')
 param images array = []
@@ -42,7 +45,7 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
 }
 }
-resource gallery 'Microsoft.Compute/galleries@2021-10-01' = {
+resource gallery 'Microsoft.Compute/galleries@2022-03-03' = {
 name: name
 location: location
 tags: tags
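Review bot: The second hunk's context line `@description('Optional. Description of the Azure Shared Image Gallery.')` still carries the old product name while the first hunk changes the `name` description to 'Azure Compute Gallery'; for consistency it should become `@description('Optional. Description of the Azure Compute Gallery.')` so the generated readme stops mixing the two names. The new `applications` parameter description could also state what an entry looks like, e.g. `@description('Optional. Applications to create. Each entry is an object that must at least contain a [name]; all other properties are optional.')`, since the readme parameter table is generated from it. The `gallery` resource definition in the last hunk continues past the end of the hunk.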
@@ -74,6 +77,25 @@ module gallery_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (rol
 }
 }]
+// Applications
+module galleries_applications 'applications/deploy.bicep' = [for (application, index) in applications: {
+ name: '${uniqueString(deployment().name, location)}-Gallery-Application-${index}'
+ params: {
+ name: application.name
+ galleryName: gallery.name
+ supportedOSType: contains(application, 'supportOSType') ? application.supportedOSType : 'Windows'
+ applicationDefinitionDescription: contains(application, 'applicationDefinitionDescription') ? application.applicationDefinitionDescription : ''
+ eula: contains(application, 'eula') ? application.eula : ''
+ privacyStatementUri: contains(application, 'privacyStatementUri') ? application.privacyStatementUri : ''
+ releaseNoteUri: contains(application, 'releaseNoteUri') ? application.releaseNoteUri : ''
+ endOfLifeDate: contains(application, 'endOfLifeDate') ? application.endOfLifeDate : ''
+ roleAssignments: contains(application, 'roleAssignments') ? application.roleAssignments : []
+ customActions: contains(application, 'customActions') ? application.customActions : []
+ tags: contains(application, 'tags') ? application.tags : {}
+ enableDefaultTelemetry: enableReferencedModulesTelemetry
+ }
+}]
+
 // Images
 module galleries_images 'images/deploy.bicep' = [for (image, index) in images: {
 name: '${uniqueString(deployment().name, location)}-Gallery-Image-${index}'
From 9d49772d8848a1b5fb4ad41ef0b35cdfd6538841 Mon Sep 17 00:00:00 2001
From: Shawn Meyer
Date: Sat, 17 Dec 2022 21:41:27 -0500
Subject: [PATCH 14/16] updated readme and applications test
---
 .../.test/applications/deploy.test.bicep | 40 -------------------
 modules/Microsoft.Compute/galleries/readme.md | 3 +-
 2 files changed, 2 insertions(+), 41 deletions(-)
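Review bot: The `supportedOSType` line tests for the key `supportOSType` but then reads `application.supportedOSType`, so `contains()` is false for every caller and an entry passed as `supportedOSType: 'Linux'` is silently created with the `'Windows'` default; the key should be `supportedOSType: contains(application, 'supportedOSType') ? application.supportedOSType : 'Windows'`. The test cases in this series only ever pass `'Windows'`, which is also the default, so they cannot expose the mismatch. The `galleries_images` module the hunk ends on continues outside the hunk.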
diff --git a/modules/Microsoft.Compute/galleries/.test/applications/deploy.test.bicep b/modules/Microsoft.Compute/galleries/.test/applications/deploy.test.bicep
index a9d86fd8ad..c5e953fcf0 100644
--- a/modules/Microsoft.Compute/galleries/.test/applications/deploy.test.bicep
+++ b/modules/Microsoft.Compute/galleries/.test/applications/deploy.test.bicep
@@ -63,45 +63,5 @@ module testDeployment '../../deploy.bicep' = {
 ]
 }
 ]
- images: [
- {
- name: '<>-${serviceShort}-imgd-001'
- }
- {
- hyperVGeneration: 'V1'
- maxRecommendedMemory: 16
- maxRecommendedvCPUs: 8
- minRecommendedMemory: 4
- minRecommendedvCPUs: 2
- name: '<>-az-imgd-x-001'
- offer: 'WindowsServer'
- osState: 'Generalized'
- osType: 'Windows'
- publisher: 'MicrosoftWindowsServer'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalIds: [
- resourceGroupResources.outputs.managedIdentityPrincipalId
- ]
- principalType: 'ServicePrincipal'
- }
- ]
- sku: '2022-datacenter-azure-edition'
- }
- {
- hyperVGeneration: 'V2'
- maxRecommendedMemory: 32
- maxRecommendedvCPUs: 4
- minRecommendedMemory: 4
- minRecommendedvCPUs: 1
- name: '<>-az-imgd-x-002'
- offer: '0001-com-ubuntu-server-focal'
- osState: 'Generalized'
- osType: 'Linux'
- publisher: 'canonical'
- sku: '20_04-lts-gen2'
- }
- ]
 }
 }
diff --git a/modules/Microsoft.Compute/galleries/readme.md b/modules/Microsoft.Compute/galleries/readme.md
index 081dfc396a..d35a7fddff 100644
--- a/modules/Microsoft.Compute/galleries/readme.md
+++ b/modules/Microsoft.Compute/galleries/readme.md
@@ -16,7 +16,8 @@ This module deploys an Azure compute gallery (formerly known as shared image gal
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `Microsoft.Compute/galleries` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-10-01/galleries) |
+| `Microsoft.Compute/galleries` | [2022-03-03](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-03-03/galleries) |
+| `Microsoft.Compute/galleries/applications` | [2022-03-03](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2022-03-03/galleries/applications) |
 | `Microsoft.Compute/galleries/images` | [2021-10-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2021-10-01/galleries/images) |
 ## Parameters
From 98682eabcd2b8dbb834caac0ced3847d16171a6a Mon Sep 17 00:00:00 2001
From: Shawn Meyer
Date: Mon, 19 Dec 2022 07:55:25 -0500
Subject: [PATCH 15/16] added application test to common test
---
 .../galleries/.test/common/deploy.test.bicep | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/modules/Microsoft.Compute/galleries/.test/common/deploy.test.bicep b/modules/Microsoft.Compute/galleries/.test/common/deploy.test.bicep
index 9078e48221..6ccd217d26 100644
--- a/modules/Microsoft.Compute/galleries/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.Compute/galleries/.test/common/deploy.test.bicep
@@ -55,5 +55,23 @@ module testDeployment '../../deploy.bicep' = {
 principalType: 'ServicePrincipal'
 }
 ]
+ applications: [
+ {
+ name: '<>-${serviceShort}-appd-001'
+ }
+ {
+ name: '<>-az-appd-x-001'
+ supportedOSType: 'Windows'
+ roleAssignments: [
+ {
+ roleDefinitionIdOrName: 'Reader'
+ principalIds: [
+ resourceGroupResources.outputs.managedIdentityPrincipalId
+ ]
+ principalType: 'ServicePrincipal'
+ }
+ ]
+ }
+ ]
 }
 }
From e25352358d2c5a6a1208b33c3bc25da0db20dbb4 Mon Sep 17 00:00:00 2001
From: Shawn Meyer
Date: Mon, 19 Dec 2022 11:13:49 -0500
Subject: [PATCH 16/16] updated readme and deleted .applicatons from test
---
 .../.test/applications/dependencies.bicep | 14 ----
 .../.test/applications/deploy.test.bicep | 67 -------------------
 .../galleries/.test/common/deploy.test.bicep | 2 +-
 modules/Microsoft.Compute/galleries/readme.md | 41 +++++++++++-
 4 files changed, 41 insertions(+), 83 deletions(-)
 delete mode 100644 modules/Microsoft.Compute/galleries/.test/applications/dependencies.bicep
 delete mode 100644 modules/Microsoft.Compute/galleries/.test/applications/deploy.test.bicep
diff --git a/modules/Microsoft.Compute/galleries/.test/applications/dependencies.bicep b/modules/Microsoft.Compute/galleries/.test/applications/dependencies.bicep
deleted file mode 100644
index 7371d4437b..0000000000
--- a/modules/Microsoft.Compute/galleries/.test/applications/dependencies.bicep
+++ /dev/null
@@ -1,14 +0,0 @@
-@description('Optional. The location to deploy to.')
-param location string = resourceGroup().location
-
-@description('Required. The name of the Managed Identity to create.')
-param managedIdentityName string
-
-resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
- name: managedIdentityName
- location: location
-}
-
-@description('The principal ID of the created Managed Identity.')
-output managedIdentityPrincipalId string = managedIdentity.properties.principalId
-
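Review bot: Both applications added to the common test either omit `supportedOSType` or set it to `'Windows'`, which is the module's own default, so this test cannot tell whether the value is actually forwarded to the child module; add a third entry such as `{ name: '<>-${serviceShort}-appd-003', supportedOSType: 'Linux' }` so a non-default OS type is exercised. The `roleAssignments` block grants only `Reader` to a test-owned managed identity, which is appropriate for a fixture. The enclosing `testDeployment` module starts above the hunk.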
diff --git a/modules/Microsoft.Compute/galleries/.test/applications/deploy.test.bicep b/modules/Microsoft.Compute/galleries/.test/applications/deploy.test.bicep
deleted file mode 100644
index c5e953fcf0..0000000000
--- a/modules/Microsoft.Compute/galleries/.test/applications/deploy.test.bicep
+++ /dev/null
@@ -1,67 +0,0 @@
-targetScope = 'subscription'
-
-// ========== //
-// Parameters //
-// ========== //
-@description('Optional. The name of the resource group to deploy for testing purposes.')
-@maxLength(90)
-param resourceGroupName string = 'ms.compute.galleries-${serviceShort}-rg'
-
-@description('Optional. The location to deploy resources to.')
-param location string = deployment().location
-
-@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'cgimages'
-
-@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
-param enableDefaultTelemetry bool = true
-
-// =========== //
-// Deployments //
-// =========== //
-
-// General resources
-// =================
-resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
- name: resourceGroupName
- location: location
-}
-
-module resourceGroupResources 'dependencies.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name, location)}-paramNested'
- params: {
- managedIdentityName: 'dep-<>-msi-${serviceShort}'
- }
-}
-
-// ============== //
-// Test Execution //
-// ============== //
-
-module testDeployment '../../deploy.bicep' = {
- scope: resourceGroup
- name: '${uniqueString(deployment().name)}-test-${serviceShort}'
- params: {
- enableDefaultTelemetry: enableDefaultTelemetry
- name: '<>${serviceShort}001'
- applications: [
- {
- name: '<>-${serviceShort}-appd-001'
- }
- {
- name: '<>-az-appd-x-001'
- supportedOSType: 'Windows'
- roleAssignments: [
- {
- roleDefinitionIdOrName: 'Reader'
- principalIds: [
- resourceGroupResources.outputs.managedIdentityPrincipalId
- ]
- principalType: 'ServicePrincipal'
- }
- ]
- }
- ]
- }
-}
diff --git a/modules/Microsoft.Compute/galleries/.test/common/deploy.test.bicep b/modules/Microsoft.Compute/galleries/.test/common/deploy.test.bicep
index 6ccd217d26..97fe520939 100644
--- a/modules/Microsoft.Compute/galleries/.test/common/deploy.test.bicep
+++ b/modules/Microsoft.Compute/galleries/.test/common/deploy.test.bicep
@@ -60,7 +60,7 @@ module testDeployment '../../deploy.bicep' = {
 name: '<>-${serviceShort}-appd-001'
 }
 {
- name: '<>-az-appd-x-001'
+ name: '<>-appd-002'
 supportedOSType: 'Windows'
 roleAssignments: [
 {
diff --git a/modules/Microsoft.Compute/galleries/readme.md b/modules/Microsoft.Compute/galleries/readme.md
index d35a7fddff..7455b074f9 100644
--- a/modules/Microsoft.Compute/galleries/readme.md
+++ b/modules/Microsoft.Compute/galleries/readme.md
@@ -26,12 +26,13 @@ This module deploys an Azure compute gallery (formerly known as shared image gal
 | Parameter Name | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | Name of the Azure Shared Image Gallery. |
+| `name` | string | Name of the Azure Compute Gallery. |
 **Optional parameters**
 | Parameter Name | Type | Default Value | Allowed Values | Description |
 | :-- | :-- | :-- | :-- | :-- |
+| `applications` | _[applications](applications/readme.md)_ array | `[]` | | Applications to create. |
 | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). |
 | `galleryDescription` | string | `''` | | Description of the Azure Shared Image Gallery. |
 | `images` | _[images](images/readme.md)_ array | `[]` | | Images to create. |
@@ -174,6 +175,24 @@ module galleries './Microsoft.Compute/galleries/deploy.bicep' = {
 // Required parameters
 name: '<>cgcom001'
 // Non-required parameters
+ applications: [
+ {
+ name: '<>-cgcom-appd-001'
+ }
+ {
+ name: '<>-appd-002'
+ roleAssignments: [
+ {
+ principalIds: [
+ ''
+ ]
+ principalType: 'ServicePrincipal'
+ roleDefinitionIdOrName: 'Reader'
+ }
+ ]
+ supportedOSType: 'Windows'
+ }
+ ]
 enableDefaultTelemetry: ''
 lock: 'CanNotDelete'
 roleAssignments: [
@@ -206,6 +225,26 @@ module galleries './Microsoft.Compute/galleries/deploy.bicep' = {
 "value": "<>cgcom001"
 },
 // Non-required parameters
+ "applications": {
+ "value": [
+ {
+ "name": "<>-cgcom-appd-001"
+ },
+ {
+ "name": "<>-appd-002",
+ "roleAssignments": [
+ {
+ "principalIds": [
+ ""
+ ],
+ "principalType": "ServicePrincipal",
+ "roleDefinitionIdOrName": "Reader"
+ }
+ ],
+ "supportedOSType": "Windows"
+ }
+ ]
+ },
 "enableDefaultTelemetry": {
 "value": ""
 },