From 43d3dfb583e64d20a649d08143969226e2d3c411 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Dec 2021 14:20:09 +0100 Subject: [PATCH 01/72] Added first deployment (RG) --- .../platform.dependencies.yml | 34 +++++++++++++++++++ .github/workflows/platform.dependencies.yml | 2 +- 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 .azuredevops/platformPipelines/platform.dependencies.yml diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml new file mode 100644 index 0000000000..3d9e19c796 --- /dev/null +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -0,0 +1,34 @@ +name: '.Platform: Dependencies' + +# trigger: +# batch: true +# branches: +# include: +# - main +# paths: +# include: +# - '.azuredevops/pipelineTemplates/module.jobs.deploy.yml' +# - '.azuredevops/platformPipelines/platform.dependencies.yml' +# - 'utilities/pipelines/dependencies/**' + +variables: + - template: '/.azuredevops/pipelineVariables/global.variables.yml' + - group: 'PLATFORM_VARIABLES' + - name: dependencyPath + value: 'utilities/pipelines/dependencies' + - name: modulesPath + value: 'arm' + +stages: + - stage: ResourceGroups + displayName: Resource Groups + variables: + - templateFilePath: $(modulesPath)/Microsoft.Resources/resourceGroups/deploy.json + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/Microsoft.Resources/resourceGroups/parameters/artifacts.parameters.json + templateFilePath: $(templateFilePath) + - path: $(dependencyPath)/Microsoft.Resources/resourceGroups/parameters/validation.parameters.json + templateFilePath: $(templateFilePath) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index fdce96ce03..1e486258db 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml 
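Review bot: The new pipeline gives no reason for its `trigger:` block being commented out, so a reader cannot tell whether the manual-only behaviour is deliberate or a leftover from copying the GitHub workflow; a comment above the block such as `# trigger intentionally disabled: run this pipeline manually` would settle that. The `PLATFORM_VARIABLES` variable group is likewise referenced without any note on what it is expected to supply (presumably the `serviceConnection`, `poolName` and `vmImage` values that later commits in this series read), and a one-line comment listing the expected names would spare the next maintainer a trip to the library. The stage-level `variables:` entry `- templateFilePath: ...` is written in list form without `name:`/`value:`, which Azure Pipelines does not accept; the following commit already corrects it.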
@@ -13,7 +13,7 @@ on: # branches: # - main # paths: - # - '.github/actions/templates/**' + # - '.github/actions/templates/validateModuleDeployment/**' # - '.github/workflows/platform.dependencies.yml' # - 'utilities/pipelines/dependencies/**' From 01e5019543d4840dced6c7acefdc7b95b8c18950 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Dec 2021 14:29:14 +0100 Subject: [PATCH 02/72] Update to latest --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 3d9e19c796..8d7906505f 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -23,7 +23,7 @@ stages: - stage: ResourceGroups displayName: Resource Groups variables: - - templateFilePath: $(modulesPath)/Microsoft.Resources/resourceGroups/deploy.json + templateFilePath: $(modulesPath)/Microsoft.Resources/resourceGroups/deploy.json jobs: - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml parameters: From 848896c9d5cba680c2c885c2f406e73632a03a89 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Dec 2021 14:31:52 +0100 Subject: [PATCH 03/72] Update to latest --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 8d7906505f..2adbf183f7 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
@@ -30,5 +30,7 @@ stages: deploymentBlocks: - path: $(dependencyPath)/Microsoft.Resources/resourceGroups/parameters/artifacts.parameters.json templateFilePath: $(templateFilePath) + displayName: Artifacts Resource Group - path: $(dependencyPath)/Microsoft.Resources/resourceGroups/parameters/validation.parameters.json templateFilePath: $(templateFilePath) + displayName: Validation Resource Group From f79dc81cc1f0c333b277252b141abccadb6df81b Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Dec 2021 14:32:14 +0100 Subject: [PATCH 04/72] Update to latest --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 2adbf183f7..127063156c 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -1,4 +1,4 @@ -name: '.Platform: Dependencies' +name: '.Platform - Dependencies' # trigger: # batch: true From b7133821021c886adbe0519ae0918baebe7a0551 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Dec 2021 14:36:56 +0100 Subject: [PATCH 05/72] Update to latest --- .../platformPipelines/platform.dependencies.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 127063156c..0a18d00501 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -20,8 +20,8 @@ variables: value: 'arm' stages: - - stage: ResourceGroups - displayName: Resource Groups + - stage: deploy_rg + displayName: Deploy resource group variables: templateFilePath: $(modulesPath)/Microsoft.Resources/resourceGroups/deploy.json jobs: 
@@ -34,3 +34,15 @@ stages: - path: $(dependencyPath)/Microsoft.Resources/resourceGroups/parameters/validation.parameters.json templateFilePath: $(templateFilePath) displayName: Validation Resource Group + + - stage: deploy_msi + displayName: Deploy user assigned identity + variables: + templateFilePath: $(modulesPath)/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.json + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/Microsoft.Resources/resourceGroups/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: User Assigned Identity From f604cad82f8f2f6dffb139ff04f4f453a45a6d84 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Dec 2021 14:38:42 +0100 Subject: [PATCH 06/72] Update to latest --- .azuredevops/platformPipelines/platform.dependencies.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 0a18d00501..307ebc3959 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -23,7 +23,7 @@ stages: - stage: deploy_rg displayName: Deploy resource group variables: - templateFilePath: $(modulesPath)/Microsoft.Resources/resourceGroups/deploy.json + templateFilePath: $(modulesPath)/Microsoft.Resources/resourceGroups/deploy.bicep jobs: - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml parameters: @@ -38,7 +38,7 @@ stages: - stage: deploy_msi displayName: Deploy user assigned identity variables: - templateFilePath: $(modulesPath)/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.json + templateFilePath: $(modulesPath)/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep jobs: - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml parameters: 
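Review bot: The new `deploy_msi` stage points its deployment block at `$(dependencyPath)/Microsoft.Resources/resourceGroups/parameters/parameters.json` while its `templateFilePath` is the `Microsoft.ManagedIdentity/userAssignedIdentities` module, so the identity would be deployed with the resource group's parameter file; the path looks copy-pasted from `deploy_rg` and should read `- path: $(dependencyPath)/Microsoft.ManagedIdentity/userAssignedIdentities/parameters/parameters.json`. The stage also carries no `dependsOn`; Azure Pipelines runs stages in file order when none is given, so it still follows `deploy_rg`, but an explicit `dependsOn: [deploy_rg]` documents that the identity is created inside a resource group the previous stage provisions.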
From 67d410fd3d1aebd1d0b70e765cf4af36377c42ba Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Dec 2021 14:42:34 +0100 Subject: [PATCH 07/72] Update to latest --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 307ebc3959..92abab7788 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -46,3 +46,5 @@ stages: - path: $(dependencyPath)/Microsoft.Resources/resourceGroups/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: User Assigned Identity + dependsOn: + - deploy_rg From c4ad02910bb4087e8a10bf5a12e5526da130b15a Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Dec 2021 16:49:21 +0100 Subject: [PATCH 08/72] Update to latest --- .../platformPipelines/platform.dependencies.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 92abab7788..8d0904c963 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
@@ -23,27 +23,29 @@ stages: - stage: deploy_rg displayName: Deploy resource group variables: - templateFilePath: $(modulesPath)/Microsoft.Resources/resourceGroups/deploy.bicep + resourceType: 'Microsoft.Resources/resourceGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep jobs: - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml parameters: deploymentBlocks: - - path: $(dependencyPath)/Microsoft.Resources/resourceGroups/parameters/artifacts.parameters.json + - path: $(dependencyPath)/$(resourceType)/parameters/artifacts.parameters.json templateFilePath: $(templateFilePath) displayName: Artifacts Resource Group - - path: $(dependencyPath)/Microsoft.Resources/resourceGroups/parameters/validation.parameters.json + - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json templateFilePath: $(templateFilePath) displayName: Validation Resource Group - stage: deploy_msi displayName: Deploy user assigned identity variables: - templateFilePath: $(modulesPath)/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep + resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep jobs: - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml parameters: deploymentBlocks: - - path: $(dependencyPath)/Microsoft.Resources/resourceGroups/parameters/parameters.json + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: User Assigned Identity dependsOn: From e390d5b8a64e216dd324e4ea4482a397e93b9785 Mon Sep 17 00:00:00 2001 
From: MrMCake Date: Fri, 24 Dec 2021 17:24:27 +0100 Subject: [PATCH 09/72] Update to latest --- .../platform.dependencies.yml | 110 +++++++++++++++++- .github/workflows/platform.dependencies.yml | 32 +---- .../registries/parameters/parameters.json | 12 -- .../parameters/artifacts.parameters.json | 9 -- 4 files changed, 109 insertions(+), 54 deletions(-) delete mode 100644 utilities/pipelines/dependencies/Microsoft.ContainerRegistry/registries/parameters/parameters.json delete mode 100644 utilities/pipelines/dependencies/Microsoft.Resources/resourceGroups/parameters/artifacts.parameters.json diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 8d0904c963..46de752033 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -29,9 +29,6 @@ stages: - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml parameters: deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/artifacts.parameters.json - templateFilePath: $(templateFilePath) - displayName: Artifacts Resource Group - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json templateFilePath: $(templateFilePath) displayName: Validation Resource Group 
@@ -50,3 +47,110 @@ stages: displayName: User Assigned Identity dependsOn: - deploy_rg + + - stage: deploy_pa + displayName: Deploy policy assignment + variables: + resourceType: 'Microsoft.Authorization/policyAssignments' + templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Policy assignment + dependsOn: + - deploy_rg + + - stage: deploy_evh + displayName: Deploy event hub + variables: + resourceType: 'Microsoft.EventHub/namespaces' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: EventHub + dependsOn: + - deploy_rg + + - stage: deploy_law + displayName: Deploy log analytics workspace + variables: + resourceType: 'Microsoft.OperationalInsights/workspaces' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default LAW + - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json + templateFilePath: $(templateFilePath) + displayName: AppInsights LAW + dependsOn: + - deploy_rg + + - stage: deploy_sa + displayName: Deploy storage account + variables: + resourceType: 'Microsoft.Storage/storageAccounts' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: 
$(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default storage account + jobName: default_sa + - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json + templateFilePath: $(templateFilePath) + displayName: LAW storage account + - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json + templateFilePath: $(templateFilePath) + displayName: FunctionApp storage account + - job: + displayName: Upload files to storage account + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: AzureCLI@2 + enabled: true + displayName: Upload files to storage account + inputs: + azureSubscription: $(serviceConnection) + scriptType: 'pscore' + scriptLocation: 'inlineScript' + inlineScript: | + # Load used functions + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # Get storage account name + $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'parameters' 'parameters.json' + $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # Upload files to storage account + $functionInput = @{ + ResourceGroupName = '${{ env.resourceGroupName }}' + StorageAccountName = $storageAccountParameters.name.value + contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'uploads' + targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + } + + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + Export-ContentToBlob @functionInput -Verbose + dependsOn: + - default_sa + dependsOn: + - deploy_rg 
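Review bot: The `deploy_pa` stage sets `templateFilePath` to `$(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub` with no file extension, whereas every other stage ends in `deploy.bicep` and the GitHub workflow later in this series references `nested_policyAssignments_sub.bicep`; the deployment will not find the template unless the suffix is added: `templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep`. The inline script in the `deploy_sa` upload job is also still written for GitHub Actions: `$env:GITHUB_WORKSPACE`, `${{ env.dependencyPath }}` and `${{ env.resourceGroupName }}` are not provided on an Azure DevOps agent, so the parameter-file path, the upload directory and the resource group name will not resolve as intended and need their Azure Pipelines equivalents (`$(Build.SourcesDirectory)` and `$( )` macro variables). The upload job is unnamed (`- job:`) even though it is expected to be sequenced after `default_sa`, so nothing else in the pipeline can reference it; give it a name.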
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 1e486258db..f1635b303e 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -38,8 +38,7 @@ jobs: strategy: fail-fast: false matrix: - parameterFilePaths: - ['artifacts.parameters.json', 'validation.parameters.json'] + parameterFilePaths: ['validation.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -110,33 +109,6 @@ jobs: managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - job_deploy_privateBicepRegistry: - runs-on: ubuntu-20.04 - name: 'Deploy private bicep registry' - env: - namespace: 'Microsoft.ContainerRegistry\registries' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupNameArtifacts }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - job_deploy_evh: runs-on: ubuntu-20.04 name: 'Deploy eventhub' @@ -219,7 +191,7 @@ jobs: managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - job_upload_storage_files: + job_sa_upload_storage_files: runs-on: ubuntu-20.04 name: 'Upload files to storage account' needs: 
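Review bot: Renaming `job_upload_storage_files` to `job_sa_upload_storage_files` changes a job id that other jobs may list under `needs:`, and only the job header is in the hunk; any `needs: - job_upload_storage_files` elsewhere in the workflow would now fail validation with an unknown-job error and should be updated in the same commit. The same check applies to the removed `job_deploy_privateBicepRegistry`: any job that still names it under `needs:` has to drop that entry. The affected job definitions begin and end outside the hunk.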
diff --git a/utilities/pipelines/dependencies/Microsoft.ContainerRegistry/registries/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.ContainerRegistry/registries/parameters/parameters.json deleted file mode 100644 index 52597e8a27..0000000000 --- a/utilities/pipelines/dependencies/Microsoft.ContainerRegistry/registries/parameters/parameters.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "adpsxxazacrx001" - }, - "acrAdminUserEnabled": { - "value": false - } - } -} diff --git a/utilities/pipelines/dependencies/Microsoft.Resources/resourceGroups/parameters/artifacts.parameters.json b/utilities/pipelines/dependencies/Microsoft.Resources/resourceGroups/parameters/artifacts.parameters.json deleted file mode 100644 index eacecdf787..0000000000 --- a/utilities/pipelines/dependencies/Microsoft.Resources/resourceGroups/parameters/artifacts.parameters.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "name": { - "value": "artifacts-rg" - } - } -} From 3cb7e9d39e7213761a5282d587c12a435b8d48ca Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Dec 2021 17:35:47 +0100 Subject: [PATCH 10/72] Update to latest --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 46de752033..a23d1027de 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
@@ -115,7 +115,7 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json templateFilePath: $(templateFilePath) displayName: FunctionApp storage account - - job: + - job: sa_upload displayName: Upload files to storage account pool: ${{ if eq(variables['vmImage'], '') }}: From 659564819225b690a9174a43bfe7090a8f6826ca Mon Sep 17 00:00:00 2001 From: MrMCake Date: Fri, 24 Dec 2021 17:38:55 +0100 Subject: [PATCH 11/72] Update to latest --- .../platform.dependencies.yml | 66 +++++++++---------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index a23d1027de..0ec8bd7dc4 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
@@ -115,42 +115,42 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json templateFilePath: $(templateFilePath) displayName: FunctionApp storage account - - job: sa_upload - displayName: Upload files to storage account - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: AzureCLI@2 - enabled: true - displayName: Upload files to storage account - inputs: - azureSubscription: $(serviceConnection) - scriptType: 'pscore' - scriptLocation: 'inlineScript' - inlineScript: | - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + - job: + displayName: Upload files to storage account + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: AzureCLI@2 + enabled: true + displayName: Upload files to storage account + inputs: + azureSubscription: $(serviceConnection) + scriptType: 'pscore' + scriptLocation: 'inlineScript' + inlineScript: | + # Load used functions + . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - # Get storage account name - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'parameters' 'parameters.json' - $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + # Get storage account name + $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'parameters' 'parameters.json' + $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - # Upload files to storage account - $functionInput = @{ - ResourceGroupName = '${{ env.resourceGroupName }}' - StorageAccountName = $storageAccountParameters.name.value - contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'uploads' - targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - } + # Upload files to storage account + $functionInput = @{ + ResourceGroupName = '${{ env.resourceGroupName }}' + StorageAccountName = $storageAccountParameters.name.value + contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'uploads' + targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + } - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - Export-ContentToBlob @functionInput -Verbose - dependsOn: - - default_sa + Export-ContentToBlob @functionInput -Verbose + dependsOn: + - default_sa dependsOn: - deploy_rg From 37efcd743e6c2eda2e15e6ac9b4d5bc4845a3bc7 Mon Sep 17 00:00:00 2001 
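Review bot: The rewritten upload job drops the name the previous commit gave it (`- job: sa_upload` becomes `- job:`), so the job falls back to an auto-generated identifier and can no longer be targeted by `dependsOn` or referenced in conditions; keep `- job: sa_upload` on the new side. Since the rest of the hunk appears to be a pure re-indentation (the whitespace is not recoverable here), it is worth confirming that the job now sits under `jobs:` as a sibling of the `- template:` entry rather than inside the template's `deploymentBlocks` list, where a `- job:` item would presumably be ignored or rejected by `module.jobs.deploy.yml`. The enclosing `deploy_sa` stage starts outside the hunk.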
From: MrMCake Date: Fri, 24 Dec 2021 17:42:03 +0100 Subject: [PATCH 12/72] Update to latest --- .azuredevops/platformPipelines/platform.dependencies.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 0ec8bd7dc4..876f5cf28f 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -132,17 +132,17 @@ stages: scriptLocation: 'inlineScript' inlineScript: | # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') # Get storage account name - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'parameters' 'parameters.json' + $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'parameters' 'parameters.json' $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters # Upload files to storage account $functionInput = @{ ResourceGroupName = '${{ env.resourceGroupName }}' StorageAccountName = $storageAccountParameters.name.value - contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'uploads' + contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' targetContainer = $storageAccountParameters.blobServices.value.containers[0].name } From 63cacbc8d20505aa27038a355ddbacf63b448099 Mon Sep 17 00:00:00 2001 
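Review bot: In both `Join-Path` calls `$(dependencyPath)` is spliced into the PowerShell source unquoted while `'$(Build.SourcesDirectory)'` and `'$(resourceType)'` are quoted, so the expanded value is parsed as a bare word; it happens to work for `utilities/pipelines/dependencies` but breaks on any value containing spaces or PowerShell-special characters, and the inconsistency invites exactly that. Quote it like its neighbours: `$parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json'` and `contentDirectories = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'uploads'`. Because `$( )` macros are substituted into the script text before it runs, consistently quoting every interpolated variable is also the habit that limits what an unexpected variable value can do to the script. `ResourceGroupName = '${{ env.resourceGroupName }}'` a few lines below is still GitHub Actions syntax and does not resolve on Azure DevOps.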
From: MrMCake Date: Fri, 24 Dec 2021 17:43:57 +0100 Subject: [PATCH 13/72] Update to latest --- .../platform.dependencies.yml | 4 +- .github/workflows/platform.dependencies.yml | 56 +++++++++---------- 2 files changed, 31 insertions(+), 29 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 876f5cf28f..586a3d0e4b 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -18,6 +18,8 @@ variables: value: 'utilities/pipelines/dependencies' - name: modulesPath value: 'arm' + - name: defaultResourceGroupName + value: 'validation-rg' stages: - stage: deploy_rg @@ -140,7 +142,7 @@ stages: # Upload files to storage account $functionInput = @{ - ResourceGroupName = '${{ env.resourceGroupName }}' + ResourceGroupName = '$(defaultResourceGroupName)' StorageAccountName = $storageAccountParameters.name.value contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' targetContainer = $storageAccountParameters.blobServices.value.containers[0].name diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index f1635b303e..17cc75bfec 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -19,7 +19,7 @@ on: env: defaultLocation: 'WestEurope' - resourceGroupName: 'validation-rg' + defaultResourceGroupName: 'validation-rg' resourceGroupNameArtifacts: 'artifacts-rg' removeDeployment: 'false' dependencyPath: 'utilities/pipelines/dependencies' 
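Review bot: Renaming the workflow `env` entry from `resourceGroupName` to `defaultResourceGroupName` is only safe if every consumer moves with it: GitHub Actions expands an undefined `env.` key to an empty string rather than failing, so any `${{ env.resourceGroupName }}` left in a job outside the hunks shown (the consumers updated in this commit are the `resourceGroupName:` inputs and the upload script's `ResourceGroupName` in the following hunks) would pass an empty resource group name to the deploy action. A search for `env.resourceGroupName` across the whole workflow before merging would confirm nothing was missed; the stat line reports more changed lines than the hunks visible here, so the remainder should be checked. The Azure DevOps pipeline gains the matching `defaultResourceGroupName` variable in the same commit, which keeps the two pipelines aligned.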
@@ -50,7 +50,7 @@ jobs: templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -77,7 +77,7 @@ jobs: templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -104,7 +104,7 @@ jobs: templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' 
@@ -131,7 +131,7 @@ jobs: templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -158,7 +158,7 @@ jobs: templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -186,7 +186,7 @@ jobs: templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' @@ -219,7 +219,7 @@ jobs: # Upload files to storage account $functionInput = @{ - ResourceGroupName = '${{ env.resourceGroupName }}' + ResourceGroupName = '${{ env.defaultResourceGroupName }}' StorageAccountName = $storageAccountParameters.name.value contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'uploads' targetContainer = $storageAccountParameters.blobServices.value.containers[0].name 
@@ -253,7 +253,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -280,7 +280,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -307,7 +307,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -334,7 +334,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -362,7 +362,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -397,7 +397,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -427,7 +427,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -457,7 +457,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -486,7 +486,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -515,7 +515,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -544,7 +544,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -573,7 +573,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -602,7 +602,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -676,7 +676,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -737,7 +737,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -764,7 +764,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_rbac_sub.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -799,7 +799,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -828,7 +828,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -855,7 +855,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
@@ -884,7 +884,7 @@ jobs:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
 parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.resourceGroupName }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
From d335d521765a141f3734ae54ad17bee7dd570968 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Fri, 24 Dec 2021 17:51:37 +0100
Subject: [PATCH 14/72] Update to latest
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 586a3d0e4b..4aeba2c30f 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -54,7 +54,7 @@ stages:
 displayName: Deploy policy assignment
 variables:
 resourceType: 'Microsoft.Authorization/policyAssignments'
- templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub
+ templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep
 jobs:
 - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
 parameters:
From 7509f5b0e73e4945bb49f947ba34dd1f9a65997c Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Sat, 25 Dec 2021 01:00:22 +0100
Subject: [PATCH 15/72] Update to latest
---
 .../platform.dependencies.yml | 137 ++++++++++++++++++
 .github/workflows/platform.dependencies.yml | 2 +-
 2 files changed, 138 insertions(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 4aeba2c30f..df242dbf9c 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -1,5 +1,11 @@
 name: '.Platform - Dependencies'
+parameters:
+ - name: deploySqlMiDependencies
+ displayName: Enable SqlMi dependencies deployment
+ type: boolean
+ default: false
+
 # trigger:
 # batch: true
 # branches:
@@ -125,6 +131,17 @@ stages:
 ${{ if eq(variables['poolName'], '') }}:
 vmImage: $(vmImage)
 steps:
+ - task: PowerShell@2
+ displayName: 'Setup agent'
+ inputs:
+ targetType: inline
+ pwsh: true
+ script: |
+ # Load used functions
+ . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
+
+ # Set agent up
+ Set-EnvironmentOnAgent
 - task: AzureCLI@2
 enabled: true
 displayName: Upload files to storage account
@@ -156,3 +173,123 @@ stages:
 - default_sa
 dependsOn:
 - deploy_rg
+
+ - stage: deploy_sig
+ displayName: Deploy shared image gallery and definition
+ variables:
+ resourceType: 'Microsoft.Compute/galleries'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default SIG and SID
+ dependsOn:
+ - deploy_rg
+
+ - stage: deploy_ag
+ displayName: Deploy action groups
+ variables:
+ resourceType: 'Microsoft.Compute/galleries'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Action Group
+ dependsOn:
+ - deploy_rg
+
+ - stage: deploy_asg
+ displayName: Deploy application security groups
+ variables:
+ resourceType: 'Microsoft.Network/applicationSecurityGroups'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Application Security Groups
+ dependsOn:
+ - deploy_rg
+
+ - stage: deploy_udr
+ displayName: Deploy route tables
+ variables:
+ resourceType: 'Microsoft.Network/routeTables'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default User Defined Routes
+ dependsOn:
+ - deploy_rg
+
+ - stage: deploy_sqlmi_udr
+ displayName: Deploy sqlmi route tables
+ condition: eq(${{ parameters.deploySqlMiDependencies }}, true)
+ variables:
+ resourceType: 'Microsoft.Network/routeTables'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: SQLMI User Defined Routes
+ dependsOn:
+ - deploy_rg
+
+ - stage: deploy_nsg
+ displayName: Deploy network security groups
+ variables:
+ resourceType: 'Microsoft.Network/networkSecurityGroups'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default NSG
+ - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: App Gateway NSG
+ - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: ASE NSG
+ - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Bastion NSG
+ dependsOn:
+ - deploy_sa
+ - deploy_evh
+ - deploy_law
+
+ - stage: deploy_sqlmi_nsg
+ displayName: Deploy sqlmi network security group
+ condition: eq(${{ parameters.deploySqlMiDependencies }}, true)
+ variables:
+ resourceType: 'Microsoft.Network/networkSecurityGroups'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default NSG
+ dependsOn:
+ - deploy_sa
+ - deploy_evh
+ - deploy_law
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 17cc75bfec..51c6328961 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -314,7 +314,7 @@ jobs:
 job_deploy_udr:
 runs-on: ubuntu-20.04
- name: 'Deploy sqlmi route tables'
+ name: 'Deploy route tables'
 env:
 namespace: 'Microsoft.Network\routeTables'
 needs:
From aa2e1f1b5f5a651c20bf7df41d099f23ceb85658 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Sat, 25 Dec 2021 01:20:44 +0100
Subject: [PATCH 16/72] Update to latest
---
 .../platform.dependencies.yml | 170 +++++++++++++++++-
 1 file changed, 169 insertions(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index df242dbf9c..806041a98e 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
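Review bot: The `deploy_ag` stage (Deploy action groups) keeps `resourceType: 'Microsoft.Compute/galleries'` from the `deploy_sig` stage it was copied from, so both its `templateFilePath` and its parameter path point at the shared image gallery module and the stage deploys that again instead of an action group; the value should be the action groups resource type, presumably `Microsoft.Insights/actionGroups` if the module folder follows the ARM type name like the other stages. The SQL MI parameter file is also spelled two ways, `sqlMi.parameters.json` in `deploy_sqlmi_udr` and `sqlmi.parameters.json` in `deploy_sqlmi_nsg`; on a Linux `vmImage` agent these are different paths, so whichever spelling does not match the checked-in file fails at deploy time. Both spellings survive into the later commits that fold these stages into `deploy_udr` and `deploy_nsg` under `- ${{ if ... }}:` blocks, so settle on one file name once and reuse it there.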
@@ -288,7 +288,175 @@ stages:
 deploymentBlocks:
 - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json
 templateFilePath: $(templateFilePath)
- displayName: Default NSG
+ displayName: SQLMI NSG
+ dependsOn:
+ - deploy_sa
+ - deploy_evh
+ - deploy_law
+
+ - stage: deploy_pip
+ displayName: Deploy public IP addresses
+ variables:
+ resourceType: 'Microsoft.Network\publicIPAddresses'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: App Gateway Public IP
+ - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Bastion Public IP
+ - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Load balancer Public IP
+ dependsOn:
+ - deploy_sa
+ - deploy_evh
+ - deploy_law
+
+ - stage: deploy_appi
+ displayName: Deploy application insight
+ variables:
+ resourceType: 'Microsoft.Insights/components'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Application Insights
+ dependsOn:
+ - deploy_sa
+ - deploy_evh
+ - deploy_law
+
+ - stage: deploy_aut
+ displayName: Deploy automation account
+ variables:
+ resourceType: 'Microsoft.Automation/automationAccounts'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Automation Account
+ dependsOn:
+ - deploy_sa
+ - deploy_evh
+ - deploy_law
+
+ - stage: deploy_avdhp
+ displayName: Deploy AVD host pool
+ variables:
+ resourceType: 'Microsoft.DesktopVirtualization/hostpools'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default AVD Host Pool
+ dependsOn:
+ - deploy_sa
+ - deploy_evh
+ - deploy_law
+
+ - stage: deploy_rsv
+ displayName: Deploy recovery services vault
+ variables:
+ resourceType: 'Microsoft.RecoveryServices/vaults'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default recovery services vault
+ dependsOn:
+ - deploy_sa
+ - deploy_evh
+ - deploy_law
+
+ - stage: deploy_kv
+ displayName: Deploy key vaults
+ variables:
+ resourceType: 'Microsoft.KeyVault/vaults'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Key Vault
+ jobName: default_kv
+ - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Private Endpoint Key Vault
+ ${{ if eq( parameters.deploySqlMiDependencies, true) }}:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: SQLMI key vault
+ - job:
+ displayName: Set key vault secrets keys and certificates
+ pool:
+ ${{ if eq(variables['vmImage'], '') }}:
+ name: $(poolName)
+ ${{ if eq(variables['poolName'], '') }}:
+ vmImage: $(vmImage)
+ steps:
+ - task: PowerShell@2
+ displayName: 'Setup agent'
+ inputs:
+ targetType: inline
+ pwsh: true
+ script: |
+ # Load used functions
+ . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
+
+ # Set agent up
+ Set-EnvironmentOnAgent
+ - task: AzureCLI@2
+ enabled: true
+ displayName: Set key vault secrets keys and certificates
+ inputs:
+ azureSubscription: $(serviceConnection)
+ scriptType: 'pscore'
+ scriptLocation: 'inlineScript'
+ inlineScript: |
+ $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length
+ $passwordString = (New-Guid).Guid.SubString(0,19)
+ $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32)
+ $keyVaultName = 'adp-sxx-az-kv-x-001'
+ $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force
+ $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force
+ $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force
+ # VirtualMachines and VMSS
+ Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username
+ Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password
+ # Azure SQLServer
+ Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username
+ Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password
+ # VirtualNetworkGateway
+ Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey
+ # DiskEncryptionSet, VirtualMachines and VMSS
+ az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey'
+ # ApplicationGateway
+ $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal
+ Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy
+ # API management
+ Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username
+ Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password
+ dependsOn:
+ - default_kv
 dependsOn:
 - deploy_sa
 - deploy_evh
From 4edd8d8f053b6df64385967940d0d94204ebe030 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Sat, 25 Dec 2021 01:22:39 +0100
Subject: [PATCH 17/72] Update to latest
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 806041a98e..fbf63cc54f 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -394,6 +394,10 @@ stages:
 - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
 parameters:
 deploymentBlocks:
+ ${{ if eq( parameters.deploySqlMiDependencies, true) }}:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: SQLMI key vault
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
 displayName: Default Key Vault
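Review bot: The credentials the `Set key vault secrets keys and certificates` step writes are low-entropy and partly deterministic: `Get-Random -Count 9 -SetSeed 1` produces the same `$usernameString` on every run, `$passwordString` and `$vpnSharedKeyString` are prefixes of a GUID (hex digits and hyphens only, with one nibble fixed by the GUID version), and the same `$username`/`$password` pair is stored under adminUsername/administratorLogin/apimclientid and adminPassword/administratorLoginPassword/apimclientsecret, so a single exposed test secret covers every consumer of the vault. Dropping `-SetSeed 1`, drawing each value from `[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes(...)` (Base64-encoded and trimmed to the required length) and using a distinct value per secret name keeps the vault layout unchanged while removing the predictability. The Az cmdlets (`Set-AzKeyVaultSecret`, `Add-AzKeyVaultCertificate`) run inside an `AzureCLI@2` task, which signs in the az CLI but not the Az PowerShell context, so unless `Set-EnvironmentOnAgent` establishes one they will fail for lack of an Azure context — either move the step to an `AzurePowerShell@5` task or use `az keyvault secret set` throughout, as the `keyEncryptionKey` line already does for keys. Separately, `deploy_pip` sets `resourceType: 'Microsoft.Network\publicIPAddresses'` while every other stage in this file uses a forward slash; on a Linux `vmImage` agent the backslash is not a path separator, so `$(modulesPath)/$(resourceType)/deploy.bicep` and the parameter paths will not resolve.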
@@ -401,10 +405,6 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json templateFilePath: $(templateFilePath) displayName: Private Endpoint Key Vault - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI key vault - job: displayName: Set key vault secrets keys and certificates pool: From 0d87cae466c27b416c70c85b81df64032022afe9 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 01:25:13 +0100 Subject: [PATCH 18/72] Update to latest --- .azuredevops/platformPipelines/platform.dependencies.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index fbf63cc54f..9fa5a01238 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -394,10 +394,6 @@ stages: - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml parameters: deploymentBlocks: - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI key vault - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: Default Key Vault @@ -405,6 +401,10 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json templateFilePath: $(templateFilePath) displayName: Private Endpoint Key Vault + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI key vault - job: displayName: Set key vault secrets keys and certificates pool: 
From 9cd6ded51b6ade06cd40292f5e698914c7ebae16 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 01:27:33 +0100 Subject: [PATCH 19/72] Update to latest --- .../platform.dependencies.yml | 22 ++++--------------- 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 9fa5a01238..ee5719c254 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -271,24 +271,10 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json templateFilePath: $(templateFilePath) displayName: Bastion NSG - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_sqlmi_nsg - displayName: Deploy sqlmi network security group - condition: eq(${{ parameters.deploySqlMiDependencies }}, true) - variables: - resourceType: 'Microsoft.Network/networkSecurityGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI NSG + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI NSG dependsOn: - deploy_sa - deploy_evh From 3dcc022544898e395cf7b8d0285ab23ee6857c04 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 01:46:10 +0100 Subject: [PATCH 20/72] Update to latest --- .../platform.dependencies.yml | 161 ++++++++++++++++-- 1 file changed, 145 insertions(+), 16 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index ee5719c254..bfe4179fc1 100644 
--- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -231,22 +231,10 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: Default User Defined Routes - dependsOn: - - deploy_rg - - - stage: deploy_sqlmi_udr - displayName: Deploy sqlmi route tables - condition: eq(${{ parameters.deploySqlMiDependencies }}, true) - variables: - resourceType: 'Microsoft.Network/routeTables' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI User Defined Routes + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI User Defined Routes dependsOn: - deploy_rg @@ -391,6 +379,7 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: SQLMI key vault + jobName: sqlmi_kv - job: displayName: Set key vault secrets keys and certificates pool: 
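Review bot: `jobName: sqlmi_kv` is only emitted when `parameters.deploySqlMiDependencies` is true, because it sits inside the `- ${{ if eq( parameters.deploySqlMiDependencies, true) }}:` block, but the `Set sqlmi key vault secrets and keys` job added in the next hunk of this commit lists `dependsOn: - sqlmi_kv` unconditionally and guards itself only with a runtime `condition:`; template expansion runs before conditions are evaluated, so with the default `false` the pipeline is likely to be rejected at compile time for depending on a job that does not exist. Wrap that job in the same `- ${{ if eq( parameters.deploySqlMiDependencies, true) }}:` block instead, which also makes its `condition:` redundant, so that the job and the `jobName` it depends on are always emitted together.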
@@ -443,7 +432,147 @@ stages: Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password dependsOn: - default_kv + - job: + displayName: Set sqlmi key vault secrets and keys + condition: eq(${{ parameters.deploySqlMiDependencies }}, true) + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Set agent up + Set-EnvironmentOnAgent + - task: AzureCLI@2 + enabled: true + displayName: Set sqlmi key vault secrets and keys + inputs: + azureSubscription: $(serviceConnection) + scriptType: 'pscore' + scriptLocation: 'inlineScript' + inlineScript: | + $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + $passwordString = (New-Guid).Guid.SubString(0,19) + $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # SQLManagedInstances secrets + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # SQLManagedInstances Keys + az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' + dependsOn: + - sqlmi_kv dependsOn: - deploy_sa - deploy_evh - deploy_law + + - stage: deploy_avdag + displayName: Deploy AVD application group + variables: + resourceType: 
'Microsoft.DesktopVirtualization/applicationgroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Group + dependsOn: + - deploy_avdhp + + - stage: deploy_rolea + displayName: Deploy role assignments + variables: + resourceType: 'Microsoft.Authorization\roleAssignments' + templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: MSI Role Assignment + dependsOn: + - deploy_msi + + - stage: deploy_vnet + displayName: Deploy virtual networks + variables: + resourceType: 'Microsoft.Network/virtualNetworks' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json + templateFilePath: $(templateFilePath) + displayName: VNET PEering 1 Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json + templateFilePath: $(templateFilePath) + displayName: VNET Peering 2 Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json + templateFilePath: $(templateFilePath) + displayName: 
Azure Firewall Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json + templateFilePath: $(templateFilePath) + displayName: AKS Virtual Network + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQL MI Virtual Network + dependsOn: + - deploy_nsg + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - deploy_udr + + - stage: deploy_dnszone + displayName: Deploy private DNS zones + variables: + resourceType: 'Microsoft.Network/privateDnsZones' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Private DNS Zones + dependsOn: + - job_deploy_vnet + + - stage: deploy_vm + displayName: Deploy virtual machines + variables: + resourceType: 'Microsoft.Compute/virtualMachines' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Virtual Machine + dependsOn: + - job_deploy_vnet + - deploy_rsv + - deploy_kv From 4c9dd922da8d35ac56184a6da066b718642db3d1 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 01:46:55 +0100 Subject: [PATCH 21/72] Update to latest --- .azuredevops/platformPipelines/platform.dependencies.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index bfe4179fc1..18fdfa0f45 100644 
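Review bot: The new `Set sqlmi key vault secrets and keys` job declares `dependsOn: - sqlmi_kv`, yet it is only runtime-gated by `condition: eq(${{ parameters.deploySqlMiDependencies }}, true)` while the `sqlmi_kv` block it depends on is inserted with a compile-time `${{ if }}` (visible in the context of the later patch on this page); when the parameter is false the compiled pipeline contains a job that depends on a job that does not exist, which is rejected when the pipeline is validated. Gate the job the same way: replace the `condition:` line with `- ${{ if eq(parameters.deploySqlMiDependencies, true) }}:` above `- job:` and indent the job under it, as the deployment blocks already do. In the inline script `$vpnSharedKeyString` and `$vpnSharedKey` are computed but never stored, and `Get-Random -SetSeed 1` makes the generated administrator login identical on every run; drop the unused lines and the fixed seed, and check that `Set-AzKeyVaultSecret` has an Az PowerShell login at all, since `AzureCLI@2` does not establish one by itself (the storage-upload step is moved to `AzurePowerShell@4` later in this series, possibly for that reason). Further down, `deploy_rolea` sets `resourceType: 'Microsoft.Authorization\roleAssignments'` with a backslash while every other new stage uses `/`; on a Linux agent that is a literal character in `$(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep`, so it should read `'Microsoft.Authorization/roleAssignments'`. The enclosing `deploy_kv` stage and its `jobs:` list start before the hunk.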
--- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -558,7 +558,7 @@ stages: templateFilePath: $(templateFilePath) displayName: Default Private DNS Zones dependsOn: - - job_deploy_vnet + - deploy_vnet - stage: deploy_vm displayName: Deploy virtual machines @@ -573,6 +573,6 @@ stages: templateFilePath: $(templateFilePath) displayName: Default Virtual Machine dependsOn: - - job_deploy_vnet + - deploy_vnet - deploy_rsv - deploy_kv From d0eeeaf426982e7f0c641057e60320447485fbe3 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 12:20:52 +0100 Subject: [PATCH 22/72] Update to latest --- utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1 b/utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1 index 8e9cf515b2..35f6d99f40 100644 --- a/utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1 +++ b/utilities/pipelines/sharedScripts/Set-EnvironmentOnAgent.ps1 @@ -107,6 +107,7 @@ function Set-EnvironmentOnAgent { @{ Name = 'Az.Monitor' }, @{ Name = 'Az.CognitiveServices' }, @{ Name = 'Az.OperationalInsights' }, + @{ Name = 'Az.Storage' }, @{ Name = 'Pester'; Version = '5.3.0' } ) ) From 86f50b50a6b35d9e2859d15fe8a41db941bc5bbb Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 12:49:46 +0100 Subject: [PATCH 23/72] Test upload --- .../platform.dependencies.yml | 965 +++++++++--------- 1 file changed, 482 insertions(+), 483 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 18fdfa0f45..1632083289 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
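Review bot: `@{ Name = 'Az.Storage' }` is added without a version, so every agent setup installs whatever the gallery serves at that moment; the adjacent `@{ Name = 'Pester'; Version = '5.3.0' }` entry shows the list supports pinning. For a reproducible, reviewable dependency set pin it the same way, `@{ Name = 'Az.Storage'; Version = '<pinned-version>' }`, and bump it deliberately. The surrounding Az entries are unpinned too, so this may be an existing convention worth revisiting as a whole; the `Set-EnvironmentOnAgent` function continues outside the hunk.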
@@ -28,81 +28,81 @@ variables: value: 'validation-rg' stages: - - stage: deploy_rg - displayName: Deploy resource group - variables: - resourceType: 'Microsoft.Resources/resourceGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json - templateFilePath: $(templateFilePath) - displayName: Validation Resource Group - - - stage: deploy_msi - displayName: Deploy user assigned identity - variables: - resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: User Assigned Identity - dependsOn: - - deploy_rg - - - stage: deploy_pa - displayName: Deploy policy assignment - variables: - resourceType: 'Microsoft.Authorization/policyAssignments' - templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Policy assignment - dependsOn: - - deploy_rg - - - stage: deploy_evh - displayName: Deploy event hub - variables: - resourceType: 'Microsoft.EventHub/namespaces' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: EventHub - dependsOn: - - deploy_rg - - - 
stage: deploy_law - displayName: Deploy log analytics workspace - variables: - resourceType: 'Microsoft.OperationalInsights/workspaces' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default LAW - - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json - templateFilePath: $(templateFilePath) - displayName: AppInsights LAW - dependsOn: - - deploy_rg + # - stage: deploy_rg + # displayName: Deploy resource group + # variables: + # resourceType: 'Microsoft.Resources/resourceGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Validation Resource Group + + # - stage: deploy_msi + # displayName: Deploy user assigned identity + # variables: + # resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: User Assigned Identity + # dependsOn: + # - deploy_rg + + # - stage: deploy_pa + # displayName: Deploy policy assignment + # variables: + # resourceType: 'Microsoft.Authorization/policyAssignments' + # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # 
- path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Policy assignment + # dependsOn: + # - deploy_rg + + # - stage: deploy_evh + # displayName: Deploy event hub + # variables: + # resourceType: 'Microsoft.EventHub/namespaces' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: EventHub + # dependsOn: + # - deploy_rg + + # - stage: deploy_law + # displayName: Deploy log analytics workspace + # variables: + # resourceType: 'Microsoft.OperationalInsights/workspaces' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default LAW + # - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: AppInsights LAW + # dependsOn: + # - deploy_rg - stage: deploy_sa displayName: Deploy storage account @@ -142,14 +142,13 @@ stages: # Set agent up Set-EnvironmentOnAgent - - task: AzureCLI@2 + - task: AzurePowerShell@4 enabled: true displayName: Upload files to storage account inputs: azureSubscription: $(serviceConnection) - scriptType: 'pscore' - scriptLocation: 'inlineScript' - inlineScript: | + scriptType: InlineScript + inline: | # Load used functions . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') 
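Review bot: Five stages (`deploy_rg` through `deploy_law`) are commented out line by line rather than removed or gated, which leaves roughly eighty lines of dead YAML in the file, and the next hunk comments out the remaining `deploy_sa` stage's `dependsOn: - deploy_rg` to match, leaving a bare `dependsOn:` with no value. The commit title suggests a temporary test setup; if it is meant to be committed, gate the stages with a pipeline parameter in the `- ${{ if eq(parameters.<flag>, true) }}:` form the file already uses for the SQL MI blocks, so the pipeline stays valid with the flag either way. The `stages:` list continues past the end of the hunk.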
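Review bot: The switch to `AzurePowerShell@4` drops the CLI task's `scriptType`/`scriptLocation` inputs but does not add `azurePowerShellVersion`, which that task requires (for example `azurePowerShellVersion: LatestVersion`); without it the step fails before the script runs. The replaced task ran the script with `pscore`, so add `pwsh: true` as well to keep it on PowerShell Core rather than Windows PowerShell on a Windows agent. The step's `inline:` script continues past the end of the hunk.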
@@ -172,407 +171,407 @@ stages: dependsOn: - default_sa dependsOn: - - deploy_rg - - - stage: deploy_sig - displayName: Deploy shared image gallery and definition - variables: - resourceType: 'Microsoft.Compute/galleries' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default SIG and SID - dependsOn: - - deploy_rg - - - stage: deploy_ag - displayName: Deploy action groups - variables: - resourceType: 'Microsoft.Compute/galleries' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Action Group - dependsOn: - - deploy_rg - - - stage: deploy_asg - displayName: Deploy application security groups - variables: - resourceType: 'Microsoft.Network/applicationSecurityGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Security Groups - dependsOn: - - deploy_rg - - - stage: deploy_udr - displayName: Deploy route tables - variables: - resourceType: 'Microsoft.Network/routeTables' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default User Defined Routes 
- - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI User Defined Routes - dependsOn: - - deploy_rg - - - stage: deploy_nsg - displayName: Deploy network security groups - variables: - resourceType: 'Microsoft.Network/networkSecurityGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default NSG - - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - templateFilePath: $(templateFilePath) - displayName: App Gateway NSG - - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json - templateFilePath: $(templateFilePath) - displayName: ASE NSG - - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion NSG - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI NSG - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_pip - displayName: Deploy public IP addresses - variables: - resourceType: 'Microsoft.Network\publicIPAddresses' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - templateFilePath: $(templateFilePath) - displayName: App Gateway Public IP - - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Public IP 
- - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json - templateFilePath: $(templateFilePath) - displayName: Load balancer Public IP - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_appi - displayName: Deploy application insight - variables: - resourceType: 'Microsoft.Insights/components' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Insights - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_aut - displayName: Deploy automation account - variables: - resourceType: 'Microsoft.Automation/automationAccounts' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Automation Account - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_avdhp - displayName: Deploy AVD host pool - variables: - resourceType: 'Microsoft.DesktopVirtualization/hostpools' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default AVD Host Pool - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_rsv - displayName: Deploy recovery services vault - variables: - resourceType: 'Microsoft.RecoveryServices/vaults' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default recovery services vault - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_kv - displayName: Deploy key vaults - variables: - resourceType: 'Microsoft.KeyVault/vaults' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Key Vault - jobName: default_kv - - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json - templateFilePath: $(templateFilePath) - displayName: Private Endpoint Key Vault - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI key vault - jobName: sqlmi_kv - - job: - displayName: Set key vault secrets keys and certificates - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: PowerShell@2 - displayName: 'Setup agent' - inputs: - targetType: inline - pwsh: true - script: | - # Load used functions - . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Set agent up - Set-EnvironmentOnAgent - - task: AzureCLI@2 - enabled: true - displayName: Set key vault secrets keys and certificates - inputs: - azureSubscription: $(serviceConnection) - scriptType: 'pscore' - scriptLocation: 'inlineScript' - inlineScript: | - $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - $passwordString = (New-Guid).Guid.SubString(0,19) - $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - $keyVaultName = 'adp-sxx-az-kv-x-001' - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # VirtualMachines and VMSS - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password - # Azure SQLServer - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # VirtualNetworkGateway - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey - # DiskEncryptionSet, VirtualMachines and VMSS - az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey' - # ApplicationGateway - $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy - # API management - Set-AzKeyVaultSecret -VaultName 
$keyVaultName -Name 'apimclientid' -SecretValue $username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password - dependsOn: - - default_kv - - job: - displayName: Set sqlmi key vault secrets and keys - condition: eq(${{ parameters.deploySqlMiDependencies }}, true) - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: PowerShell@2 - displayName: 'Setup agent' - inputs: - targetType: inline - pwsh: true - script: | - # Load used functions - . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Set agent up - Set-EnvironmentOnAgent - - task: AzureCLI@2 - enabled: true - displayName: Set sqlmi key vault secrets and keys - inputs: - azureSubscription: $(serviceConnection) - scriptType: 'pscore' - scriptLocation: 'inlineScript' - inlineScript: | - $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - $passwordString = (New-Guid).Guid.SubString(0,19) - $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # SQLManagedInstances secrets - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # SQLManagedInstances Keys - az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' - dependsOn: - - sqlmi_kv - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_avdag - displayName: Deploy AVD application 
group - variables: - resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Group - dependsOn: - - deploy_avdhp - - - stage: deploy_rolea - displayName: Deploy role assignments - variables: - resourceType: 'Microsoft.Authorization\roleAssignments' - templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: MSI Role Assignment - dependsOn: - - deploy_msi - - - stage: deploy_vnet - displayName: Deploy virtual networks - variables: - resourceType: 'Microsoft.Network/virtualNetworks' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json - templateFilePath: $(templateFilePath) - displayName: VNET PEering 1 Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json - templateFilePath: $(templateFilePath) - displayName: VNET Peering 2 Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json - templateFilePath: 
$(templateFilePath) - displayName: Azure Firewall Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json - templateFilePath: $(templateFilePath) - displayName: AKS Virtual Network - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQL MI Virtual Network - dependsOn: - - deploy_nsg - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - deploy_udr - - - stage: deploy_dnszone - displayName: Deploy private DNS zones - variables: - resourceType: 'Microsoft.Network/privateDnsZones' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Private DNS Zones - dependsOn: - - deploy_vnet - - - stage: deploy_vm - displayName: Deploy virtual machines - variables: - resourceType: 'Microsoft.Compute/virtualMachines' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Virtual Machine - dependsOn: - - deploy_vnet - - deploy_rsv - - deploy_kv + #- deploy_rg + + # - stage: deploy_sig + # displayName: Deploy shared image gallery and definition + # variables: + # resourceType: 'Microsoft.Compute/galleries' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: 
$(templateFilePath) + # displayName: Default SIG and SID + # dependsOn: + # - deploy_rg + + # - stage: deploy_ag + # displayName: Deploy action groups + # variables: + # resourceType: 'Microsoft.Compute/galleries' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Action Group + # dependsOn: + # - deploy_rg + + # - stage: deploy_asg + # displayName: Deploy application security groups + # variables: + # resourceType: 'Microsoft.Network/applicationSecurityGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Security Groups + # dependsOn: + # - deploy_rg + + # - stage: deploy_udr + # displayName: Deploy route tables + # variables: + # resourceType: 'Microsoft.Network/routeTables' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default User Defined Routes + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI User Defined Routes + # dependsOn: + # - deploy_rg + + # - stage: deploy_nsg + # displayName: Deploy network security groups + # variables: + # resourceType: 
'Microsoft.Network/networkSecurityGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default NSG + # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: App Gateway NSG + # - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: ASE NSG + # - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion NSG + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI NSG + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_pip + # displayName: Deploy public IP addresses + # variables: + # resourceType: 'Microsoft.Network\publicIPAddresses' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: App Gateway Public IP + # - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion Public IP + # - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Load balancer Public IP + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_appi + # 
displayName: Deploy application insight + # variables: + # resourceType: 'Microsoft.Insights/components' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Insights + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_aut + # displayName: Deploy automation account + # variables: + # resourceType: 'Microsoft.Automation/automationAccounts' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Automation Account + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_avdhp + # displayName: Deploy AVD host pool + # variables: + # resourceType: 'Microsoft.DesktopVirtualization/hostpools' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default AVD Host Pool + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_rsv + # displayName: Deploy recovery services vault + # variables: + # resourceType: 'Microsoft.RecoveryServices/vaults' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: 
$(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default recovery services vault + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_kv + # displayName: Deploy key vaults + # variables: + # resourceType: 'Microsoft.KeyVault/vaults' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Key Vault + # jobName: default_kv + # - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Private Endpoint Key Vault + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI key vault + # jobName: sqlmi_kv + # - job: + # displayName: Set key vault secrets keys and certificates + # pool: + # ${{ if eq(variables['vmImage'], '') }}: + # name: $(poolName) + # ${{ if eq(variables['poolName'], '') }}: + # vmImage: $(vmImage) + # steps: + # - task: PowerShell@2 + # displayName: 'Setup agent' + # inputs: + # targetType: inline + # pwsh: true + # script: | + # # Load used functions + # . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Set agent up + # Set-EnvironmentOnAgent + # - task: AzureCLI@2 + # enabled: true + # displayName: Set key vault secrets keys and certificates + # inputs: + # azureSubscription: $(serviceConnection) + # scriptType: 'pscore' + # scriptLocation: 'inlineScript' + # inlineScript: | + # $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + # $passwordString = (New-Guid).Guid.SubString(0,19) + # $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + # $keyVaultName = 'adp-sxx-az-kv-x-001' + # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # # VirtualMachines and VMSS + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password + # # Azure SQLServer + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # # VirtualNetworkGateway + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey + # # DiskEncryptionSet, VirtualMachines and VMSS + # az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey' + # # ApplicationGateway + # $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal + # Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy 
+ # # API management + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password + # dependsOn: + # - default_kv + # - job: + # displayName: Set sqlmi key vault secrets and keys + # condition: eq(${{ parameters.deploySqlMiDependencies }}, true) + # pool: + # ${{ if eq(variables['vmImage'], '') }}: + # name: $(poolName) + # ${{ if eq(variables['poolName'], '') }}: + # vmImage: $(vmImage) + # steps: + # - task: PowerShell@2 + # displayName: 'Setup agent' + # inputs: + # targetType: inline + # pwsh: true + # script: | + # # Load used functions + # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Set agent up + # Set-EnvironmentOnAgent + # - task: AzureCLI@2 + # enabled: true + # displayName: Set sqlmi key vault secrets and keys + # inputs: + # azureSubscription: $(serviceConnection) + # scriptType: 'pscore' + # scriptLocation: 'inlineScript' + # inlineScript: | + # $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + # $passwordString = (New-Guid).Guid.SubString(0,19) + # $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + # $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' + # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # # SQLManagedInstances secrets + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # # SQLManagedInstances Keys + # az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' + # 
dependsOn: + # - sqlmi_kv + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_avdag + # displayName: Deploy AVD application group + # variables: + # resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Group + # dependsOn: + # - deploy_avdhp + + # - stage: deploy_rolea + # displayName: Deploy role assignments + # variables: + # resourceType: 'Microsoft.Authorization\roleAssignments' + # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: MSI Role Assignment + # dependsOn: + # - deploy_msi + + # - stage: deploy_vnet + # displayName: Deploy virtual networks + # variables: + # resourceType: 'Microsoft.Network/virtualNetworks' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: VNET PEering 1 Virtual Network + # - path: 
$(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: VNET Peering 2 Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Azure Firewall Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: AKS Virtual Network + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQL MI Virtual Network + # dependsOn: + # - deploy_nsg + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - deploy_udr + + # - stage: deploy_dnszone + # displayName: Deploy private DNS zones + # variables: + # resourceType: 'Microsoft.Network/privateDnsZones' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Private DNS Zones + # dependsOn: + # - deploy_vnet + + # - stage: deploy_vm + # displayName: Deploy virtual machines + # variables: + # resourceType: 'Microsoft.Compute/virtualMachines' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Virtual Machine + # dependsOn: + # - deploy_vnet + # - deploy_rsv + # - deploy_kv From 6a72bf0deb8396f7841f54610ddac808d24ed1ac Mon Sep 17 00:00:00 2001 
From: MrMCake Date: Sat, 25 Dec 2021 13:00:00 +0100 Subject: [PATCH 24/72] disabled more --- .../platformPipelines/platform.dependencies.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 1632083289..c5870ea495 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -117,12 +117,12 @@ stages: templateFilePath: $(templateFilePath) displayName: Default storage account jobName: default_sa - - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json - templateFilePath: $(templateFilePath) - displayName: LAW storage account - - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json - templateFilePath: $(templateFilePath) - displayName: FunctionApp storage account + # - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: LAW storage account + # - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: FunctionApp storage account - job: displayName: Upload files to storage account pool: From b4d21269be3a4105629fe4ddc9666a163d53fdba Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 13:11:37 +0100 Subject: [PATCH 25/72] Replaced task --- .../platform.dependencies.yml | 40 ++++++++++--------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index c5870ea495..53c0cf69b9 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
@@ -110,19 +110,19 @@ stages: resourceType: 'Microsoft.Storage/storageAccounts' templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default storage account - jobName: default_sa - # - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: LAW storage account - # - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: FunctionApp storage account + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default storage account + # jobName: default_sa + # - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: LAW storage account + # - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: FunctionApp storage account - job: displayName: Upload files to storage account pool: @@ -142,13 +142,13 @@ stages: # Set agent up Set-EnvironmentOnAgent - - task: AzurePowerShell@4 - enabled: true + + - task: AzurePowerShell@5 displayName: Upload files to storage account inputs: azureSubscription: $(serviceConnection) - scriptType: InlineScript - inline: | + ScriptType: 'InlineScript' + Inline: | # Load used functions . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') 
@@ -168,8 +168,10 @@ stages: Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose Export-ContentToBlob @functionInput -Verbose - dependsOn: - - default_sa + azurePowerShellVersion: 'LatestVersion' + pwsh: true + # dependsOn: + # - default_sa dependsOn: #- deploy_rg From f10bfa2f885c405892f288f40f1b5cee0dbb1264 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 13:17:19 +0100 Subject: [PATCH 26/72] Update to latest --- .../platform.dependencies.yml | 988 +++++++++--------- 1 file changed, 494 insertions(+), 494 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 53c0cf69b9..c18fad7c3a 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
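Review bot: `azurePowerShellVersion: 'LatestVersion'` lets the Az module version float on every run, so a job that writes to storage under `$(serviceConnection)` picks up whatever the agent image ships at the time, which is neither reproducible nor auditable from the commit. Prefer pinning, `azurePowerShellVersion: 'OtherVersion'` together with `preferredAzurePowerShellVersion: '<pinned Az version>'`, and bump it deliberately. Commenting out `dependsOn: - default_sa` also removes the only ordering guarantee that the target storage account exists before the upload runs; that matches the deployment template being commented out in this commit, but the dependency should return together with it. The enclosing job starts before this hunk.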
@@ -28,81 +28,81 @@ variables: value: 'validation-rg' stages: - # - stage: deploy_rg - # displayName: Deploy resource group - # variables: - # resourceType: 'Microsoft.Resources/resourceGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Validation Resource Group - - # - stage: deploy_msi - # displayName: Deploy user assigned identity - # variables: - # resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: User Assigned Identity - # dependsOn: - # - deploy_rg - - # - stage: deploy_pa - # displayName: Deploy policy assignment - # variables: - # resourceType: 'Microsoft.Authorization/policyAssignments' - # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Policy assignment - # dependsOn: - # - deploy_rg - - # - stage: deploy_evh - # displayName: Deploy event hub - # variables: - # resourceType: 'Microsoft.EventHub/namespaces' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - 
# templateFilePath: $(templateFilePath) - # displayName: EventHub - # dependsOn: - # - deploy_rg - - # - stage: deploy_law - # displayName: Deploy log analytics workspace - # variables: - # resourceType: 'Microsoft.OperationalInsights/workspaces' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default LAW - # - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: AppInsights LAW - # dependsOn: - # - deploy_rg + - stage: deploy_rg + displayName: Deploy resource group + variables: + resourceType: 'Microsoft.Resources/resourceGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json + templateFilePath: $(templateFilePath) + displayName: Validation Resource Group + + - stage: deploy_msi + displayName: Deploy user assigned identity + variables: + resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: User Assigned Identity + dependsOn: + - deploy_rg + + - stage: deploy_pa + displayName: Deploy policy assignment + variables: + resourceType: 'Microsoft.Authorization/policyAssignments' + templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep + jobs: + - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Policy assignment + dependsOn: + - deploy_rg + + - stage: deploy_evh + displayName: Deploy event hub + variables: + resourceType: 'Microsoft.EventHub/namespaces' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: EventHub + dependsOn: + - deploy_rg + + - stage: deploy_law + displayName: Deploy log analytics workspace + variables: + resourceType: 'Microsoft.OperationalInsights/workspaces' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default LAW + - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json + templateFilePath: $(templateFilePath) + displayName: AppInsights LAW + dependsOn: + - deploy_rg - stage: deploy_sa displayName: Deploy storage account 
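Review bot: Re-enabling `deploy_pa` makes every run apply a policy assignment from `nested_policyAssignments_sub.bicep`, which by its name appears to target subscription scope, with only `deploy_rg` as a prerequisite; the service connection then needs subscription-level policy rights (Resource Policy Contributor or Owner), and an unintended run changes governance for the whole subscription rather than the validation resource group alone. Consider gating the stage behind an explicit parameter the way `deploySqlMiDependencies` gates other blocks, e.g. `- ${{ if eq(parameters.deployPolicyAssignments, true) }}:` wrapping `- stage: deploy_pa`, and add a comment above the stage naming the RBAC the connection must hold. Nothing in this hunk documents that requirement today.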
@@ -110,19 +110,19 @@ stages: resourceType: 'Microsoft.Storage/storageAccounts' templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default storage account - # jobName: default_sa - # - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: LAW storage account - # - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: FunctionApp storage account + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default storage account + jobName: default_sa + - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json + templateFilePath: $(templateFilePath) + displayName: LAW storage account + - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json + templateFilePath: $(templateFilePath) + displayName: FunctionApp storage account - job: displayName: Upload files to storage account pool: 
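Review bot: Only the default storage-account block carries `jobName: default_sa`; the LAW and FunctionApp blocks restored here have none, so no downstream job can name them as a dependency (the upload job's `dependsOn` in the following hunk lists only `default_sa`). If the upload job writes to any of those other accounts, their creation is not guaranteed to have finished first. Give each block a stable handle, `jobName: law_sa` and `jobName: fa_sa`, so the ordering can be stated explicitly; the `Upload files to storage account` job begins at the end of this hunk but its body lies outside it.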
@@ -170,410 +170,410 @@ stages: Export-ContentToBlob @functionInput -Verbose azurePowerShellVersion: 'LatestVersion' pwsh: true - # dependsOn: - # - default_sa + dependsOn: + - default_sa + dependsOn: + - deploy_rg + + - stage: deploy_sig + displayName: Deploy shared image gallery and definition + variables: + resourceType: 'Microsoft.Compute/galleries' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default SIG and SID + dependsOn: + - deploy_rg + + - stage: deploy_ag + displayName: Deploy action groups + variables: + resourceType: 'Microsoft.Compute/galleries' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Action Group + dependsOn: + - deploy_rg + + - stage: deploy_asg + displayName: Deploy application security groups + variables: + resourceType: 'Microsoft.Network/applicationSecurityGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Security Groups + dependsOn: + - deploy_rg + + - stage: deploy_udr + displayName: Deploy route tables + variables: + resourceType: 'Microsoft.Network/routeTables' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: 
$(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default User Defined Routes + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI User Defined Routes + dependsOn: + - deploy_rg + + - stage: deploy_nsg + displayName: Deploy network security groups + variables: + resourceType: 'Microsoft.Network/networkSecurityGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default NSG + - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + templateFilePath: $(templateFilePath) + displayName: App Gateway NSG + - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json + templateFilePath: $(templateFilePath) + displayName: ASE NSG + - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion NSG + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI NSG + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_pip + displayName: Deploy public IP addresses + variables: + resourceType: 'Microsoft.Network\publicIPAddresses' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + templateFilePath: $(templateFilePath) + displayName: App Gateway Public IP + - 
path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion Public IP + - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json + templateFilePath: $(templateFilePath) + displayName: Load balancer Public IP + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_appi + displayName: Deploy application insight + variables: + resourceType: 'Microsoft.Insights/components' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Insights + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_aut + displayName: Deploy automation account + variables: + resourceType: 'Microsoft.Automation/automationAccounts' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Automation Account + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_avdhp + displayName: Deploy AVD host pool + variables: + resourceType: 'Microsoft.DesktopVirtualization/hostpools' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default AVD Host Pool + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_rsv + displayName: Deploy recovery services vault + variables: + 
resourceType: 'Microsoft.RecoveryServices/vaults' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default recovery services vault + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_kv + displayName: Deploy key vaults + variables: + resourceType: 'Microsoft.KeyVault/vaults' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Key Vault + jobName: default_kv + - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json + templateFilePath: $(templateFilePath) + displayName: Private Endpoint Key Vault + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI key vault + jobName: sqlmi_kv + - job: + displayName: Set key vault secrets keys and certificates + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Set agent up + Set-EnvironmentOnAgent + - task: AzureCLI@2 + enabled: true + displayName: Set key vault secrets keys and certificates + inputs: + azureSubscription: $(serviceConnection) + scriptType: 'pscore' + scriptLocation: 'inlineScript' + inlineScript: | + $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + $passwordString = (New-Guid).Guid.SubString(0,19) + $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + $keyVaultName = 'adp-sxx-az-kv-x-001' + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # VirtualMachines and VMSS + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password + # Azure SQLServer + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # VirtualNetworkGateway + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey + # DiskEncryptionSet, VirtualMachines and VMSS + az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey' + # ApplicationGateway + $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal + Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy + # API management + Set-AzKeyVaultSecret -VaultName 
$keyVaultName -Name 'apimclientid' -SecretValue $username + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password + dependsOn: + - default_kv + - job: + displayName: Set sqlmi key vault secrets and keys + condition: eq(${{ parameters.deploySqlMiDependencies }}, true) + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Set agent up + Set-EnvironmentOnAgent + - task: AzureCLI@2 + enabled: true + displayName: Set sqlmi key vault secrets and keys + inputs: + azureSubscription: $(serviceConnection) + scriptType: 'pscore' + scriptLocation: 'inlineScript' + inlineScript: | + $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + $passwordString = (New-Guid).Guid.SubString(0,19) + $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # SQLManagedInstances secrets + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # SQLManagedInstances Keys + az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' + dependsOn: + - sqlmi_kv + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_avdag + displayName: Deploy AVD application 
group + variables: + resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Group + dependsOn: + - deploy_avdhp + + - stage: deploy_rolea + displayName: Deploy role assignments + variables: + resourceType: 'Microsoft.Authorization\roleAssignments' + templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: MSI Role Assignment + dependsOn: + - deploy_msi + + - stage: deploy_vnet + displayName: Deploy virtual networks + variables: + resourceType: 'Microsoft.Network/virtualNetworks' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json + templateFilePath: $(templateFilePath) + displayName: VNET PEering 1 Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json + templateFilePath: $(templateFilePath) + displayName: VNET Peering 2 Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json + templateFilePath: 
$(templateFilePath) + displayName: Azure Firewall Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json + templateFilePath: $(templateFilePath) + displayName: AKS Virtual Network + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQL MI Virtual Network + dependsOn: + - deploy_nsg + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - deploy_udr + + - stage: deploy_dnszone + displayName: Deploy private DNS zones + variables: + resourceType: 'Microsoft.Network/privateDnsZones' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Private DNS Zones + dependsOn: + - deploy_vnet + + - stage: deploy_vm + displayName: Deploy virtual machines + variables: + resourceType: 'Microsoft.Compute/virtualMachines' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Virtual Machine dependsOn: - #- deploy_rg - - # - stage: deploy_sig - # displayName: Deploy shared image gallery and definition - # variables: - # resourceType: 'Microsoft.Compute/galleries' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default SIG and SID - # 
dependsOn: - # - deploy_rg - - # - stage: deploy_ag - # displayName: Deploy action groups - # variables: - # resourceType: 'Microsoft.Compute/galleries' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Action Group - # dependsOn: - # - deploy_rg - - # - stage: deploy_asg - # displayName: Deploy application security groups - # variables: - # resourceType: 'Microsoft.Network/applicationSecurityGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Security Groups - # dependsOn: - # - deploy_rg - - # - stage: deploy_udr - # displayName: Deploy route tables - # variables: - # resourceType: 'Microsoft.Network/routeTables' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default User Defined Routes - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI User Defined Routes - # dependsOn: - # - deploy_rg - - # - stage: deploy_nsg - # displayName: Deploy network security groups - # variables: - # resourceType: 'Microsoft.Network/networkSecurityGroups' - # templateFilePath: 
$(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: App Gateway NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: ASE NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion NSG - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI NSG - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_pip - # displayName: Deploy public IP addresses - # variables: - # resourceType: 'Microsoft.Network\publicIPAddresses' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: App Gateway Public IP - # - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion Public IP - # - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Load balancer Public IP - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_appi - # displayName: Deploy application insight - # variables: - # resourceType: 
'Microsoft.Insights/components' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Insights - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_aut - # displayName: Deploy automation account - # variables: - # resourceType: 'Microsoft.Automation/automationAccounts' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Automation Account - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_avdhp - # displayName: Deploy AVD host pool - # variables: - # resourceType: 'Microsoft.DesktopVirtualization/hostpools' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default AVD Host Pool - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_rsv - # displayName: Deploy recovery services vault - # variables: - # resourceType: 'Microsoft.RecoveryServices/vaults' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # 
displayName: Default recovery services vault - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_kv - # displayName: Deploy key vaults - # variables: - # resourceType: 'Microsoft.KeyVault/vaults' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Key Vault - # jobName: default_kv - # - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Private Endpoint Key Vault - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI key vault - # jobName: sqlmi_kv - # - job: - # displayName: Set key vault secrets keys and certificates - # pool: - # ${{ if eq(variables['vmImage'], '') }}: - # name: $(poolName) - # ${{ if eq(variables['poolName'], '') }}: - # vmImage: $(vmImage) - # steps: - # - task: PowerShell@2 - # displayName: 'Setup agent' - # inputs: - # targetType: inline - # pwsh: true - # script: | - # # Load used functions - # . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Set agent up - # Set-EnvironmentOnAgent - # - task: AzureCLI@2 - # enabled: true - # displayName: Set key vault secrets keys and certificates - # inputs: - # azureSubscription: $(serviceConnection) - # scriptType: 'pscore' - # scriptLocation: 'inlineScript' - # inlineScript: | - # $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - # $passwordString = (New-Guid).Guid.SubString(0,19) - # $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - # $keyVaultName = 'adp-sxx-az-kv-x-001' - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # # VirtualMachines and VMSS - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password - # # Azure SQLServer - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # # VirtualNetworkGateway - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey - # # DiskEncryptionSet, VirtualMachines and VMSS - # az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey' - # # ApplicationGateway - # $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - # Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy 
- # # API management - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password - # dependsOn: - # - default_kv - # - job: - # displayName: Set sqlmi key vault secrets and keys - # condition: eq(${{ parameters.deploySqlMiDependencies }}, true) - # pool: - # ${{ if eq(variables['vmImage'], '') }}: - # name: $(poolName) - # ${{ if eq(variables['poolName'], '') }}: - # vmImage: $(vmImage) - # steps: - # - task: PowerShell@2 - # displayName: 'Setup agent' - # inputs: - # targetType: inline - # pwsh: true - # script: | - # # Load used functions - # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Set agent up - # Set-EnvironmentOnAgent - # - task: AzureCLI@2 - # enabled: true - # displayName: Set sqlmi key vault secrets and keys - # inputs: - # azureSubscription: $(serviceConnection) - # scriptType: 'pscore' - # scriptLocation: 'inlineScript' - # inlineScript: | - # $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - # $passwordString = (New-Guid).Guid.SubString(0,19) - # $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - # $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # # SQLManagedInstances secrets - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # # SQLManagedInstances Keys - # az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' - # 
dependsOn: - # - sqlmi_kv - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_avdag - # displayName: Deploy AVD application group - # variables: - # resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Group - # dependsOn: - # - deploy_avdhp - - # - stage: deploy_rolea - # displayName: Deploy role assignments - # variables: - # resourceType: 'Microsoft.Authorization\roleAssignments' - # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: MSI Role Assignment - # dependsOn: - # - deploy_msi - - # - stage: deploy_vnet - # displayName: Deploy virtual networks - # variables: - # resourceType: 'Microsoft.Network/virtualNetworks' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: VNET PEering 1 Virtual Network - # - path: 
$(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: VNET Peering 2 Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Azure Firewall Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: AKS Virtual Network - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQL MI Virtual Network - # dependsOn: - # - deploy_nsg - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - deploy_udr - - # - stage: deploy_dnszone - # displayName: Deploy private DNS zones - # variables: - # resourceType: 'Microsoft.Network/privateDnsZones' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Private DNS Zones - # dependsOn: - # - deploy_vnet - - # - stage: deploy_vm - # displayName: Deploy virtual machines - # variables: - # resourceType: 'Microsoft.Compute/virtualMachines' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Virtual Machine - # dependsOn: - # - deploy_vnet - # - deploy_rsv - # - deploy_kv + - deploy_vnet + - deploy_rsv + - deploy_kv 
From a8b39cf03685b0f29ad1f3e627dac1bf67e01faf Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 14:02:12 +0100 Subject: [PATCH 27/72] Update to latest --- .../platform.dependencies.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index c18fad7c3a..62f0201dc2 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -142,7 +142,6 @@ stages: # Set agent up Set-EnvironmentOnAgent - - task: AzurePowerShell@5 displayName: Upload files to storage account inputs: @@ -400,14 +399,12 @@ stages: # Set agent up Set-EnvironmentOnAgent - - task: AzureCLI@2 - enabled: true + - task: AzurePowerShell@5 displayName: Set key vault secrets keys and certificates inputs: azureSubscription: $(serviceConnection) - scriptType: 'pscore' - scriptLocation: 'inlineScript' - inlineScript: | + ScriptType: 'InlineScript' + Inline: | $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length $passwordString = (New-Guid).Guid.SubString(0,19) $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) @@ -431,6 +428,9 @@ stages: # API management Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password + azurePowerShellVersion: 'LatestVersion' + pwsh: true + dependsOn: - default_kv - job: 
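Review bot: The `az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey'` call inside this `Inline:` script (added in the earlier patch; the line sits between the @@ -400 and @@ -431 hunks, so it is not shown here) loses its authentication once the step moves from AzureCLI@2 to AzurePowerShell@5. AzurePowerShell@5 signs in only the Az PowerShell session, so the `az` call would run without the CLI login the old task provided and either fail or use whatever CLI credentials happen to be cached on the agent, which on a self-hosted pool is a silent change of credential scope. Replace it with the Az cmdlet, `Add-AzKeyVaultKey -VaultName $keyVaultName -Name 'keyEncryptionKey' -Destination 'Software'`; the @@ -473 hunk on the next line has the same issue with `keyEncryptionKeySqlMi`. Separately, `azurePowerShellVersion: 'LatestVersion'` (added in @@ -431) lets the Az module version float between runs; pinning it with `azurePowerShellVersion: 'OtherVersion'` and `preferredAzurePowerShellVersion: '<PINNED_AZ_VERSION>'` keeps this dependency deployment reproducible.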
@@ -453,14 +453,12 @@ stages: # Set agent up Set-EnvironmentOnAgent - - task: AzureCLI@2 - enabled: true + - task: AzurePowerShell@5 displayName: Set sqlmi key vault secrets and keys inputs: azureSubscription: $(serviceConnection) - scriptType: 'pscore' - scriptLocation: 'inlineScript' - inlineScript: | + ScriptType: 'InlineScript' + Inline: | $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length $passwordString = (New-Guid).Guid.SubString(0,19) $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) @@ -473,6 +471,8 @@ stages: Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password # SQLManagedInstances Keys az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' + azurePowerShellVersion: 'LatestVersion' + pwsh: true dependsOn: - sqlmi_kv dependsOn: From 6599a828fa7c56c0577155d03879c8cfe3e678f4 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 15:27:08 +0100 Subject: [PATCH 28/72] Disabled non-failing jobs --- .../platform.dependencies.yml | 867 +++++++++--------- 1 file changed, 433 insertions(+), 434 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 62f0201dc2..57fcbcd2e3 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
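Review bot: The sqlmi `Inline:` script in the @@ -453 hunk still generates `$vpnSharedKeyString = (New-Guid).Guid.SubString(0,32)` and the matching `$vpnSharedKey` SecureString, although, going by the script body shown in the earlier patch, no VirtualNetworkGateway secret is written to the sqlmi vault (the middle of the script is outside this hunk), so those two lines appear to be dead and can be dropped. The rest of the script is a copy of the default-vault job with a different `$keyVaultName` and a subset of the secrets; moving the credential generation into one parameterised file under `utilities/pipelines/sharedScripts/`, dot-sourced the way `Set-EnvironmentOnAgent.ps1` already is in the 'Setup agent' step, would leave one place to review how admin passwords are derived instead of two inline copies. A short comment above the generation lines stating the intent would also help, e.g. `# Test-only credentials; regenerated on every run and stored only in Key Vault`.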
@@ -28,336 +28,336 @@ variables: value: 'validation-rg' stages: - - stage: deploy_rg - displayName: Deploy resource group - variables: - resourceType: 'Microsoft.Resources/resourceGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json - templateFilePath: $(templateFilePath) - displayName: Validation Resource Group - - - stage: deploy_msi - displayName: Deploy user assigned identity - variables: - resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: User Assigned Identity - dependsOn: - - deploy_rg - - - stage: deploy_pa - displayName: Deploy policy assignment - variables: - resourceType: 'Microsoft.Authorization/policyAssignments' - templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Policy assignment - dependsOn: - - deploy_rg - - - stage: deploy_evh - displayName: Deploy event hub - variables: - resourceType: 'Microsoft.EventHub/namespaces' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: EventHub - dependsOn: - - deploy_rg - - - 
stage: deploy_law - displayName: Deploy log analytics workspace - variables: - resourceType: 'Microsoft.OperationalInsights/workspaces' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default LAW - - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json - templateFilePath: $(templateFilePath) - displayName: AppInsights LAW - dependsOn: - - deploy_rg - - - stage: deploy_sa - displayName: Deploy storage account - variables: - resourceType: 'Microsoft.Storage/storageAccounts' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default storage account - jobName: default_sa - - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json - templateFilePath: $(templateFilePath) - displayName: LAW storage account - - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json - templateFilePath: $(templateFilePath) - displayName: FunctionApp storage account - - job: - displayName: Upload files to storage account - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: PowerShell@2 - displayName: 'Setup agent' - inputs: - targetType: inline - pwsh: true - script: | - # Load used functions - . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Set agent up - Set-EnvironmentOnAgent - - task: AzurePowerShell@5 - displayName: Upload files to storage account - inputs: - azureSubscription: $(serviceConnection) - ScriptType: 'InlineScript' - Inline: | - # Load used functions - . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # Get storage account name - $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'parameters' 'parameters.json' - $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # Upload files to storage account - $functionInput = @{ - ResourceGroupName = '$(defaultResourceGroupName)' - StorageAccountName = $storageAccountParameters.name.value - contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' - targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - } - - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - Export-ContentToBlob @functionInput -Verbose - azurePowerShellVersion: 'LatestVersion' - pwsh: true - dependsOn: - - default_sa - dependsOn: - - deploy_rg - - - stage: deploy_sig - displayName: Deploy shared image gallery and definition - variables: - resourceType: 'Microsoft.Compute/galleries' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default SIG and SID - dependsOn: - - deploy_rg - - - stage: deploy_ag - displayName: Deploy action groups - variables: - resourceType: 'Microsoft.Compute/galleries' - templateFilePath: 
$(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Action Group - dependsOn: - - deploy_rg - - - stage: deploy_asg - displayName: Deploy application security groups - variables: - resourceType: 'Microsoft.Network/applicationSecurityGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Security Groups - dependsOn: - - deploy_rg - - - stage: deploy_udr - displayName: Deploy route tables - variables: - resourceType: 'Microsoft.Network/routeTables' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default User Defined Routes - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI User Defined Routes - dependsOn: - - deploy_rg - - - stage: deploy_nsg - displayName: Deploy network security groups - variables: - resourceType: 'Microsoft.Network/networkSecurityGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default NSG - - 
path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - templateFilePath: $(templateFilePath) - displayName: App Gateway NSG - - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json - templateFilePath: $(templateFilePath) - displayName: ASE NSG - - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion NSG - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI NSG - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_pip - displayName: Deploy public IP addresses - variables: - resourceType: 'Microsoft.Network\publicIPAddresses' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - templateFilePath: $(templateFilePath) - displayName: App Gateway Public IP - - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Public IP - - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json - templateFilePath: $(templateFilePath) - displayName: Load balancer Public IP - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_appi - displayName: Deploy application insight - variables: - resourceType: 'Microsoft.Insights/components' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Insights - dependsOn: - - deploy_sa - - 
deploy_evh - - deploy_law - - - stage: deploy_aut - displayName: Deploy automation account - variables: - resourceType: 'Microsoft.Automation/automationAccounts' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Automation Account - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_avdhp - displayName: Deploy AVD host pool - variables: - resourceType: 'Microsoft.DesktopVirtualization/hostpools' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default AVD Host Pool - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_rsv - displayName: Deploy recovery services vault - variables: - resourceType: 'Microsoft.RecoveryServices/vaults' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default recovery services vault - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law + # - stage: deploy_rg + # displayName: Deploy resource group + # variables: + # resourceType: 'Microsoft.Resources/resourceGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json + # 
templateFilePath: $(templateFilePath) + # displayName: Validation Resource Group + + # - stage: deploy_msi + # displayName: Deploy user assigned identity + # variables: + # resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: User Assigned Identity + # dependsOn: + # - deploy_rg + + # - stage: deploy_pa + # displayName: Deploy policy assignment + # variables: + # resourceType: 'Microsoft.Authorization/policyAssignments' + # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Policy assignment + # dependsOn: + # - deploy_rg + + # - stage: deploy_evh + # displayName: Deploy event hub + # variables: + # resourceType: 'Microsoft.EventHub/namespaces' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: EventHub + # dependsOn: + # - deploy_rg + + # - stage: deploy_law + # displayName: Deploy log analytics workspace + # variables: + # resourceType: 'Microsoft.OperationalInsights/workspaces' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: 
$(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default LAW + # - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: AppInsights LAW + # dependsOn: + # - deploy_rg + + # - stage: deploy_sa + # displayName: Deploy storage account + # variables: + # resourceType: 'Microsoft.Storage/storageAccounts' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default storage account + # jobName: default_sa + # - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: LAW storage account + # - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: FunctionApp storage account + # - job: + # displayName: Upload files to storage account + # pool: + # ${{ if eq(variables['vmImage'], '') }}: + # name: $(poolName) + # ${{ if eq(variables['poolName'], '') }}: + # vmImage: $(vmImage) + # steps: + # - task: PowerShell@2 + # displayName: 'Setup agent' + # inputs: + # targetType: inline + # pwsh: true + # script: | + # # Load used functions + # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Set agent up + # Set-EnvironmentOnAgent + # - task: AzurePowerShell@5 + # displayName: Upload files to storage account + # inputs: + # azureSubscription: $(serviceConnection) + # ScriptType: 'InlineScript' + # Inline: | + # # Load used functions + # . 
(Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # # Get storage account name + # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'parameters' 'parameters.json' + # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # # Upload files to storage account + # $functionInput = @{ + # ResourceGroupName = '$(defaultResourceGroupName)' + # StorageAccountName = $storageAccountParameters.name.value + # contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' + # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + # } + + # Write-Verbose "Invoke task with" -Verbose + # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + # Export-ContentToBlob @functionInput -Verbose + # azurePowerShellVersion: 'LatestVersion' + # pwsh: true + # dependsOn: + # - default_sa + # dependsOn: + # - deploy_rg + + # - stage: deploy_sig + # displayName: Deploy shared image gallery and definition + # variables: + # resourceType: 'Microsoft.Compute/galleries' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default SIG and SID + # dependsOn: + # - deploy_rg + + # - stage: deploy_ag + # displayName: Deploy action groups + # variables: + # resourceType: 'Microsoft.Compute/galleries' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # 
displayName: Default Action Group + # dependsOn: + # - deploy_rg + + # - stage: deploy_asg + # displayName: Deploy application security groups + # variables: + # resourceType: 'Microsoft.Network/applicationSecurityGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Security Groups + # dependsOn: + # - deploy_rg + + # - stage: deploy_udr + # displayName: Deploy route tables + # variables: + # resourceType: 'Microsoft.Network/routeTables' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default User Defined Routes + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI User Defined Routes + # dependsOn: + # - deploy_rg + + # - stage: deploy_nsg + # displayName: Deploy network security groups + # variables: + # resourceType: 'Microsoft.Network/networkSecurityGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default NSG + # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: App Gateway NSG + # - path: 
$(dependencyPath)/$(resourceType)/parameters/ase.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: ASE NSG + # - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion NSG + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI NSG + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_pip + # displayName: Deploy public IP addresses + # variables: + # resourceType: 'Microsoft.Network\publicIPAddresses' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: App Gateway Public IP + # - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion Public IP + # - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Load balancer Public IP + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_appi + # displayName: Deploy application insight + # variables: + # resourceType: 'Microsoft.Insights/components' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Insights + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_aut + # 
displayName: Deploy automation account + # variables: + # resourceType: 'Microsoft.Automation/automationAccounts' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Automation Account + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_avdhp + # displayName: Deploy AVD host pool + # variables: + # resourceType: 'Microsoft.DesktopVirtualization/hostpools' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default AVD Host Pool + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_rsv + # displayName: Deploy recovery services vault + # variables: + # resourceType: 'Microsoft.RecoveryServices/vaults' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default recovery services vault + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law - stage: deploy_kv displayName: Deploy key vaults 
@@ -365,21 +365,21 @@ stages: resourceType: 'Microsoft.KeyVault/vaults' templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Key Vault - jobName: default_kv - - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json - templateFilePath: $(templateFilePath) - displayName: Private Endpoint Key Vault - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI key vault - jobName: sqlmi_kv + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Key Vault + # jobName: default_kv + # - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Private Endpoint Key Vault + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI key vault + # jobName: sqlmi_kv - job: displayName: Set key vault secrets keys and certificates pool: @@ -430,9 +430,8 @@ stages: Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password azurePowerShellVersion: 'LatestVersion' pwsh: true - - dependsOn: - - default_kv + # dependsOn: + # - default_kv - job: displayName: Set sqlmi key vault secrets and keys condition: eq(${{ parameters.deploySqlMiDependencies }}, true) 
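Review bot: The deploy_kv stage is disabled by commenting out the template job line by line, while the same file already gates optional work with `- ${{ if eq( parameters.deploySqlMiDependencies, true) }}:` (visible in this hunk); the commented-out block leaves `jobs:` holding only the secrets job and makes re-enabling a manual un-comment of fourteen lines. Wrapping the template reference in a template expression on a new boolean parameter (a name such as `deployKeyVaultDependencies`, constructed here) would keep the stage graph valid and turn re-enabling into a parameter flip. Until then a one-line note above the block, `# temporarily disabled; the secrets job below assumes the vault already exists`, would tell the next reader why a deployment stage no longer deploys anything. The deploy_kv stage continues outside this hunk.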
@@ -473,42 +472,42 @@ stages: az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' azurePowerShellVersion: 'LatestVersion' pwsh: true - dependsOn: - - sqlmi_kv - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_avdag - displayName: Deploy AVD application group - variables: - resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Group - dependsOn: - - deploy_avdhp - - - stage: deploy_rolea - displayName: Deploy role assignments - variables: - resourceType: 'Microsoft.Authorization\roleAssignments' - templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: MSI Role Assignment - dependsOn: - - deploy_msi + # dependsOn: + # - sqlmi_kv + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_avdag + # displayName: Deploy AVD application group + # variables: + # resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Group + # dependsOn: + # - deploy_avdhp + + # - stage: deploy_rolea + # displayName: Deploy role assignments + # variables: + # resourceType: 
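Review bot: With `dependsOn: - default_kv` commented out in `@@ -430,9 +430,8 @@`, the "Set key vault secrets keys and certificates" job no longer waits for anything and targets a vault the pipeline no longer creates, so `Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password` either fails on a missing vault or, against a pre-existing vault, writes a new version of `apimclientsecret` on every run. If the intent is to run the job against an existing vault, that precondition should be stated on the job, e.g. `# default_kv is disabled: $keyVaultName must already exist in $(defaultResourceGroupName)` (the resource group name is my assumption from the storage job earlier in the file, confirm). The job body that derives `$keyVaultName` and `$password` lies outside this hunk, so I cannot tell whether the value is regenerated per run.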
'Microsoft.Authorization\roleAssignments' + # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: MSI Role Assignment + # dependsOn: + # - deploy_msi - stage: deploy_vnet displayName: Deploy virtual networks 
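Review bot: Commenting out the stage-level `dependsOn: - deploy_sa - deploy_evh - deploy_law` on deploy_kv changes its ordering semantics rather than just removing dead references: in Azure Pipelines a stage with no `dependsOn` implicitly depends on the stage defined immediately before it, so deploy_kv now runs after whichever neighbouring stage happens to be uncommented, and the same applies to deploy_vnet in patch 30's `@@ -540,10 +538,10 @@`. If the stages it depended on are gone, `dependsOn: []` makes the "run as soon as possible" intent explicit and survives later re-ordering of the file. Separately, the disabled deploy_rolea stage keeps `resourceType: 'Microsoft.Authorization\roleAssignments'` with a backslash, and that value is interpolated into `$(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep`; on a Linux agent the backslash is a literal path character, so it should read `'Microsoft.Authorization/roleAssignments'` before the stage is re-enabled (the deploy_pip stage earlier in this patch has the same `'Microsoft.Network\publicIPAddresses'` form).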
@@ -522,58 +521,58 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: Default Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json - templateFilePath: $(templateFilePath) - displayName: VNET PEering 1 Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json - templateFilePath: $(templateFilePath) - displayName: VNET Peering 2 Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json - templateFilePath: $(templateFilePath) - displayName: Azure Firewall Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json - templateFilePath: $(templateFilePath) - displayName: AKS Virtual Network - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQL MI Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: VNET PEering 1 Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: VNET Peering 2 Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Azure Firewall Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json + # templateFilePath: 
$(templateFilePath) + # displayName: AKS Virtual Network + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQL MI Virtual Network dependsOn: - deploy_nsg - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - deploy_udr - - stage: deploy_dnszone - displayName: Deploy private DNS zones - variables: - resourceType: 'Microsoft.Network/privateDnsZones' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Private DNS Zones - dependsOn: - - deploy_vnet - - - stage: deploy_vm - displayName: Deploy virtual machines - variables: - resourceType: 'Microsoft.Compute/virtualMachines' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Virtual Machine - dependsOn: - - deploy_vnet - - deploy_rsv - - deploy_kv + # - stage: deploy_dnszone + # displayName: Deploy private DNS zones + # variables: + # resourceType: 'Microsoft.Network/privateDnsZones' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Private DNS Zones + # dependsOn: + # - deploy_vnet + + # - stage: deploy_vm + # displayName: Deploy virtual machines + # variables: + # resourceType: 
'Microsoft.Compute/virtualMachines' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Virtual Machine + # dependsOn: + # - deploy_vnet + # - deploy_rsv + # - deploy_kv From ed3dba778fe6a2bebacddced984973e01798367e Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 15:27:35 +0100 Subject: [PATCH 29/72] Disabled non-failing jobs --- .../platform.dependencies.yml | 60 +++++++++---------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 57fcbcd2e3..9fb9eaab9f 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
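Review bot: The deploy_vnet stage keeps `dependsOn: - deploy_nsg` and the conditional `- deploy_udr` active (context lines in this hunk) while this same patch comments out the deploy_nsg and deploy_udr stages in its first hunk, so I would expect the pipeline compiler to reject the file for depending on an unknown stage rather than run it. The follow-up patch 30 (`@@ -540,10 +538,10 @@`) comments the block out, which suggests that is what happened; disabling a stage and its inbound edges belongs in one commit so each revision stays runnable. A short marker next to the disabled blocks, `# disabled together with deploy_nsg/deploy_udr; restore dependsOn when they return`, would make the pairing visible. The deploy_vnet stage starts above this hunk.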
@@ -545,34 +545,34 @@ stages: - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - deploy_udr - # - stage: deploy_dnszone - # displayName: Deploy private DNS zones - # variables: - # resourceType: 'Microsoft.Network/privateDnsZones' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Private DNS Zones - # dependsOn: - # - deploy_vnet + - stage: deploy_dnszone + displayName: Deploy private DNS zones + variables: + resourceType: 'Microsoft.Network/privateDnsZones' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Private DNS Zones + dependsOn: + - deploy_vnet - # - stage: deploy_vm - # displayName: Deploy virtual machines - # variables: - # resourceType: 'Microsoft.Compute/virtualMachines' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Virtual Machine - # dependsOn: - # - deploy_vnet - # - deploy_rsv - # - deploy_kv + - stage: deploy_vm + displayName: Deploy virtual machines + variables: + resourceType: 'Microsoft.Compute/virtualMachines' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: 
$(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Virtual Machine + dependsOn: + - deploy_vnet + # - deploy_rsv + - deploy_kv From ee6a6fbee50dc07323736f88d8ce78ee4bbce9be Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 15:30:25 +0100 Subject: [PATCH 30/72] Disabled non-failing jobs --- .../platformPipelines/platform.dependencies.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 9fb9eaab9f..161b234bb4 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -493,7 +493,6 @@ stages: # displayName: Default Application Group # dependsOn: # - deploy_avdhp - # - stage: deploy_rolea # displayName: Deploy role assignments # variables: @@ -508,7 +507,6 @@ stages: # displayName: MSI Role Assignment # dependsOn: # - deploy_msi - - stage: deploy_vnet displayName: Deploy virtual networks variables: @@ -540,10 +538,10 @@ stages: # - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json # templateFilePath: $(templateFilePath) # displayName: SQL MI Virtual Network - dependsOn: - - deploy_nsg - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - deploy_udr + # dependsOn: + # - deploy_nsg + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - deploy_udr - stage: deploy_dnszone displayName: Deploy private DNS zones From 1f36939543fe2201d3e7f45d35dbcca5d043b4be Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 15:46:15 +0100 Subject: [PATCH 31/72] Update to latest --- .../platform.dependencies.yml | 234 +++++++++--------- 1 file changed, 117 insertions(+), 117 deletions(-) 
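Review bot: The commit message "Disabled non-failing jobs" does not match this hunk, which re-enables the deploy_dnszone and deploy_vm stages; a reader bisecting later will go looking for a disable that is not here, so the message should say the two stages were turned back on. Within deploy_vm, `# - deploy_rsv` is silently dropped from `dependsOn` while `- deploy_kv` is kept, even though deploy_kv's deployment template is disabled in the preceding patch and only its secrets job remains; if the VM parameters reference the vault or the backup vault (I cannot see them from here), the stage will fail for a reason the diff does not explain. A comment on the dependency list, `# deploy_rsv is disabled above; re-add once the vault stage is active`, would record the intent.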
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 161b234bb4..36c5276762 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
@@ -359,125 +359,125 @@ stages: # - deploy_evh # - deploy_law - - stage: deploy_kv - displayName: Deploy key vaults - variables: - resourceType: 'Microsoft.KeyVault/vaults' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Key Vault - # jobName: default_kv - # - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Private Endpoint Key Vault - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI key vault - # jobName: sqlmi_kv - - job: - displayName: Set key vault secrets keys and certificates - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: PowerShell@2 - displayName: 'Setup agent' - inputs: - targetType: inline - pwsh: true - script: | - # Load used functions - . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + # - stage: deploy_kv + # displayName: Deploy key vaults + # variables: + # resourceType: 'Microsoft.KeyVault/vaults' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Key Vault + # jobName: default_kv + # - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Private Endpoint Key Vault + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI key vault + # jobName: sqlmi_kv + # - job: + # displayName: Set key vault secrets keys and certificates + # pool: + # ${{ if eq(variables['vmImage'], '') }}: + # name: $(poolName) + # ${{ if eq(variables['poolName'], '') }}: + # vmImage: $(vmImage) + # steps: + # - task: PowerShell@2 + # displayName: 'Setup agent' + # inputs: + # targetType: inline + # pwsh: true + # script: | + # # Load used functions + # . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - # Set agent up - Set-EnvironmentOnAgent - - task: AzurePowerShell@5 - displayName: Set key vault secrets keys and certificates - inputs: - azureSubscription: $(serviceConnection) - ScriptType: 'InlineScript' - Inline: | - $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - $passwordString = (New-Guid).Guid.SubString(0,19) - $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - $keyVaultName = 'adp-sxx-az-kv-x-001' - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # VirtualMachines and VMSS - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password - # Azure SQLServer - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # VirtualNetworkGateway - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey - # DiskEncryptionSet, VirtualMachines and VMSS - az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey' - # ApplicationGateway - $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy - # API management - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue 
$username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password - azurePowerShellVersion: 'LatestVersion' - pwsh: true - # dependsOn: - # - default_kv - - job: - displayName: Set sqlmi key vault secrets and keys - condition: eq(${{ parameters.deploySqlMiDependencies }}, true) - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: PowerShell@2 - displayName: 'Setup agent' - inputs: - targetType: inline - pwsh: true - script: | - # Load used functions - . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + # # Set agent up + # Set-EnvironmentOnAgent + # - task: AzurePowerShell@5 + # displayName: Set key vault secrets keys and certificates + # inputs: + # azureSubscription: $(serviceConnection) + # ScriptType: 'InlineScript' + # Inline: | + # $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + # $passwordString = (New-Guid).Guid.SubString(0,19) + # $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + # $keyVaultName = 'adp-sxx-az-kv-x-001' + # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # # VirtualMachines and VMSS + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password + # # Azure SQLServer + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # # VirtualNetworkGateway + # 
Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey + # # DiskEncryptionSet, VirtualMachines and VMSS + # az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey' + # # ApplicationGateway + # $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal + # Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy + # # API management + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password + # azurePowerShellVersion: 'LatestVersion' + # pwsh: true + # dependsOn: + # - default_kv + # - job: + # displayName: Set sqlmi key vault secrets and keys + # condition: eq(${{ parameters.deploySqlMiDependencies }}, true) + # pool: + # ${{ if eq(variables['vmImage'], '') }}: + # name: $(poolName) + # ${{ if eq(variables['poolName'], '') }}: + # vmImage: $(vmImage) + # steps: + # - task: PowerShell@2 + # displayName: 'Setup agent' + # inputs: + # targetType: inline + # pwsh: true + # script: | + # # Load used functions + # . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - # Set agent up - Set-EnvironmentOnAgent - - task: AzurePowerShell@5 - displayName: Set sqlmi key vault secrets and keys - inputs: - azureSubscription: $(serviceConnection) - ScriptType: 'InlineScript' - Inline: | - $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - $passwordString = (New-Guid).Guid.SubString(0,19) - $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # SQLManagedInstances secrets - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # SQLManagedInstances Keys - az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' - azurePowerShellVersion: 'LatestVersion' - pwsh: true - # dependsOn: - # - sqlmi_kv - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law + # # Set agent up + # Set-EnvironmentOnAgent + # - task: AzurePowerShell@5 + # displayName: Set sqlmi key vault secrets and keys + # inputs: + # azureSubscription: $(serviceConnection) + # ScriptType: 'InlineScript' + # Inline: | + # $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + # $passwordString = (New-Guid).Guid.SubString(0,19) + # $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + # $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' + # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + # $password = 
ConvertTo-SecureString -String $passwordString -AsPlainText -Force + # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # # SQLManagedInstances secrets + # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # # SQLManagedInstances Keys + # $null = az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' + # azurePowerShellVersion: 'LatestVersion' + # pwsh: true + # dependsOn: + # - sqlmi_kv + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law # - stage: deploy_avdag # displayName: Deploy AVD application group From 46209403847a96d1c8e13a7886d9ae8145e49c6f Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 15:48:19 +0100 Subject: [PATCH 32/72] Update to latest --- arm/Microsoft.Network/virtualNetworks/deploy.bicep | 1 + 1 file changed, 1 insertion(+) diff --git a/arm/Microsoft.Network/virtualNetworks/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/deploy.bicep index 8ec28fe037..8b50f3b27d 100644 --- a/arm/Microsoft.Network/virtualNetworks/deploy.bicep +++ b/arm/Microsoft.Network/virtualNetworks/deploy.bicep @@ -116,6 +116,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-03-01' = { name: subnet.name properties: { addressPrefix: subnet.addressPrefix + delegations: contains(subnet, 'delegations') ? subnet.delegations : [] } }] } From 0b30597195f0a8ade4149c9ff1a925854a144ef5 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Sat, 25 Dec 2021 18:01:20 +0100 Subject: [PATCH 33/72] Added VNET fix --- arm/Microsoft.Network/virtualNetworks/deploy.bicep | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arm/Microsoft.Network/virtualNetworks/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/deploy.bicep index 8b50f3b27d..960f4fa88a 100644 
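Review bot: The entire `deploy_kv` stage, including the job that seeds `adminUsername`, `adminPassword`, `vpnSharedKey` and `keyEncryptionKey`, is disabled by prefixing all 125 lines with `#`, so the hunk is pure churn and toggling the stage back costs another 125-line edit; a stage-level `condition: false`, or a template parameter in the style of the existing `deploySqlMiDependencies`, would keep the YAML live and make the switch a one-line change. Any stage that still lists `- deploy_kv` under `dependsOn` (the VM stage does, earlier in this series) will now fail pipeline validation because the stage name no longer exists. Before the script is re-enabled, two lines deserve a comment: `Get-Random -Count 9 -SetSeed 1` makes `$usernameString` identical on every run, which is fine for a stable test account but should be stated (`# fixed seed on purpose: the username must be stable across re-runs`), and `-SecretValue $username` only resolves to the `$userName` variable because PowerShell variable names are case-insensitive, so one spelling should be used throughout.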
--- a/arm/Microsoft.Network/virtualNetworks/deploy.bicep
+++ b/arm/Microsoft.Network/virtualNetworks/deploy.bicep
@@ -116,7 +116,9 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-03-01' = {
 name: subnet.name
 properties: {
 addressPrefix: subnet.addressPrefix
- delegations: contains(subnet, 'delegations') ? subnet.delegations : []
+ delegations: contains(subnet, 'delegations') ? subnet.delegations : null
+ privateEndpointNetworkPolicies: contains(subnet, 'privateEndpointNetworkPolicies') ? subnet.privateEndpointNetworkPolicies : null
+ privateLinkServiceNetworkPolicies: contains(subnet, 'privateLinkServiceNetworkPolicies') ? subnet.privateLinkServiceNetworkPolicies : null
 }
 }]
 }
From 8813d8b8205f8270ac4c9c198e69d5ab8bfd3bb6 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Sat, 25 Dec 2021 18:02:35 +0100
Subject: [PATCH 34/72] Added VNET fix
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 36c5276762..d58877c4aa 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -573,4 +573,4 @@ stages:
 dependsOn:
 - deploy_vnet
 # - deploy_rsv
- - deploy_kv
+ # - deploy_kv
From 486732dadf9e13f13609cbc48cb441ac4aff3664 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Sat, 25 Dec 2021 18:26:26 +0100
Subject: [PATCH 35/72] Enabled end to end
---
 .../platform.dependencies.yml | 1010 +++++++++--------
 1 file changed, 506 insertions(+), 504 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index d58877c4aa..08c2ac3a0f 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
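Review bot: `privateEndpointNetworkPolicies` and `privateLinkServiceNetworkPolicies` are copied straight from the untyped `subnet` object, so any string in a parameter file reaches the resource provider unvalidated and, when the key is absent, the provider default applies silently; because these two settings decide whether NSG rules and route tables are enforced on private endpoints and private link services in the subnet, the `subnets` parameter's `@description` should list the accepted values `'Enabled'`/`'Disabled'` and state that omitting the key means the provider default. Changing the `delegations` fallback from `[]` to `null` turns an explicit empty list into an unset property, which the provider may treat differently from "clear all delegations"; presumably this is the VNET fix, but a one-line comment above the property (`// null = leave unspecified; [] would clear delegations set outside this template`) would keep the next reader from reverting it. The enclosing `resource virtualNetwork` declaration starts and ends outside the hunk.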
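Review bot: Commenting out `- deploy_kv` in this stage's `dependsOn` (hunk `@@ -573,4 +573,4 @@`) removes the ordering but not the data dependency: the key-vault script elsewhere on this page labels `adminUsername`/`adminPassword` as the VirtualMachines/VMSS secrets, so the VM stage presumably still reads them from `adp-sxx-az-kv-x-001`, and with `deploy_kv` disabled it will either fail on missing secrets or quietly reuse whatever an earlier run left in the vault, which makes a green run misleading. State the assumption next to the change, e.g. `# - deploy_kv  # stage disabled in this branch; VM secrets must already exist in the vault`, or disable the VM stage together with it. The stage owning this `dependsOn` starts outside the hunk.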
@@ -28,485 +28,487 @@ variables: value: 'validation-rg' stages: - # - stage: deploy_rg - # displayName: Deploy resource group - # variables: - # resourceType: 'Microsoft.Resources/resourceGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Validation Resource Group - - # - stage: deploy_msi - # displayName: Deploy user assigned identity - # variables: - # resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: User Assigned Identity - # dependsOn: - # - deploy_rg - - # - stage: deploy_pa - # displayName: Deploy policy assignment - # variables: - # resourceType: 'Microsoft.Authorization/policyAssignments' - # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Policy assignment - # dependsOn: - # - deploy_rg - - # - stage: deploy_evh - # displayName: Deploy event hub - # variables: - # resourceType: 'Microsoft.EventHub/namespaces' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json 
- # templateFilePath: $(templateFilePath) - # displayName: EventHub - # dependsOn: - # - deploy_rg - - # - stage: deploy_law - # displayName: Deploy log analytics workspace - # variables: - # resourceType: 'Microsoft.OperationalInsights/workspaces' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default LAW - # - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: AppInsights LAW - # dependsOn: - # - deploy_rg - - # - stage: deploy_sa - # displayName: Deploy storage account - # variables: - # resourceType: 'Microsoft.Storage/storageAccounts' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default storage account - # jobName: default_sa - # - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: LAW storage account - # - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: FunctionApp storage account - # - job: - # displayName: Upload files to storage account - # pool: - # ${{ if eq(variables['vmImage'], '') }}: - # name: $(poolName) - # ${{ if eq(variables['poolName'], '') }}: - # vmImage: $(vmImage) - # steps: - # - task: PowerShell@2 - # displayName: 'Setup agent' - # inputs: - # targetType: inline - # pwsh: true - # script: | - # # Load used functions - # . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Set agent up - # Set-EnvironmentOnAgent - # - task: AzurePowerShell@5 - # displayName: Upload files to storage account - # inputs: - # azureSubscription: $(serviceConnection) - # ScriptType: 'InlineScript' - # Inline: | - # # Load used functions - # . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # # Get storage account name - # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'parameters' 'parameters.json' - # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # # Upload files to storage account - # $functionInput = @{ - # ResourceGroupName = '$(defaultResourceGroupName)' - # StorageAccountName = $storageAccountParameters.name.value - # contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' - # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - # } - - # Write-Verbose "Invoke task with" -Verbose - # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - # Export-ContentToBlob @functionInput -Verbose - # azurePowerShellVersion: 'LatestVersion' - # pwsh: true - # dependsOn: - # - default_sa - # dependsOn: - # - deploy_rg - - # - stage: deploy_sig - # displayName: Deploy shared image gallery and definition - # variables: - # resourceType: 'Microsoft.Compute/galleries' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default SIG and SID - # dependsOn: - # - deploy_rg - - # - stage: deploy_ag - # displayName: Deploy 
action groups - # variables: - # resourceType: 'Microsoft.Compute/galleries' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Action Group - # dependsOn: - # - deploy_rg - - # - stage: deploy_asg - # displayName: Deploy application security groups - # variables: - # resourceType: 'Microsoft.Network/applicationSecurityGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Security Groups - # dependsOn: - # - deploy_rg - - # - stage: deploy_udr - # displayName: Deploy route tables - # variables: - # resourceType: 'Microsoft.Network/routeTables' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default User Defined Routes - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI User Defined Routes - # dependsOn: - # - deploy_rg - - # - stage: deploy_nsg - # displayName: Deploy network security groups - # variables: - # resourceType: 'Microsoft.Network/networkSecurityGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: App Gateway NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: ASE NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion NSG - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI NSG - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_pip - # displayName: Deploy public IP addresses - # variables: - # resourceType: 'Microsoft.Network\publicIPAddresses' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: App Gateway Public IP - # - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion Public IP - # - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Load balancer Public IP - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_appi - # displayName: Deploy application insight - # variables: - # resourceType: 'Microsoft.Insights/components' - # templateFilePath: 
$(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Insights - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_aut - # displayName: Deploy automation account - # variables: - # resourceType: 'Microsoft.Automation/automationAccounts' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Automation Account - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_avdhp - # displayName: Deploy AVD host pool - # variables: - # resourceType: 'Microsoft.DesktopVirtualization/hostpools' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default AVD Host Pool - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_rsv - # displayName: Deploy recovery services vault - # variables: - # resourceType: 'Microsoft.RecoveryServices/vaults' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default recovery services vault - # dependsOn: - # 
- deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_kv - # displayName: Deploy key vaults - # variables: - # resourceType: 'Microsoft.KeyVault/vaults' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Key Vault - # jobName: default_kv - # - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Private Endpoint Key Vault - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI key vault - # jobName: sqlmi_kv - # - job: - # displayName: Set key vault secrets keys and certificates - # pool: - # ${{ if eq(variables['vmImage'], '') }}: - # name: $(poolName) - # ${{ if eq(variables['poolName'], '') }}: - # vmImage: $(vmImage) - # steps: - # - task: PowerShell@2 - # displayName: 'Setup agent' - # inputs: - # targetType: inline - # pwsh: true - # script: | - # # Load used functions - # . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Set agent up - # Set-EnvironmentOnAgent - # - task: AzurePowerShell@5 - # displayName: Set key vault secrets keys and certificates - # inputs: - # azureSubscription: $(serviceConnection) - # ScriptType: 'InlineScript' - # Inline: | - # $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - # $passwordString = (New-Guid).Guid.SubString(0,19) - # $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - # $keyVaultName = 'adp-sxx-az-kv-x-001' - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # # VirtualMachines and VMSS - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password - # # Azure SQLServer - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # # VirtualNetworkGateway - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey - # # DiskEncryptionSet, VirtualMachines and VMSS - # az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey' - # # ApplicationGateway - # $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - # Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy - # # API management - # Set-AzKeyVaultSecret 
-VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password - # azurePowerShellVersion: 'LatestVersion' - # pwsh: true - # dependsOn: - # - default_kv - # - job: - # displayName: Set sqlmi key vault secrets and keys - # condition: eq(${{ parameters.deploySqlMiDependencies }}, true) - # pool: - # ${{ if eq(variables['vmImage'], '') }}: - # name: $(poolName) - # ${{ if eq(variables['poolName'], '') }}: - # vmImage: $(vmImage) - # steps: - # - task: PowerShell@2 - # displayName: 'Setup agent' - # inputs: - # targetType: inline - # pwsh: true - # script: | - # # Load used functions - # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Set agent up - # Set-EnvironmentOnAgent - # - task: AzurePowerShell@5 - # displayName: Set sqlmi key vault secrets and keys - # inputs: - # azureSubscription: $(serviceConnection) - # ScriptType: 'InlineScript' - # Inline: | - # $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - # $passwordString = (New-Guid).Guid.SubString(0,19) - # $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - # $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # # SQLManagedInstances secrets - # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # # SQLManagedInstances Keys - # $null = az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' - # 
azurePowerShellVersion: 'LatestVersion' - # pwsh: true - # dependsOn: - # - sqlmi_kv - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_avdag - # displayName: Deploy AVD application group - # variables: - # resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Group - # dependsOn: - # - deploy_avdhp - # - stage: deploy_rolea - # displayName: Deploy role assignments - # variables: - # resourceType: 'Microsoft.Authorization\roleAssignments' - # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: MSI Role Assignment - # dependsOn: - # - deploy_msi + - stage: deploy_rg + displayName: Deploy resource group + variables: + resourceType: 'Microsoft.Resources/resourceGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json + templateFilePath: $(templateFilePath) + displayName: Validation Resource Group + + - stage: deploy_msi + displayName: Deploy user assigned identity + variables: + resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: 
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: User Assigned Identity + dependsOn: + - deploy_rg + + - stage: deploy_pa + displayName: Deploy policy assignment + variables: + resourceType: 'Microsoft.Authorization/policyAssignments' + templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Policy assignment + dependsOn: + - deploy_rg + + - stage: deploy_evh + displayName: Deploy event hub + variables: + resourceType: 'Microsoft.EventHub/namespaces' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: EventHub + dependsOn: + - deploy_rg + + - stage: deploy_law + displayName: Deploy log analytics workspace + variables: + resourceType: 'Microsoft.OperationalInsights/workspaces' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default LAW + - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json + templateFilePath: $(templateFilePath) + displayName: AppInsights LAW + dependsOn: + - deploy_rg + + - stage: deploy_sa + displayName: Deploy storage account + variables: + resourceType: 'Microsoft.Storage/storageAccounts' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default storage account + jobName: default_sa + - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json + templateFilePath: $(templateFilePath) + displayName: LAW storage account + - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json + templateFilePath: $(templateFilePath) + displayName: FunctionApp storage account + - job: + displayName: Upload files to storage account + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Set agent up + Set-EnvironmentOnAgent + - task: AzurePowerShell@5 + displayName: Upload files to storage account + inputs: + azureSubscription: $(serviceConnection) + ScriptType: 'InlineScript' + Inline: | + # Load used functions + . 
(Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # Get storage account name + $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'parameters' 'parameters.json' + $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # Upload files to storage account + $functionInput = @{ + ResourceGroupName = '$(defaultResourceGroupName)' + StorageAccountName = $storageAccountParameters.name.value + contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' + targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + } + + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + Export-ContentToBlob @functionInput -Verbose + azurePowerShellVersion: 'LatestVersion' + pwsh: true + dependsOn: + - default_sa + dependsOn: + - deploy_rg + + - stage: deploy_sig + displayName: Deploy shared image gallery and definition + variables: + resourceType: 'Microsoft.Compute/galleries' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default SIG and SID + dependsOn: + - deploy_rg + + - stage: deploy_ag + displayName: Deploy action groups + variables: + resourceType: 'Microsoft.Compute/galleries' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Action Group + dependsOn: + - deploy_rg + + - stage: deploy_asg + 
displayName: Deploy application security groups + variables: + resourceType: 'Microsoft.Network/applicationSecurityGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Security Groups + dependsOn: + - deploy_rg + + - stage: deploy_udr + displayName: Deploy route tables + variables: + resourceType: 'Microsoft.Network/routeTables' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default User Defined Routes + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI User Defined Routes + dependsOn: + - deploy_rg + + - stage: deploy_nsg + displayName: Deploy network security groups + variables: + resourceType: 'Microsoft.Network/networkSecurityGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default NSG + - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + templateFilePath: $(templateFilePath) + displayName: App Gateway NSG + - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json + templateFilePath: $(templateFilePath) + displayName: ASE NSG + - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json 
+ templateFilePath: $(templateFilePath) + displayName: Bastion NSG + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI NSG + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_pip + displayName: Deploy public IP addresses + variables: + resourceType: 'Microsoft.Network\publicIPAddresses' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + templateFilePath: $(templateFilePath) + displayName: App Gateway Public IP + - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion Public IP + - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json + templateFilePath: $(templateFilePath) + displayName: Load balancer Public IP + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_appi + displayName: Deploy application insight + variables: + resourceType: 'Microsoft.Insights/components' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Insights + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_aut + displayName: Deploy automation account + variables: + resourceType: 'Microsoft.Automation/automationAccounts' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: 
$(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Automation Account + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_avdhp + displayName: Deploy AVD host pool + variables: + resourceType: 'Microsoft.DesktopVirtualization/hostpools' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default AVD Host Pool + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_rsv + displayName: Deploy recovery services vault + variables: + resourceType: 'Microsoft.RecoveryServices/vaults' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default recovery services vault + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_kv + displayName: Deploy key vaults + variables: + resourceType: 'Microsoft.KeyVault/vaults' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Key Vault + jobName: default_kv + - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json + templateFilePath: $(templateFilePath) + displayName: Private Endpoint Key Vault + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + 
templateFilePath: $(templateFilePath) + displayName: SQLMI key vault + jobName: sqlmi_kv + - job: + displayName: Set key vault secrets keys and certificates + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Set agent up + Set-EnvironmentOnAgent + - task: AzurePowerShell@5 + displayName: Set key vault secrets keys and certificates + inputs: + azureSubscription: $(serviceConnection) + ScriptType: 'InlineScript' + Inline: | + $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + $passwordString = (New-Guid).Guid.SubString(0,19) + $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + $keyVaultName = 'adp-sxx-az-kv-x-001' + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # VirtualMachines and VMSS + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password + # Azure SQLServer + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # VirtualNetworkGateway + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey + # DiskEncryptionSet, VirtualMachines and VMSS + az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey' 
+ # ApplicationGateway + $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal + Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy + # API management + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password + azurePowerShellVersion: 'LatestVersion' + pwsh: true + dependsOn: + - default_kv + - job: + displayName: Set sqlmi key vault secrets and keys + condition: eq(${{ parameters.deploySqlMiDependencies }}, true) + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Set agent up + Set-EnvironmentOnAgent + - task: AzurePowerShell@5 + displayName: Set sqlmi key vault secrets and keys + inputs: + azureSubscription: $(serviceConnection) + ScriptType: 'InlineScript' + Inline: | + $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + $passwordString = (New-Guid).Guid.SubString(0,19) + $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # SQLManagedInstances secrets + $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # SQLManagedInstances Keys + $null = az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' + azurePowerShellVersion: 'LatestVersion' + pwsh: true + dependsOn: + - sqlmi_kv + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + + - stage: deploy_avdag + displayName: Deploy AVD application group + variables: + resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Group + dependsOn: + - deploy_avdhp + + - stage: deploy_rolea + displayName: Deploy role assignments + variables: + resourceType: 
'Microsoft.Authorization\roleAssignments' + templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: MSI Role Assignment + dependsOn: + - deploy_msi + - stage: deploy_vnet displayName: Deploy virtual networks variables: 
@@ -519,29 +521,29 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: Default Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: VNET PEering 1 Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: VNET Peering 2 Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Azure Firewall Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: AKS Virtual Network - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQL MI Virtual Network - # dependsOn: - # - deploy_nsg - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - deploy_udr + - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json + templateFilePath: $(templateFilePath) + displayName: VNET PEering 1 Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json + templateFilePath: $(templateFilePath) + displayName: VNET Peering 2 Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json + templateFilePath: $(templateFilePath) + displayName: Azure 
Firewall Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json + templateFilePath: $(templateFilePath) + displayName: AKS Virtual Network + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQL MI Virtual Network + dependsOn: + - deploy_nsg + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - deploy_udr - stage: deploy_dnszone displayName: Deploy private DNS zones @@ -572,5 +574,5 @@ stages: displayName: Default Virtual Machine dependsOn: - deploy_vnet - # - deploy_rsv - # - deploy_kv + - deploy_rsv + - deploy_kv From aa726920d11c5362d71bb11866eec6fae19800a0 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 28 Dec 2021 12:13:42 +0100 Subject: [PATCH 36/72] Updated known issues --- docs/wiki/KnownIssues.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/wiki/KnownIssues.md b/docs/wiki/KnownIssues.md index f66eaf3f13..79a48ee023 100644 --- a/docs/wiki/KnownIssues.md +++ b/docs/wiki/KnownIssues.md @@ -39,7 +39,3 @@ We have yet to implement the full set of parameter files we need in order to tes # Pipeline specific This section outlines known issues that currently affect our pipelines. - -## Azure DevOps Dependency pipeline - -There is currently no dependency pipeline for our Azure DevOps solution. From 83d67ac0137867f08331ecb4f9ccaa1b0b59fc31 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 4 Jan 2022 11:59:55 +0100 Subject: [PATCH 37/72] Added missing condition --- .../platform.dependencies.yml | 83 ++++++++++--------- 1 file changed, 42 insertions(+), 41 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 08c2ac3a0f..5e65775717 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
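Review bot: `displayName: VNET PEering 1 Virtual Network` in the re-enabled peering block carries a capitalisation typo that its sibling `VNET Peering 2 Virtual Network` does not; these names are what the run summary shows, so `displayName: VNET Peering 1 Virtual Network` keeps them consistent. The new `dependsOn` only waits for `deploy_udr` under the `deploySqlMiDependencies` condition, while the route-table stage also deploys a default table; if the default VNet parameter file references that table, the dependency on `deploy_udr` would need to be unconditional — worth confirming against the parameter files. The `deploy_vnet` stage header is outside the hunk.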
@@ -432,48 +432,49 @@ stages: pwsh: true dependsOn: - default_kv - - job: - displayName: Set sqlmi key vault secrets and keys - condition: eq(${{ parameters.deploySqlMiDependencies }}, true) - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: PowerShell@2 - displayName: 'Setup agent' - inputs: - targetType: inline - pwsh: true - script: | - # Load used functions - . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Set agent up - Set-EnvironmentOnAgent - - task: AzurePowerShell@5 + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - job: displayName: Set sqlmi key vault secrets and keys - inputs: - azureSubscription: $(serviceConnection) - ScriptType: 'InlineScript' - Inline: | - $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - $passwordString = (New-Guid).Guid.SubString(0,19) - $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # SQLManagedInstances secrets - $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # SQLManagedInstances Keys - $null = az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' - azurePowerShellVersion: 'LatestVersion' - pwsh: true - dependsOn: - - sqlmi_kv + condition: eq(${{ parameters.deploySqlMiDependencies }}, true) + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + 
${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Set agent up + Set-EnvironmentOnAgent + - task: AzurePowerShell@5 + displayName: Set sqlmi key vault secrets and keys + inputs: + azureSubscription: $(serviceConnection) + ScriptType: 'InlineScript' + Inline: | + $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + $passwordString = (New-Guid).Guid.SubString(0,19) + $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # SQLManagedInstances secrets + $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # SQLManagedInstances Keys + $null = az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' + azurePowerShellVersion: 'LatestVersion' + pwsh: true + dependsOn: + - sqlmi_kv dependsOn: - deploy_sa - deploy_evh From baf1fb04b4908c021d21ee9230c6da7fdef8e6eb Mon Sep 17 00:00:00 2001 From: MrMCake Date: Tue, 4 Jan 2022 17:10:41 +0100 Subject: [PATCH 38/72] Added more dynamic to name resolution --- .../platformPipelines/platform.dependencies.yml | 9 +++++++-- .github/workflows/platform.dependencies.yml | 15 ++++++++++++--- 2 files changed, 19 insertions(+), 5 deletions(-) 
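Review bot: `condition: eq(${{ parameters.deploySqlMiDependencies }}, true)` on the re-indented job is now redundant: the enclosing `${{ if eq( parameters.deploySqlMiDependencies, true) }}:` already removes the job at template-expansion time, so the runtime condition can never evaluate to false and the `condition:` line can be dropped. The same job still computes `$vpnSharedKeyString` and `$vpnSharedKey` but never stores them — only `administratorLogin`, `administratorLoginPassword` and the `keyEncryptionKeySqlMi` key are written — so those two lines are dead code. `Get-Random -SetSeed 1` also makes `$usernameString` identical on every run; if that is intended so the login is stable across dependency re-runs, a comment such as `# seeded on purpose: login must be stable across re-runs` would record it. The stage's trailing `dependsOn` list continues past the hunk.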
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 5e65775717..d4f22b2c24 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -152,7 +152,7 @@ stages: . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') # Get storage account name - $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'parameters' 'parameters.json' + $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters # Upload files to storage account @@ -408,7 +408,12 @@ stages: $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length $passwordString = (New-Guid).Guid.SubString(0,19) $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - $keyVaultName = 'adp-sxx-az-kv-x-001' + + # Get key vault name + $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' + $keyVaultParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + $keyVaultName = $keyVaultParameters.name.value + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 51c6328961..9cefe351f1 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml 
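Review bot: `$keyVaultName = $keyVaultParameters.name.value` in the `@@ -408,7 +408,12 @@` hunk takes the vault name from the parameter file without checking that a `name` parameter exists; when it is missing, `$keyVaultName` is `$null` and the first `Set-AzKeyVaultSecret` fails with a generic parameter-binding error rather than pointing at the file. A one-line guard after the assignment, `if ([string]::IsNullOrEmpty($keyVaultName)) { throw "Parameter 'name' not found in [$parameterFilePath]" }`, gives a precise failure. The same shape appears in the `@@ -629,7 +633,12 @@` hunk of `.github/workflows/platform.dependencies.yml` in this patch, and the storage-account read in `@@ -152,7 +152,7 @@` (`$storageAccountParameters.name.value`) would benefit from the same check. The enclosing inline scripts continue past these hunks.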
@@ -194,6 +194,8 @@ jobs: job_sa_upload_storage_files: runs-on: ubuntu-20.04 name: 'Upload files to storage account' + env: + namespace: 'Microsoft.Storage\storageAccounts' needs: - job_deploy_sa steps: @@ -214,14 +216,14 @@ jobs: . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') # Get storage account name - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'parameters' 'parameters.json' + $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters # Upload files to storage account $functionInput = @{ ResourceGroupName = '${{ env.defaultResourceGroupName }}' StorageAccountName = $storageAccountParameters.name.value - contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'uploads' + contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads' targetContainer = $storageAccountParameters.blobServices.value.containers[0].name } @@ -610,6 +612,8 @@ jobs: job_deploy_kv_secrets: runs-on: ubuntu-20.04 name: 'Set key vault secrets keys and certificates' + env: + namespace: 'Microsoft.KeyVault\vaults' needs: - job_deploy_kv steps: 
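Review bot: `namespace: 'Microsoft.Storage\storageAccounts'` introduces a backslash where the literal it replaces in the `@@ -214,14 +216,14 @@` hunk, `'Microsoft.Storage/storageAccounts'`, used a forward slash, and the job declares `runs-on: ubuntu-20.04`. On Linux a backslash is not a directory separator, so the `Join-Path` that now interpolates `${{ env.namespace }}` resolves correctly only if the PowerShell file-system provider normalises it; `namespace: 'Microsoft.Storage/storageAccounts'` avoids relying on that. The same applies to `namespace: 'Microsoft.KeyVault\vaults'` in the `@@ -610,6 +612,8 @@` hunk of this file. The `job_sa_upload_storage_files` job body continues outside the hunk.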
@@ -629,7 +633,12 @@ jobs: $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length $passwordString = (New-Guid).Guid.SubString(0,19) $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - $keyVaultName = 'adp-sxx-az-kv-x-001' + + # Get key vault name + $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' + $keyVaultParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + $keyVaultName = $keyVaultParameters.name.value + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force From 8a5e9db38ff8822108577023a3f0d32eb4c1bf05 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Wed, 5 Jan 2022 13:49:07 +0100 Subject: [PATCH 39/72] Updated dependency pipeline --- .../platform.dependencies.yml | 61 ++++++++++++------- 1 file changed, 40 insertions(+), 21 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index d4f22b2c24..7b9ecda06a 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
@@ -405,34 +405,53 @@ stages:
 azureSubscription: $(serviceConnection)
 ScriptType: 'InlineScript'
 Inline: |
- $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length
- $passwordString = (New-Guid).Guid.SubString(0,19)
- $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32)
-
 # Get key vault name
 $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json'
- $keyVaultParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters
+ $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters
 $keyVaultName = $keyVaultParameters.name.value
+ # Prepare
+ $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length
 $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force
+ $passwordString = (New-Guid).Guid.SubString(0, 19)
 $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force
+ $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32)
 $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force
- # VirtualMachines and VMSS
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password
- # Azure SQLServer
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password
- # VirtualNetworkGateway
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey
- # DiskEncryptionSet, VirtualMachines and VMSS
- az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey'
- # ApplicationGateway
- $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal
- Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy
- # API management
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password
+
+ # Secrets
+ # -------
+ @(
+ @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS
+ @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS
+ @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer
+ @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer
+ @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway
+ @{ name = 'apimclientid'; secretValue = $username } # API management
+ @{ name = 'apimclientsecret'; secretValue = $password } # API management
+ ) | ForEach-Object {
+ $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
+ Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+
+ # Certificats
+ # -----------
+ $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal
+ @(
+ @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway
+ ) | ForEach-Object {
+ $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy
+ Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+
+ # Keys
+ # ----
+ @(
+ @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS
+ ) | ForEach-Object {
+ $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
+ Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+
 azurePowerShellVersion: 'LatestVersion'
 pwsh: true
 dependsOn:
From d6eb69cfad0d80aee04e349d878fb0adf00ac75e Mon Sep 17 00:00:00 2001 From: MrMCake Date: Wed, 5 Jan 2022 15:19:33 +0100 Subject: [PATCH 40/72] Update to latest --- docs/wiki/UtilitiesRegisterAzureDevOpsPipeline.md | 2 +- .../tools/{ => AzureDevOps}/Register-AzureDevOpsPipeline.ps1 | 0 ...Set-DevOpsPipelineFiles.ps1 => Set-DevOpsPipelineFile.ps1} | 4 ++-- 3 files changed, 3 insertions(+), 3 deletions(-) rename utilities/tools/{ => AzureDevOps}/Register-AzureDevOpsPipeline.ps1 (100%) rename utilities/tools/AzureDevOps/{Set-DevOpsPipelineFiles.ps1 => Set-DevOpsPipelineFile.ps1} (99%)
diff --git a/docs/wiki/UtilitiesRegisterAzureDevOpsPipeline.md b/docs/wiki/UtilitiesRegisterAzureDevOpsPipeline.md
index 56b3be9820..bc5dfd9f75 100644
--- a/docs/wiki/UtilitiesRegisterAzureDevOpsPipeline.md
+++ b/docs/wiki/UtilitiesRegisterAzureDevOpsPipeline.md
@@ -14,7 +14,7 @@ Use this script to automatically register all specified Azure DevOps pipelines i
 ---
 # Location
-You can find the script under `/utilities/tools/Register-AzureDevOpsPipeline.ps1`
+You can find the script under `/utilities/tools/AzureDevOps/Register-AzureDevOpsPipeline.ps1`
 # How it works
diff --git a/utilities/tools/Register-AzureDevOpsPipeline.ps1 b/utilities/tools/AzureDevOps/Register-AzureDevOpsPipeline.ps1 similarity index 100% rename from utilities/tools/Register-AzureDevOpsPipeline.ps1 rename to utilities/tools/AzureDevOps/Register-AzureDevOpsPipeline.ps1
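Review bot: The `# Prepare` block still derives `$passwordString` from `(New-Guid).Guid.SubString(0, 19)` and `$usernameString` from `Get-Random -SetSeed 1`, so the value stored as `adminPassword`, `administratorLoginPassword` and `apimclientsecret` is 19 characters of lowercase hex and hyphens (about 60 bits, one of them a fixed GUID version digit) and the username is identical on every run. A GUID is an identifier rather than a secret; drawing the value from the CSPRNG, e.g. `$passwordBytes = [byte[]]::new(24); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($passwordBytes)` followed by `$passwordString = [Convert]::ToBase64String($passwordBytes)`, gives 192 bits while still covering the 3-of-4 character-class rules these consumers apply (verify against each consumer's policy). If the seeded username is deliberate so the value is stable across runs, a comment beside `-SetSeed 1` saying so would stop the next reader from treating it as a bug. The same generation lines are added for the SQL MI vault in PATCH 43 (`@@ -483,18 +483,35 @@`), and the `# Certificats` heading here is a typo for `# Certificates`. The task that wraps this `Inline:` script starts before the hunk.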
diff --git a/utilities/tools/AzureDevOps/Set-DevOpsPipelineFiles.ps1 b/utilities/tools/AzureDevOps/Set-DevOpsPipelineFile.ps1 similarity index 99% rename from utilities/tools/AzureDevOps/Set-DevOpsPipelineFiles.ps1 rename to utilities/tools/AzureDevOps/Set-DevOpsPipelineFile.ps1
index 7c59ed44ad..6718e99626 100644
--- a/utilities/tools/AzureDevOps/Set-DevOpsPipelineFiles.ps1
+++ b/utilities/tools/AzureDevOps/Set-DevOpsPipelineFile.ps1
@@ -30,11 +30,11 @@ Optional. The path to the GitHub workflows folder to crawl from Defaults to: '.github/workflows' .EXAMPLE
-Set-DevOpsPipelineFiles
+Set-DevOpsPipelineFile
 Generate all Azure DevOps pipeline files in the default DevOps pipeline folder based on the workflows files in the default workflows folder based on the provided default template #>
-function Set-DevOpsPipelineFiles {
+function Set-DevOpsPipelineFile {
 [CmdletBinding(SupportsShouldProcess)]
From 07ea4d1dade74647843a8f1df783a25618f50f26 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Wed, 5 Jan 2022 21:50:13 +0100 Subject: [PATCH 41/72] Update to latest --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 7b9ecda06a..b96d078a6f 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -192,7 +192,7 @@ stages:
 - stage: deploy_ag
 displayName: Deploy action groups
 variables:
- resourceType: 'Microsoft.Compute/galleries'
+ resourceType: 'Microsoft.Insights/actionGroups'
 templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
 jobs:
 - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
From a85a541bd34cec1c36e1f1c35c6cda5f93356cd8 Mon Sep 17 00:00:00 2001
From: MrMCake Date: Wed, 5 Jan 2022 22:07:58 +0100 Subject: [PATCH 42/72] Update to latest --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index b96d078a6f..aa3cd7b30c 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -376,7 +376,7 @@ stages:
 templateFilePath: $(templateFilePath)
 displayName: Private Endpoint Key Vault
 - ${{ if eq( parameters.deploySqlMiDependencies, true) }}:
- - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json
 templateFilePath: $(templateFilePath)
 displayName: SQLMI key vault
 jobName: sqlmi_kv
From 6c85089146eb3e7ed20bce47132b6054f549ab46 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Thu, 6 Jan 2022 18:26:22 +0100 Subject: [PATCH 43/72] Improved SQLMI kvlt secret deployment + aligned gh to ado implementation + butchered gh dependency pipeline for testing --- .../platform.dependencies.yml | 37 +- .github/workflows/platform.dependencies.yml | 1557 +++++++++-------- .../virtualMachines/deploy.bicep | 6 +- 3 files changed, 826 insertions(+), 774 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index aa3cd7b30c..b472fd1a28 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -483,18 +483,35 @@ stages:
 azureSubscription: $(serviceConnection)
 ScriptType: 'InlineScript'
 Inline: |
- $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length
- $passwordString = (New-Guid).Guid.SubString(0,19)
- $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32)
- $keyVaultName = 'adp-sxx-az-kv-x-sqlmi'
+ # Get key vault name
+ $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'sqlmi.parameters.json'
+ $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters
+ $keyVaultName = $keyVaultParameters.name.value
+
+ # Prepare
+ $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length
 $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force
+ $passwordString = (New-Guid).Guid.SubString(0, 19)
 $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force
- $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force
- # SQLManagedInstances secrets
- $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username
- $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password
- # SQLManagedInstances Keys
- $null = az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi'
+
+ # Secrets
+ # -------
+ @(
+ @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances
+ @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances
+ ) | ForEach-Object {
+ $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
+ Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+
+ # Keys
+ # ----
+ @(
+ @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances
+ ) | ForEach-Object {
+ $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
+ Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
 azurePowerShellVersion: 'LatestVersion'
 pwsh: true
 dependsOn:
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 9cefe351f1..f7fc2d0604 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
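Review bot: The SQL MI parameter file name is now spelled out twice in this pipeline: `'sqlmi.parameters.json'` in the `Join-Path` call of this hunk and in the `- path:` entry that PATCH 42 (`@@ -376,7 +376,7 @@`) added for the deployment stage, so a rename in one place leaves the secrets stage reading a different file from the one that was deployed. A stage-level variable such as `sqlMiParameterFile: 'sqlmi.parameters.json'` referenced from both places keeps them in step. The task that wraps this `Inline:` script starts before the hunk.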
@@ -30,565 +30,565 @@ env: DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: - job_deploy_rg: - runs-on: ubuntu-20.04 - name: 'Deploy resource group' - env: - namespace: 'Microsoft.Resources\resourceGroups' - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['validation.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_msi: - runs-on: ubuntu-20.04 - name: 'Deploy user assigned identity' - env: - namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_pa: - runs-on: ubuntu-20.04 - name: 'Deploy policy assignment' - env: - namespace: 'Microsoft.Authorization\policyAssignments' - needs: - - job_deploy_rg - strategy: - fail-fast: false - 
matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_evh: - runs-on: ubuntu-20.04 - name: 'Deploy eventhub' - env: - namespace: 'Microsoft.EventHub\namespaces' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_law: - runs-on: ubuntu-20.04 - name: 'Deploy log analytics workspace' - env: - namespace: 'Microsoft.OperationalInsights\workspaces' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['appi.parameters.json', 'parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - 
templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sa: - runs-on: ubuntu-20.04 - name: 'Deploy storage account' - env: - namespace: 'Microsoft.Storage\storageAccounts' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: - ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_sa_upload_storage_files: - runs-on: ubuntu-20.04 - name: 'Upload files to storage account' - env: - namespace: 'Microsoft.Storage\storageAccounts' - needs: - - job_deploy_sa - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: Run PowerShell - uses: azure/powershell@v1 - with: - inlineScript: | - # Load used functions - . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # Get storage account name - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' - $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # Upload files to storage account - $functionInput = @{ - ResourceGroupName = '${{ env.defaultResourceGroupName }}' - StorageAccountName = $storageAccountParameters.name.value - contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads' - targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - } - - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - Export-ContentToBlob @functionInput -Verbose - azPSVersion: 'latest' - - job_deploy_sig: - runs-on: ubuntu-20.04 - name: 'Deploy shared image gallery and definition' - env: - namespace: 'Microsoft.Compute\galleries' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_ag: - runs-on: ubuntu-20.04 - name: 'Deploy action groups' - env: - namespace: 'Microsoft.Insights\actionGroups' - needs: - - job_deploy_rg - strategy: - fail-fast: 
false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_asg: - runs-on: ubuntu-20.04 - name: 'Deploy application security groups' - env: - namespace: 'Microsoft.Network\applicationSecurityGroups' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_udr: - runs-on: ubuntu-20.04 - name: 'Deploy route tables' - env: - namespace: 'Microsoft.Network\routeTables' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ 
env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_udr: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi route tables' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.Network\routeTables' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlMi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_nsg: - runs-on: ubuntu-20.04 - name: 'Deploy network security groups' - env: - namespace: 'Microsoft.Network\networkSecurityGroups' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: - [ - 'apgw.parameters.json', - 'ase.parameters.json', - 'bastion.parameters.json', - 'parameters.json', - ] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath 
}}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_nsg: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi network security group' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.Network\networkSecurityGroups' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_pip: - runs-on: ubuntu-20.04 - name: 'Deploy public IP addresses' - env: - namespace: 'Microsoft.Network\publicIPAddresses' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: - ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths 
}}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_appi: - runs-on: ubuntu-20.04 - name: 'Deploy application insight' - env: - namespace: 'Microsoft.Insights\components' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_aut: - runs-on: ubuntu-20.04 - name: 'Deploy automation account' - env: - namespace: 'Microsoft.Automation\automationAccounts' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ 
secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_avdhp: - runs-on: ubuntu-20.04 - name: 'Deploy AVD host pool' - env: - namespace: 'Microsoft.DesktopVirtualization\hostpools' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_rsv: - runs-on: ubuntu-20.04 - name: 'Deploy recovery services vault' - env: - namespace: 'Microsoft.RecoveryServices\vaults' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # job_deploy_rg: + # runs-on: ubuntu-20.04 + # name: 'Deploy resource group' + # env: + # namespace: 
'Microsoft.Resources\resourceGroups' + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['validation.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_msi: + # runs-on: ubuntu-20.04 + # name: 'Deploy user assigned identity' + # env: + # namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_pa: + # runs-on: ubuntu-20.04 + # name: 'Deploy policy assignment' + # env: + # namespace: 'Microsoft.Authorization\policyAssignments' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # 
- name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_evh: + # runs-on: ubuntu-20.04 + # name: 'Deploy eventhub' + # env: + # namespace: 'Microsoft.EventHub\namespaces' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_law: + # runs-on: ubuntu-20.04 + # name: 'Deploy log analytics workspace' + # env: + # namespace: 'Microsoft.OperationalInsights\workspaces' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['appi.parameters.json', 'parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: 
./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sa: + # runs-on: ubuntu-20.04 + # name: 'Deploy storage account' + # env: + # namespace: 'Microsoft.Storage\storageAccounts' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_sa_upload_storage_files: + # runs-on: ubuntu-20.04 + # name: 'Upload files to storage account' + # env: + # namespace: 'Microsoft.Storage\storageAccounts' + # needs: + # - job_deploy_sa + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: Azure Login + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_CREDENTIALS }} + # enable-AzPSSession: true + # - name: Run PowerShell + # uses: azure/powershell@v1 + # with: + # inlineScript: | + # # Load used functions 
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # # Get storage account name + # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' + # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # # Upload files to storage account + # $functionInput = @{ + # ResourceGroupName = '${{ env.defaultResourceGroupName }}' + # StorageAccountName = $storageAccountParameters.name.value + # contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads' + # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + # } + + # Write-Verbose "Invoke task with" -Verbose + # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + # Export-ContentToBlob @functionInput -Verbose + # azPSVersion: 'latest' + + # job_deploy_sig: + # runs-on: ubuntu-20.04 + # name: 'Deploy shared image gallery and definition' + # env: + # namespace: 'Microsoft.Compute\galleries' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_ag: + # runs-on: ubuntu-20.04 + # name: 'Deploy action groups' + # env: + # 
namespace: 'Microsoft.Insights\actionGroups' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_asg: + # runs-on: ubuntu-20.04 + # name: 'Deploy application security groups' + # env: + # namespace: 'Microsoft.Network\applicationSecurityGroups' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_udr: + # runs-on: ubuntu-20.04 + # name: 'Deploy route tables' + # env: + # namespace: 'Microsoft.Network\routeTables' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # 
steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sqlmi_udr: + # runs-on: ubuntu-20.04 + # name: 'Deploy sqlmi route tables' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # env: + # namespace: 'Microsoft.Network\routeTables' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['sqlMi.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_nsg: + # runs-on: ubuntu-20.04 + # name: 'Deploy network security groups' + # env: + # namespace: 'Microsoft.Network\networkSecurityGroups' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # [ + # 'apgw.parameters.json', + # 'ase.parameters.json', + # 
'bastion.parameters.json', + # 'parameters.json', + # ] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sqlmi_nsg: + # runs-on: ubuntu-20.04 + # name: 'Deploy sqlmi network security group' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # env: + # namespace: 'Microsoft.Network\networkSecurityGroups' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['sqlmi.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_pip: + # runs-on: ubuntu-20.04 + # name: 'Deploy public IP addresses' + # env: + # namespace: 'Microsoft.Network\publicIPAddresses' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + 
# matrix: + # parameterFilePaths: + # ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_appi: + # runs-on: ubuntu-20.04 + # name: 'Deploy application insight' + # env: + # namespace: 'Microsoft.Insights\components' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_aut: + # runs-on: ubuntu-20.04 + # name: 'Deploy automation account' + # env: + # namespace: 'Microsoft.Automation\automationAccounts' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: 
['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_avdhp: + # runs-on: ubuntu-20.04 + # name: 'Deploy AVD host pool' + # env: + # namespace: 'Microsoft.DesktopVirtualization\hostpools' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_rsv: + # runs-on: ubuntu-20.04 + # name: 'Deploy recovery services vault' + # env: + # namespace: 'Microsoft.RecoveryServices\vaults' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + 
# with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
 job_deploy_kv:
 runs-on: ubuntu-20.04
 name: 'Deploy key vaults'
 env:
 namespace: 'Microsoft.KeyVault\vaults'
- needs:
- - job_deploy_sa
- - job_deploy_evh
- - job_deploy_law
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
 strategy:
 fail-fast: false
 matrix:
@@ -630,34 +630,52 @@ jobs:
 uses: azure/powershell@v1
 with:
 inlineScript: |
- $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length
- $passwordString = (New-Guid).Guid.SubString(0,19)
- $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32)
- # Get key vault name
- $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json'
- $keyVaultParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters
+ $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json'
+ $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters
 $keyVaultName = $keyVaultParameters.name.value
+ # Prepare
+ $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length
 $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force
+ $passwordString = (New-Guid).Guid.SubString(0, 19)
 $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force
+ $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32)
 $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force
- # VirtualMachines and VMSS
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password
- # Azure SQLServer
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password
- # VirtualNetworkGateway
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey
- # DiskEncryptionSet, VirtualMachines and VMSS
- 
az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey'
- # ApplicationGateway
- $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal
- Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy
- # API management
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username
- Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password
+
+ # Secrets
+ # -------
+ @(
+ @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS
+ @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS
+ @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer
+ @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer
+ @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway
+ @{ name = 'apimclientid'; secretValue = $username } # API management
+ @{ name = 'apimclientsecret'; secretValue = $password } # API management
+ ) | ForEach-Object {
+ $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
+ Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+
+ # Certificats
+ # -----------
+ $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal
+ @(
+ @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway
+ ) | ForEach-Object {
+ $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy
+ Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+
+ # Keys
+ 
# ----
+ @(
+ @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS
+ ) | ForEach-Object {
+ $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
+ Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
 azPSVersion: 'latest'
 job_deploy_sqlmi_kv:
@@ -666,10 +684,10 @@ jobs:
 if: github.event.inputs.deploySqlMiDependencies == 'true'
 env:
 namespace: 'Microsoft.KeyVault\vaults'
- needs:
- - job_deploy_sa
- - job_deploy_evh
- - job_deploy_law
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
 strategy:
 fail-fast: false
 matrix:
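Review bot: The credentials this step writes to the vault are weaker than they look: `$passwordString = (New-Guid).Guid.SubString(0, 19)` keeps 16 hex digits of which one is the fixed GUID version nibble, so `adminPassword`, `administratorLoginPassword` and `apimclientsecret` carry roughly 60 bits drawn from a GUID generator rather than from a CSPRNG, while `Get-Random -Count 9 -SetSeed 1` makes `adminUsername`, `administratorLogin` and `apimclientid` identical on every run. These look like validation-environment dependencies, so the reduced strength may be acceptable, but the password should come from `System.Security.Cryptography.RandomNumberGenerator` and the fixed seed deserves a comment such as `# seeded on purpose: the username must be stable across re-runs (it is not a secret)`. A CSPRNG-backed replacement is three lines: `$bytes = [byte[]]::new(24)`, `[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)`, `$passwordString = ([Convert]::ToBase64String($bytes) -replace '[+/=]', '-').Substring(0, 19)`, which keeps the mixed-character set the GUID form provided. The `inlineScript` block is complete here, but the enclosing `job_deploy_kv` step list starts before this hunk.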
@@ -710,190 +728,207 @@ jobs: uses: azure/powershell@v1 with: inlineScript: | - $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - $passwordString = (New-Guid).Guid.SubString(0,19) - $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' + # Get key vault name + $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json' + $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + $keyVaultName = $keyVaultParameters.name.value + + # Prepare + $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $passwordString = (New-Guid).Guid.SubString(0, 19) $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # SQLManagedInstances secrets - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # SQLManagedInstances Keys - az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' - azPSVersion: 'latest' - - job_deploy_avdag: - runs-on: ubuntu-20.04 - name: 'Deploy AVD application group' - env: - namespace: 'Microsoft.DesktopVirtualization\applicationgroups' - needs: - - job_deploy_avdhp - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 
'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_rolea: - runs-on: ubuntu-20.04 - name: 'Deploy role assignments' - env: - namespace: 'Microsoft.Authorization\roleAssignments' - needs: - - job_deploy_msi - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_rbac_sub.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_vnet: - runs-on: ubuntu-20.04 - name: 'Deploy virtual networks' - env: - namespace: 'Microsoft.Network\virtualNetworks' - needs: - - job_deploy_nsg - strategy: - fail-fast: false - matrix: - parameterFilePaths: - [ - '1.bastion.parameters.json', - '2.vnetpeer01.parameters.json', - '3.vnetpeer02.parameters.json', - '4.azfw.parameters.json', - '5.aks.parameters.json', - 'parameters.json', - ] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ 
env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - job_deploy_sqlmi_vnet: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi virtual network' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.Network\virtualNetworks' - needs: - - job_deploy_sqlmi_udr - - job_deploy_sqlmi_nsg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['6.sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # Secrets + # ------- + @( + @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances + @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances + ) | ForEach-Object { + $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } - job_deploy_dnszone: - runs-on: ubuntu-20.04 - name: 'Deploy private DNS zones' - env: - namespace: 'Microsoft.Network\privateDnsZones' - needs: - - job_deploy_vnet - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: 
actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # Keys + # ---- + @( + @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances + ) | ForEach-Object { + $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination + Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + azPSVersion: 'latest' - job_deploy_vm: - runs-on: ubuntu-20.04 - name: 'Deploy virtual machines' - env: - namespace: 'Microsoft.Compute\virtualMachines' - needs: - - job_deploy_kv_secrets - - job_deploy_vnet - - job_deploy_rsv - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # job_deploy_avdag: + # runs-on: ubuntu-20.04 + # name: 'Deploy AVD application group' + # env: + # namespace: 'Microsoft.DesktopVirtualization\applicationgroups' + # needs: + # 
- job_deploy_avdhp + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_rolea: + # runs-on: ubuntu-20.04 + # name: 'Deploy role assignments' + # env: + # namespace: 'Microsoft.Authorization\roleAssignments' + # needs: + # - job_deploy_msi + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_rbac_sub.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_vnet: + # runs-on: ubuntu-20.04 + # name: 'Deploy virtual networks' + # env: + # namespace: 'Microsoft.Network\virtualNetworks' + # needs: + # - job_deploy_nsg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # [ + # '1.bastion.parameters.json', + # 
'2.vnetpeer01.parameters.json', + # '3.vnetpeer02.parameters.json', + # '4.azfw.parameters.json', + # '5.aks.parameters.json', + # 'parameters.json', + # ] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sqlmi_vnet: + # runs-on: ubuntu-20.04 + # name: 'Deploy sqlmi virtual network' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # env: + # namespace: 'Microsoft.Network\virtualNetworks' + # needs: + # - job_deploy_sqlmi_udr + # - job_deploy_sqlmi_nsg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['6.sqlmi.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_dnszone: + # runs-on: ubuntu-20.04 + # name: 'Deploy private DNS zones' + # env: + # namespace: 'Microsoft.Network\privateDnsZones' + # needs: + # - 
job_deploy_vnet + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_vm: + # runs-on: ubuntu-20.04 + # name: 'Deploy virtual machines' + # env: + # namespace: 'Microsoft.Compute\virtualMachines' + # needs: + # - job_deploy_kv_secrets + # - job_deploy_vnet + # - job_deploy_rsv + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' diff --git a/arm/Microsoft.Compute/virtualMachines/deploy.bicep b/arm/Microsoft.Compute/virtualMachines/deploy.bicep index ec92b15d66..c0f02350b1 100644 --- a/arm/Microsoft.Compute/virtualMachines/deploy.bicep +++ b/arm/Microsoft.Compute/virtualMachines/deploy.bicep 
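Review bot: `$parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json'` hard-codes the dependencies folder that every `parameterFilePath:` input in this file and the storage-upload script still reach through `${{ env.dependencyPath }}`, so a later change to that variable would silently leave this job reading the old location; `Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json'` keeps the single source of truth. The seeded `Get-Random -SetSeed 1` login and GUID-derived `administratorLoginPassword` repeat the pattern of the main key-vault job, so whatever generator is chosen there should be applied here as well. The commented-out `job_deploy_vm` still lists `job_deploy_kv_secrets` under `needs:`, and no job with that id is visible in this diff; if it does not exist elsewhere in the file the job will fail to resolve once re-enabled. The `job_deploy_sqlmi_kv` step this hunk edits starts before the hunk.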
@@ -580,13 +580,13 @@ module virtualMachine_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, in }] @description('The name of the VM.') -output virtualMachineName string = virtualMachine.name +output name string = virtualMachine.name @description('The Resource ID of the VM.') -output virtualMachineResourceId string = virtualMachine.id +output ResourceId string = virtualMachine.id @description('The name of the Resource Group the VM was created in.') -output virtualMachineResourceGroup string = resourceGroup().name +output ResourceGroup string = resourceGroup().name @description('The principal ID of the system assigned identity.') output systemAssignedPrincipalId string = systemAssignedIdentity ? virtualMachine.identity.principalId : '' From dee4094fc684548a879cf17c829f170b707e9625 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Thu, 6 Jan 2022 18:29:55 +0100 Subject: [PATCH 44/72] Butchered ADO pipeline for testing --- .../platform.dependencies.yml | 865 +++++++++--------- 1 file changed, 432 insertions(+), 433 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index b472fd1a28..2721511a8c 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
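Review bot: The renamed outputs mix casing: `name` and the untouched `systemAssignedPrincipalId` are camelCase while the new `ResourceId` and `ResourceGroup` are PascalCase, so consumers of this module now have to remember two conventions for one set of outputs. Unless the capitalisation is deliberate (in which case a one-line comment above the outputs should say why), `output resourceId string = virtualMachine.id` and `output resourceGroup string = resourceGroup().name` would match the rest of the file. Renaming outputs is also a breaking change for anything that reads `virtualMachineName`, `virtualMachineResourceId` or `virtualMachineResourceGroup` from this module's deployment result; those consumers are not visible from here, so the dependency parameter files and pipeline templates are worth checking before this lands.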
@@ -28,336 +28,336 @@ variables: value: 'validation-rg' stages: - - stage: deploy_rg - displayName: Deploy resource group - variables: - resourceType: 'Microsoft.Resources/resourceGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json - templateFilePath: $(templateFilePath) - displayName: Validation Resource Group - - - stage: deploy_msi - displayName: Deploy user assigned identity - variables: - resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: User Assigned Identity - dependsOn: - - deploy_rg - - - stage: deploy_pa - displayName: Deploy policy assignment - variables: - resourceType: 'Microsoft.Authorization/policyAssignments' - templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Policy assignment - dependsOn: - - deploy_rg - - - stage: deploy_evh - displayName: Deploy event hub - variables: - resourceType: 'Microsoft.EventHub/namespaces' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: EventHub - dependsOn: - - deploy_rg - - - 
stage: deploy_law - displayName: Deploy log analytics workspace - variables: - resourceType: 'Microsoft.OperationalInsights/workspaces' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default LAW - - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json - templateFilePath: $(templateFilePath) - displayName: AppInsights LAW - dependsOn: - - deploy_rg - - - stage: deploy_sa - displayName: Deploy storage account - variables: - resourceType: 'Microsoft.Storage/storageAccounts' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default storage account - jobName: default_sa - - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json - templateFilePath: $(templateFilePath) - displayName: LAW storage account - - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json - templateFilePath: $(templateFilePath) - displayName: FunctionApp storage account - - job: - displayName: Upload files to storage account - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: PowerShell@2 - displayName: 'Setup agent' - inputs: - targetType: inline - pwsh: true - script: | - # Load used functions - . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Set agent up - Set-EnvironmentOnAgent - - task: AzurePowerShell@5 - displayName: Upload files to storage account - inputs: - azureSubscription: $(serviceConnection) - ScriptType: 'InlineScript' - Inline: | - # Load used functions - . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # Get storage account name - $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' - $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # Upload files to storage account - $functionInput = @{ - ResourceGroupName = '$(defaultResourceGroupName)' - StorageAccountName = $storageAccountParameters.name.value - contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' - targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - } - - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - Export-ContentToBlob @functionInput -Verbose - azurePowerShellVersion: 'LatestVersion' - pwsh: true - dependsOn: - - default_sa - dependsOn: - - deploy_rg - - - stage: deploy_sig - displayName: Deploy shared image gallery and definition - variables: - resourceType: 'Microsoft.Compute/galleries' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default SIG and SID - dependsOn: - - deploy_rg - - - stage: deploy_ag - displayName: Deploy action groups - variables: - resourceType: 'Microsoft.Insights/actionGroups' - 
templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Action Group - dependsOn: - - deploy_rg - - - stage: deploy_asg - displayName: Deploy application security groups - variables: - resourceType: 'Microsoft.Network/applicationSecurityGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Security Groups - dependsOn: - - deploy_rg - - - stage: deploy_udr - displayName: Deploy route tables - variables: - resourceType: 'Microsoft.Network/routeTables' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default User Defined Routes - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI User Defined Routes - dependsOn: - - deploy_rg - - - stage: deploy_nsg - displayName: Deploy network security groups - variables: - resourceType: 'Microsoft.Network/networkSecurityGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: 
Default NSG - - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - templateFilePath: $(templateFilePath) - displayName: App Gateway NSG - - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json - templateFilePath: $(templateFilePath) - displayName: ASE NSG - - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion NSG - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI NSG - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_pip - displayName: Deploy public IP addresses - variables: - resourceType: 'Microsoft.Network\publicIPAddresses' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - templateFilePath: $(templateFilePath) - displayName: App Gateway Public IP - - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Public IP - - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json - templateFilePath: $(templateFilePath) - displayName: Load balancer Public IP - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_appi - displayName: Deploy application insight - variables: - resourceType: 'Microsoft.Insights/components' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Insights - dependsOn: - - 
deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_aut - displayName: Deploy automation account - variables: - resourceType: 'Microsoft.Automation/automationAccounts' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Automation Account - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_avdhp - displayName: Deploy AVD host pool - variables: - resourceType: 'Microsoft.DesktopVirtualization/hostpools' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default AVD Host Pool - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_rsv - displayName: Deploy recovery services vault - variables: - resourceType: 'Microsoft.RecoveryServices/vaults' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default recovery services vault - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law + # - stage: deploy_rg + # displayName: Deploy resource group + # variables: + # resourceType: 'Microsoft.Resources/resourceGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: 
$(dependencyPath)/$(resourceType)/parameters/validation.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Validation Resource Group + + # - stage: deploy_msi + # displayName: Deploy user assigned identity + # variables: + # resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: User Assigned Identity + # dependsOn: + # - deploy_rg + + # - stage: deploy_pa + # displayName: Deploy policy assignment + # variables: + # resourceType: 'Microsoft.Authorization/policyAssignments' + # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Policy assignment + # dependsOn: + # - deploy_rg + + # - stage: deploy_evh + # displayName: Deploy event hub + # variables: + # resourceType: 'Microsoft.EventHub/namespaces' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: EventHub + # dependsOn: + # - deploy_rg + + # - stage: deploy_law + # displayName: Deploy log analytics workspace + # variables: + # resourceType: 'Microsoft.OperationalInsights/workspaces' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default LAW + # - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: AppInsights LAW + # dependsOn: + # - deploy_rg + + # - stage: deploy_sa + # displayName: Deploy storage account + # variables: + # resourceType: 'Microsoft.Storage/storageAccounts' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default storage account + # jobName: default_sa + # - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: LAW storage account + # - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: FunctionApp storage account + # - job: + # displayName: Upload files to storage account + # pool: + # ${{ if eq(variables['vmImage'], '') }}: + # name: $(poolName) + # ${{ if eq(variables['poolName'], '') }}: + # vmImage: $(vmImage) + # steps: + # - task: PowerShell@2 + # displayName: 'Setup agent' + # inputs: + # targetType: inline + # pwsh: true + # script: | + # # Load used functions + # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Set agent up + # Set-EnvironmentOnAgent + # - task: AzurePowerShell@5 + # displayName: Upload files to storage account + # inputs: + # azureSubscription: $(serviceConnection) + # ScriptType: 'InlineScript' + # Inline: | + # # Load used functions + # . 
(Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # # Get storage account name + # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' + # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # # Upload files to storage account + # $functionInput = @{ + # ResourceGroupName = '$(defaultResourceGroupName)' + # StorageAccountName = $storageAccountParameters.name.value + # contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' + # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + # } + + # Write-Verbose "Invoke task with" -Verbose + # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + # Export-ContentToBlob @functionInput -Verbose + # azurePowerShellVersion: 'LatestVersion' + # pwsh: true + # dependsOn: + # - default_sa + # dependsOn: + # - deploy_rg + + # - stage: deploy_sig + # displayName: Deploy shared image gallery and definition + # variables: + # resourceType: 'Microsoft.Compute/galleries' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default SIG and SID + # dependsOn: + # - deploy_rg + + # - stage: deploy_ag + # displayName: Deploy action groups + # variables: + # resourceType: 'Microsoft.Insights/actionGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: 
$(templateFilePath) + # displayName: Default Action Group + # dependsOn: + # - deploy_rg + + # - stage: deploy_asg + # displayName: Deploy application security groups + # variables: + # resourceType: 'Microsoft.Network/applicationSecurityGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Security Groups + # dependsOn: + # - deploy_rg + + # - stage: deploy_udr + # displayName: Deploy route tables + # variables: + # resourceType: 'Microsoft.Network/routeTables' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default User Defined Routes + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI User Defined Routes + # dependsOn: + # - deploy_rg + + # - stage: deploy_nsg + # displayName: Deploy network security groups + # variables: + # resourceType: 'Microsoft.Network/networkSecurityGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default NSG + # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: App Gateway NSG + # - 
path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: ASE NSG + # - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion NSG + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI NSG + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_pip + # displayName: Deploy public IP addresses + # variables: + # resourceType: 'Microsoft.Network\publicIPAddresses' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: App Gateway Public IP + # - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion Public IP + # - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Load balancer Public IP + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_appi + # displayName: Deploy application insight + # variables: + # resourceType: 'Microsoft.Insights/components' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Insights + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: 
deploy_aut + # displayName: Deploy automation account + # variables: + # resourceType: 'Microsoft.Automation/automationAccounts' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Automation Account + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_avdhp + # displayName: Deploy AVD host pool + # variables: + # resourceType: 'Microsoft.DesktopVirtualization/hostpools' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default AVD Host Pool + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_rsv + # displayName: Deploy recovery services vault + # variables: + # resourceType: 'Microsoft.RecoveryServices/vaults' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default recovery services vault + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law - stage: deploy_kv displayName: Deploy key vaults @@ -451,7 +451,6 @@ stages: $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose } - azurePowerShellVersion: 'LatestVersion' pwsh: true dependsOn: 
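Review bot: Disabling roughly 300 lines of stages by commenting them out leaves no record in the file of why `deploy_rg` through `deploy_rsv` are off and makes restoring them an all-or-nothing uncomment; the file already gates blocks on `parameters.deploySqlMiDependencies` with `${{ if ... }}`, so the same compile-time conditional insertion on a dedicated parameter would give this testing mode an explicit, reviewable switch instead. That matters most for the subscription-scope policy and role-assignment stages (`deploy_pa` here, `deploy_rolea` in the hunk at `@@ -516,105 +515,105 @@`), where a partial or accidental uncomment re-enables privileged deployments without any run-time parameter saying so. At minimum a leading comment such as `# TEMP: stages below disabled while testing deploy_kv; restore before merge` at the top of the commented block would tell the next reader what state the pipeline is in. The same point applies to the later hunk at `@@ -516,105 +515,105 @@` and to the GitHub workflow hunk that comments out `job_deploy_kv`. The `deploy_kv` stage that stays active begins at the end of this hunk and continues past it.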
@@ -516,105 +515,105 @@ stages: pwsh: true dependsOn: - sqlmi_kv - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - - - stage: deploy_avdag - displayName: Deploy AVD application group - variables: - resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Group - dependsOn: - - deploy_avdhp - - - stage: deploy_rolea - displayName: Deploy role assignments - variables: - resourceType: 'Microsoft.Authorization\roleAssignments' - templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: MSI Role Assignment - dependsOn: - - deploy_msi - - - stage: deploy_vnet - displayName: Deploy virtual networks - variables: - resourceType: 'Microsoft.Network/virtualNetworks' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json - templateFilePath: $(templateFilePath) - displayName: VNET PEering 1 Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json 
- templateFilePath: $(templateFilePath) - displayName: VNET Peering 2 Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json - templateFilePath: $(templateFilePath) - displayName: Azure Firewall Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json - templateFilePath: $(templateFilePath) - displayName: AKS Virtual Network - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQL MI Virtual Network - dependsOn: - - deploy_nsg - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - deploy_udr - - - stage: deploy_dnszone - displayName: Deploy private DNS zones - variables: - resourceType: 'Microsoft.Network/privateDnsZones' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Private DNS Zones - dependsOn: - - deploy_vnet - - - stage: deploy_vm - displayName: Deploy virtual machines - variables: - resourceType: 'Microsoft.Compute/virtualMachines' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Virtual Machine - dependsOn: - - deploy_vnet - - deploy_rsv - - deploy_kv + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + + # - stage: deploy_avdag + # displayName: Deploy AVD application group + # variables: + # resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' + # templateFilePath: 
$(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Group + # dependsOn: + # - deploy_avdhp + + # - stage: deploy_rolea + # displayName: Deploy role assignments + # variables: + # resourceType: 'Microsoft.Authorization\roleAssignments' + # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: MSI Role Assignment + # dependsOn: + # - deploy_msi + + # - stage: deploy_vnet + # displayName: Deploy virtual networks + # variables: + # resourceType: 'Microsoft.Network/virtualNetworks' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: VNET PEering 1 Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: VNET Peering 2 Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json + # templateFilePath: 
$(templateFilePath) + # displayName: Azure Firewall Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: AKS Virtual Network + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQL MI Virtual Network + # dependsOn: + # - deploy_nsg + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - deploy_udr + + # - stage: deploy_dnszone + # displayName: Deploy private DNS zones + # variables: + # resourceType: 'Microsoft.Network/privateDnsZones' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Private DNS Zones + # dependsOn: + # - deploy_vnet + + # - stage: deploy_vm + # displayName: Deploy virtual machines + # variables: + # resourceType: 'Microsoft.Compute/virtualMachines' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Virtual Machine + # dependsOn: + # - deploy_vnet + # - deploy_rsv + # - deploy_kv From 0ac7171a3ea47690ec0cbc7dcfbf96cbf056e77d Mon Sep 17 00:00:00 2001 From: MrMCake Date: Thu, 6 Jan 2022 18:38:51 +0100 Subject: [PATCH 45/72] Update to latest --- .../platform.dependencies.yml | 40 ++++++++++--------- 1 file changed, 21 insertions(+), 19 deletions(-) 
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 2721511a8c..11e6c96c0d 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -365,23 +365,25 @@ stages: resourceType: 'Microsoft.KeyVault/vaults' templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Key Vault - jobName: default_kv - - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json - templateFilePath: $(templateFilePath) - displayName: Private Endpoint Key Vault - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI key vault - jobName: sqlmi_kv + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Key Vault + # jobName: default_kv + # - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Private Endpoint Key Vault + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI key vault + # jobName: sqlmi_kv - job: displayName: Set key vault secrets keys and certificates + # dependsOn: + # - default_kv pool: ${{ if eq(variables['vmImage'], '') }}: name: $(poolName) 
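Review bot: With the template jobs commented out, `Set key vault secrets keys and certificates` no longer has any active `dependsOn` (the live one is removed in the hunk at `@@ -453,12 +455,13 @@`, and the sqlmi job's `sqlmi_kv` dependency likewise in `@@ -513,8 +516,7 @@`), so nothing in the stage now states that the vault this job writes secrets, keys and certificates into must already exist. That is presumably the intent for the testing mode, but a reader cannot tell from the file; a comment above the job such as `# Assumes the key vault from parameters.json already exists; the template job above is disabled for testing` would record it. Keeping the disabled `dependsOn` as a comment inside the job is a reasonable way to preserve the wiring, but when the template job is restored the `jobName: default_kv` anchor has to come back with it or the dependency will point at a job that does not exist. The job body continues past the end of this hunk.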
@@ -453,12 +455,13 @@ stages: } azurePowerShellVersion: 'LatestVersion' pwsh: true - dependsOn: - - default_kv + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - job: displayName: Set sqlmi key vault secrets and keys condition: eq(${{ parameters.deploySqlMiDependencies }}, true) + # dependsOn: + # - sqlmi_kv pool: ${{ if eq(variables['vmImage'], '') }}: name: $(poolName) @@ -513,8 +516,7 @@ stages: } azurePowerShellVersion: 'LatestVersion' pwsh: true - dependsOn: - - sqlmi_kv + # dependsOn: # - deploy_sa # - deploy_evh From 5bc8be8b132c766053899be45f7298b23571ba23 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Thu, 6 Jan 2022 18:44:53 +0100 Subject: [PATCH 46/72] Further refactored gh pipeline --- .github/workflows/platform.dependencies.yml | 122 ++++++++++---------- 1 file changed, 61 insertions(+), 61 deletions(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index f7fc2d0604..b23e80a880 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml 
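Review bot: The sqlmi job is now nested under `- ${{ if eq( parameters.deploySqlMiDependencies, true) }}:` yet still carries `condition: eq(${{ parameters.deploySqlMiDependencies }}, true)`; the template expression removes the job at compile time when the parameter is false, so the runtime condition can only ever evaluate to true and is redundant. Keeping one mechanism — the compile-time `if`, which matches how the sqlmi deployment block is gated in the `deploymentBlocks` list — and dropping the `condition:` line avoids two places that must be kept in sync. The same pairing survives in patch 48's hunk at `@@ -460,8 +464,8 @@`. The job's steps continue outside the hunk.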
@@ -580,42 +580,42 @@ jobs: # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' # removeDeployment: '${{ env.removeDeployment }}' - job_deploy_kv: - runs-on: ubuntu-20.04 - name: 'Deploy key vaults' - env: - namespace: 'Microsoft.KeyVault\vaults' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json', 'pe.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # job_deploy_kv: + # runs-on: ubuntu-20.04 + # name: 'Deploy key vaults' + # env: + # namespace: 'Microsoft.KeyVault\vaults' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json', 'pe.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' 
job_deploy_kv_secrets: runs-on: ubuntu-20.04 name: 'Set key vault secrets keys and certificates' env: namespace: 'Microsoft.KeyVault\vaults' - needs: - - job_deploy_kv + # needs: + # - job_deploy_kv steps: - name: 'Checkout' uses: actions/checkout@v2 
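Review bot: Commenting out the whole `job_deploy_kv` block with a uniform `# ` prefix erases the fact that its `needs:` list (`job_deploy_sa`, `job_deploy_evh`, `job_deploy_law`) was already commented out before this change; as printed, those four lines now carry the same single comment level as the rest, so restoring the job by stripping one level of `#` will silently activate the `needs` that were previously disabled. If that is not intended, keep the nested disablement visible, e.g. `# # needs:` for those lines, or add `# NOTE: the needs list below was already disabled before this job was commented out`. The same applies to `job_deploy_sqlmi_kv` in the hunk at `@@ -678,42 +678,42 @@`. With `# needs: # - job_deploy_kv` on `job_deploy_kv_secrets`, the secrets job now runs without any vault deployment in this workflow; a comment stating that the vault is assumed to pre-exist would help the next reader.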
@@ -678,42 +678,42 @@ jobs: } azPSVersion: 'latest' - job_deploy_sqlmi_kv: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi key vault' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.KeyVault\vaults' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # job_deploy_sqlmi_kv: + # runs-on: ubuntu-20.04 + # name: 'Deploy sqlmi key vault' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # env: + # namespace: 'Microsoft.KeyVault\vaults' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['sqlmi.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: 
'${{ env.removeDeployment }}' job_deploy_sqlmi_kv_secrets: runs-on: ubuntu-20.04 name: 'Set sqlmi key vault secrets and keys' if: github.event.inputs.deploySqlMiDependencies == 'true' - needs: - - job_deploy_sqlmi_kv + # needs: + # - job_deploy_sqlmi_kv steps: - name: 'Checkout' uses: actions/checkout@v2 From c7e1b94da230e908e863505788e48b5e904d9661 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Thu, 6 Jan 2022 18:48:31 +0100 Subject: [PATCH 47/72] Update to latest --- .github/workflows/platform.dependencies.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index b23e80a880..5bc3b344b7 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -714,6 +714,8 @@ jobs: if: github.event.inputs.deploySqlMiDependencies == 'true' # needs: # - job_deploy_sqlmi_kv + env: + namespace: 'Microsoft.KeyVault\vaults' steps: - name: 'Checkout' uses: actions/checkout@v2 From ab85d70f534750cc67222a99158b37f722124493 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Thu, 6 Jan 2022 19:14:07 +0100 Subject: [PATCH 48/72] Re-enable full ADO dependency pipeline --- .../platform.dependencies.yml | 901 +++++++++--------- 1 file changed, 450 insertions(+), 451 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 11e6c96c0d..8304d74868 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
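Review bot: `namespace: 'Microsoft.KeyVault\vaults'` is added as an `env` value on a job that runs on `ubuntu-20.04`; on a Linux runner a backslash inside a path segment is a literal character, so if the steps (outside the hunk) splice `env.namespace` into a path the way the disabled deploy jobs do (`'${{ env.dependencyPath }}/${{ env.namespace }}/parameters/…'`), the resulting path will not resolve unless the consuming script normalizes separators. The value mirrors the existing `job_deploy_kv_secrets` env, so this may already be handled downstream; if it is not, `namespace: 'Microsoft.KeyVault/vaults'` is the safer form. The job's steps continue outside the hunk.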
@@ -28,362 +28,366 @@ variables: value: 'validation-rg' stages: - # - stage: deploy_rg - # displayName: Deploy resource group - # variables: - # resourceType: 'Microsoft.Resources/resourceGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Validation Resource Group - - # - stage: deploy_msi - # displayName: Deploy user assigned identity - # variables: - # resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: User Assigned Identity - # dependsOn: - # - deploy_rg - - # - stage: deploy_pa - # displayName: Deploy policy assignment - # variables: - # resourceType: 'Microsoft.Authorization/policyAssignments' - # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Policy assignment - # dependsOn: - # - deploy_rg - - # - stage: deploy_evh - # displayName: Deploy event hub - # variables: - # resourceType: 'Microsoft.EventHub/namespaces' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json 
- # templateFilePath: $(templateFilePath) - # displayName: EventHub - # dependsOn: - # - deploy_rg - - # - stage: deploy_law - # displayName: Deploy log analytics workspace - # variables: - # resourceType: 'Microsoft.OperationalInsights/workspaces' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default LAW - # - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: AppInsights LAW - # dependsOn: - # - deploy_rg - - # - stage: deploy_sa - # displayName: Deploy storage account - # variables: - # resourceType: 'Microsoft.Storage/storageAccounts' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default storage account - # jobName: default_sa - # - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: LAW storage account - # - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: FunctionApp storage account - # - job: - # displayName: Upload files to storage account - # pool: - # ${{ if eq(variables['vmImage'], '') }}: - # name: $(poolName) - # ${{ if eq(variables['poolName'], '') }}: - # vmImage: $(vmImage) - # steps: - # - task: PowerShell@2 - # displayName: 'Setup agent' - # inputs: - # targetType: inline - # pwsh: true - # script: | - # # Load used functions - # . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Set agent up - # Set-EnvironmentOnAgent - # - task: AzurePowerShell@5 - # displayName: Upload files to storage account - # inputs: - # azureSubscription: $(serviceConnection) - # ScriptType: 'InlineScript' - # Inline: | - # # Load used functions - # . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # # Get storage account name - # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' - # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # # Upload files to storage account - # $functionInput = @{ - # ResourceGroupName = '$(defaultResourceGroupName)' - # StorageAccountName = $storageAccountParameters.name.value - # contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' - # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - # } - - # Write-Verbose "Invoke task with" -Verbose - # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - # Export-ContentToBlob @functionInput -Verbose - # azurePowerShellVersion: 'LatestVersion' - # pwsh: true - # dependsOn: - # - default_sa - # dependsOn: - # - deploy_rg - - # - stage: deploy_sig - # displayName: Deploy shared image gallery and definition - # variables: - # resourceType: 'Microsoft.Compute/galleries' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default SIG and SID - # dependsOn: - # - deploy_rg - - # - stage: deploy_ag - # displayName: Deploy 
action groups - # variables: - # resourceType: 'Microsoft.Insights/actionGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Action Group - # dependsOn: - # - deploy_rg - - # - stage: deploy_asg - # displayName: Deploy application security groups - # variables: - # resourceType: 'Microsoft.Network/applicationSecurityGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Security Groups - # dependsOn: - # - deploy_rg - - # - stage: deploy_udr - # displayName: Deploy route tables - # variables: - # resourceType: 'Microsoft.Network/routeTables' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default User Defined Routes - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI User Defined Routes - # dependsOn: - # - deploy_rg - - # - stage: deploy_nsg - # displayName: Deploy network security groups - # variables: - # resourceType: 'Microsoft.Network/networkSecurityGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: App Gateway NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: ASE NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion NSG - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI NSG - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_pip - # displayName: Deploy public IP addresses - # variables: - # resourceType: 'Microsoft.Network\publicIPAddresses' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: App Gateway Public IP - # - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion Public IP - # - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Load balancer Public IP - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_appi - # displayName: Deploy application insight - # variables: - # resourceType: 'Microsoft.Insights/components' - # templateFilePath: 
$(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Insights - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_aut - # displayName: Deploy automation account - # variables: - # resourceType: 'Microsoft.Automation/automationAccounts' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Automation Account - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_avdhp - # displayName: Deploy AVD host pool - # variables: - # resourceType: 'Microsoft.DesktopVirtualization/hostpools' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default AVD Host Pool - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - - # - stage: deploy_rsv - # displayName: Deploy recovery services vault - # variables: - # resourceType: 'Microsoft.RecoveryServices/vaults' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default recovery services vault - # dependsOn: - # 
- deploy_sa - # - deploy_evh - # - deploy_law + - stage: deploy_rg + displayName: Deploy resource group + variables: + resourceType: 'Microsoft.Resources/resourceGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json + templateFilePath: $(templateFilePath) + displayName: Validation Resource Group + + - stage: deploy_msi + displayName: Deploy user assigned identity + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: User Assigned Identity + + - stage: deploy_pa + displayName: Deploy policy assignment + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Authorization/policyAssignments' + templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Policy assignment + + - stage: deploy_evh + displayName: Deploy event hub + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.EventHub/namespaces' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: EventHub + + - stage: deploy_law + 
displayName: Deploy log analytics workspace + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.OperationalInsights/workspaces' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default LAW + - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json + templateFilePath: $(templateFilePath) + displayName: AppInsights LAW + + - stage: deploy_sa + displayName: Deploy storage account + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Storage/storageAccounts' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default storage account + jobName: default_sa + - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json + templateFilePath: $(templateFilePath) + displayName: LAW storage account + - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json + templateFilePath: $(templateFilePath) + displayName: FunctionApp storage account + - job: + displayName: Upload files to storage account + dependsOn: + - default_sa + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Set agent up + Set-EnvironmentOnAgent + - task: AzurePowerShell@5 + displayName: Upload files to storage account + inputs: + azureSubscription: $(serviceConnection) + ScriptType: 'InlineScript' + Inline: | + # Load used functions + . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # Get storage account name + $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' + $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # Upload files to storage account + $functionInput = @{ + ResourceGroupName = '$(defaultResourceGroupName)' + StorageAccountName = $storageAccountParameters.name.value + contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' + targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + } + + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + Export-ContentToBlob @functionInput -Verbose + azurePowerShellVersion: 'LatestVersion' + pwsh: true + + - stage: deploy_sig + displayName: Deploy shared image gallery and definition + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Compute/galleries' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default SIG and SID + + - stage: deploy_ag + displayName: Deploy action groups + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Insights/actionGroups' + templateFilePath: 
$(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Action Group + + - stage: deploy_asg + displayName: Deploy application security groups + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Network/applicationSecurityGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Security Groups + + - stage: deploy_udr + displayName: Deploy route tables + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Network/routeTables' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default User Defined Routes + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI User Defined Routes + + - stage: deploy_nsg + displayName: Deploy network security groups + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.Network/networkSecurityGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + 
displayName: Default NSG + - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + templateFilePath: $(templateFilePath) + displayName: App Gateway NSG + - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json + templateFilePath: $(templateFilePath) + displayName: ASE NSG + - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion NSG + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI NSG + + - stage: deploy_pip + displayName: Deploy public IP addresses + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.Network\publicIPAddresses' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + templateFilePath: $(templateFilePath) + displayName: App Gateway Public IP + - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion Public IP + - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json + templateFilePath: $(templateFilePath) + displayName: Load balancer Public IP + + - stage: deploy_appi + displayName: Deploy application insight + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.Insights/components' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Insights + + - 
stage: deploy_aut + displayName: Deploy automation account + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.Automation/automationAccounts' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Automation Account + + - stage: deploy_avdhp + displayName: Deploy AVD host pool + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.DesktopVirtualization/hostpools' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default AVD Host Pool + + - stage: deploy_rsv + displayName: Deploy recovery services vault + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.RecoveryServices/vaults' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default recovery services vault - stage: deploy_kv displayName: Deploy key vaults + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law variables: resourceType: 'Microsoft.KeyVault/vaults' templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: 
$(templateFilePath) - # displayName: Default Key Vault - # jobName: default_kv - # - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Private Endpoint Key Vault - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI key vault - # jobName: sqlmi_kv + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Key Vault + jobName: default_kv + - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json + templateFilePath: $(templateFilePath) + displayName: Private Endpoint Key Vault + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI key vault + jobName: sqlmi_kv - job: displayName: Set key vault secrets keys and certificates - # dependsOn: - # - default_kv + dependsOn: + - default_kv pool: ${{ if eq(variables['vmImage'], '') }}: name: $(poolName) @@ -460,8 +464,8 @@ stages: - job: displayName: Set sqlmi key vault secrets and keys condition: eq(${{ parameters.deploySqlMiDependencies }}, true) - # dependsOn: - # - sqlmi_kv + dependsOn: + - sqlmi_kv pool: ${{ if eq(variables['vmImage'], '') }}: name: $(poolName) 
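Review bot: In the re-enabled `deploy_pip` stage, `resourceType: 'Microsoft.Network\publicIPAddresses'` is the only stage in this hunk that writes the provider/type with a backslash; every other stage uses `/`, and the value feeds both `templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep` and the parameter `path:` values, which on a Linux agent would contain a literal backslash and fail to resolve. Change it to `resourceType: 'Microsoft.Network/publicIPAddresses'` to match the rest of the file. In the `Upload files to storage account` job, `contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads'` leaves `$(dependencyPath)` unquoted while its neighbours are quoted; it works as a bare word for the current value, but quoting it as `'$(dependencyPath)'` keeps the expansion safe if the variable ever contains a space. The hunk begins at line 199 and the stage list continues in the following hunk.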
@@ -517,105 +521,100 @@ stages:
azurePowerShellVersion: 'LatestVersion'
pwsh: true
- # dependsOn:
- # - deploy_sa
- # - deploy_evh
- # - deploy_law
-
- # - stage: deploy_avdag
- # displayName: Deploy AVD application group
- # variables:
- # resourceType: 'Microsoft.DesktopVirtualization/applicationgroups'
- # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
- # jobs:
- # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
- # parameters:
- # deploymentBlocks:
- # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Default Application Group
- # dependsOn:
- # - deploy_avdhp
-
- # - stage: deploy_rolea
- # displayName: Deploy role assignments
- # variables:
- # resourceType: 'Microsoft.Authorization\roleAssignments'
- # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep
- # jobs:
- # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
- # parameters:
- # deploymentBlocks:
- # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: MSI Role Assignment
- # dependsOn:
- # - deploy_msi
-
- # - stage: deploy_vnet
- # displayName: Deploy virtual networks
- # variables:
- # resourceType: 'Microsoft.Network/virtualNetworks'
- # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
- # jobs:
- # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
- # parameters:
- # deploymentBlocks:
- # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Default Virtual Network
- # - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Bastion Virtual Network
- # - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: VNET PEering 1 Virtual Network
- # - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: VNET Peering 2 Virtual Network
- # - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Azure Firewall Virtual Network
- # - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: AKS Virtual Network
- # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}:
- # - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: SQL MI Virtual Network
- # dependsOn:
- # - deploy_nsg
- # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}:
- # - deploy_udr
-
- # - stage: deploy_dnszone
- # displayName: Deploy private DNS zones
- # variables:
- # resourceType: 'Microsoft.Network/privateDnsZones'
- # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
- # jobs:
- # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
- # parameters:
- # deploymentBlocks:
- # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Default Private DNS Zones
- # dependsOn:
- # - deploy_vnet
-
- # - stage: deploy_vm
- # displayName: Deploy virtual machines
- # variables:
- # resourceType: 'Microsoft.Compute/virtualMachines'
- # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
- # jobs:
- # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
- # parameters:
- # deploymentBlocks:
- # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Default Virtual Machine
- # dependsOn:
- # - deploy_vnet
- # - deploy_rsv
- # - deploy_kv
+ - stage: deploy_avdag
+ displayName: Deploy AVD application group
+ dependsOn:
+ - deploy_avdhp
+ variables:
+ resourceType: 'Microsoft.DesktopVirtualization/applicationgroups'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Application Group
+
+ - stage: deploy_rolea
+ displayName: Deploy role assignments
+ dependsOn:
+ - deploy_msi
+ variables:
+ resourceType: 'Microsoft.Authorization\roleAssignments'
+ templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: MSI Role Assignment
+
+ - stage: deploy_vnet
+ displayName: Deploy virtual networks
+ dependsOn:
+ - deploy_nsg
+ - ${{ if eq( parameters.deploySqlMiDependencies, true) }}:
+ - deploy_udr
+ variables:
+ resourceType: 'Microsoft.Network/virtualNetworks'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Virtual Network
+ - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Bastion Virtual Network
+ - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: VNET PEering 1 Virtual Network
+ - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: VNET Peering 2 Virtual Network
+ - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Azure Firewall Virtual Network
+ - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: AKS Virtual Network
+ - ${{ if eq( parameters.deploySqlMiDependencies, true) }}:
+ - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: SQL MI Virtual Network
+
+ - stage: deploy_dnszone
+ displayName: Deploy private DNS zones
+ dependsOn:
+ - deploy_vnet
+ variables:
+ resourceType: 'Microsoft.Network/privateDnsZones'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Private DNS Zones
+
+ - stage: deploy_vm
+ displayName: Deploy virtual machines
+ dependsOn:
+ - deploy_vnet
+ - deploy_rsv
+ - deploy_kv
+ variables:
+ resourceType: 'Microsoft.Compute/virtualMachines'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Virtual Machine
From bcde9117db0c5215abb433724c742576a5bcb010 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Thu, 6 Jan 2022 19:17:53 +0100
Subject: [PATCH 49/72] Re-enabled full GH
---
.github/workflows/platform.dependencies.yml | 1572 +++++++++----------
1 file changed, 786 insertions(+), 786 deletions(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 5bc3b344b7..c6ce539129 100644
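Review bot: In the re-enabled `deploy_rolea` stage, `resourceType: 'Microsoft.Authorization\roleAssignments'` keeps a backslash while every other stage in this hunk uses a forward slash (`Microsoft.Network/virtualNetworks`, `Microsoft.Compute/virtualMachines`, …); single quotes make the backslash literal, so `$(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep` and the matching parameters path will contain `Authorization\roleAssignments`, which on a Linux agent will not resolve to the module directory. Suggest `resourceType: 'Microsoft.Authorization/roleAssignments'`. Since this stage presumably grants subscription-scope roles (`nested_rbac_sub.bicep`, dependent on `deploy_msi`), a one-line comment above it naming the permission the deploying service connection itself needs for this step would help whoever audits the pipeline's privileges. Minor: `displayName: VNET PEering 1 Virtual Network` carries a typo (`Peering`).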
--- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml 
@@ -30,592 +30,592 @@ env: DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: - # job_deploy_rg: - # runs-on: ubuntu-20.04 - # name: 'Deploy resource group' - # env: - # namespace: 'Microsoft.Resources\resourceGroups' - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['validation.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_msi: - # runs-on: ubuntu-20.04 - # name: 'Deploy user assigned identity' - # env: - # namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_pa: - # runs-on: ubuntu-20.04 - # name: 'Deploy policy assignment' - # env: - # 
namespace: 'Microsoft.Authorization\policyAssignments' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_evh: - # runs-on: ubuntu-20.04 - # name: 'Deploy eventhub' - # env: - # namespace: 'Microsoft.EventHub\namespaces' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_law: - # runs-on: ubuntu-20.04 - # name: 'Deploy log analytics workspace' - # env: - # namespace: 'Microsoft.OperationalInsights\workspaces' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # 
parameterFilePaths: ['appi.parameters.json', 'parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sa: - # runs-on: ubuntu-20.04 - # name: 'Deploy storage account' - # env: - # namespace: 'Microsoft.Storage\storageAccounts' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_sa_upload_storage_files: - # runs-on: ubuntu-20.04 - # name: 'Upload files to storage account' - # env: - # namespace: 'Microsoft.Storage\storageAccounts' - # needs: - # - job_deploy_sa - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: Azure Login - # uses: azure/login@v1 
- # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - # enable-AzPSSession: true - # - name: Run PowerShell - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # # Load used functions - # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # # Get storage account name - # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' - # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # # Upload files to storage account - # $functionInput = @{ - # ResourceGroupName = '${{ env.defaultResourceGroupName }}' - # StorageAccountName = $storageAccountParameters.name.value - # contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads' - # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - # } - - # Write-Verbose "Invoke task with" -Verbose - # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - # Export-ContentToBlob @functionInput -Verbose - # azPSVersion: 'latest' - - # job_deploy_sig: - # runs-on: ubuntu-20.04 - # name: 'Deploy shared image gallery and definition' - # env: - # namespace: 'Microsoft.Compute\galleries' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # 
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_ag: - # runs-on: ubuntu-20.04 - # name: 'Deploy action groups' - # env: - # namespace: 'Microsoft.Insights\actionGroups' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_asg: - # runs-on: ubuntu-20.04 - # name: 'Deploy application security groups' - # env: - # namespace: 'Microsoft.Network\applicationSecurityGroups' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_udr: - # runs-on: ubuntu-20.04 - # name: 
'Deploy route tables' - # env: - # namespace: 'Microsoft.Network\routeTables' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sqlmi_udr: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi route tables' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.Network\routeTables' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['sqlMi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_nsg: - # runs-on: ubuntu-20.04 - # name: 'Deploy network security groups' - # env: - # namespace: 'Microsoft.Network\networkSecurityGroups' - # needs: - # - 
job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # [ - # 'apgw.parameters.json', - # 'ase.parameters.json', - # 'bastion.parameters.json', - # 'parameters.json', - # ] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sqlmi_nsg: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi network security group' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.Network\networkSecurityGroups' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['sqlmi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_pip: - # runs-on: ubuntu-20.04 - # name: 'Deploy 
public IP addresses' - # env: - # namespace: 'Microsoft.Network\publicIPAddresses' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_appi: - # runs-on: ubuntu-20.04 - # name: 'Deploy application insight' - # env: - # namespace: 'Microsoft.Insights\components' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_aut: - # runs-on: ubuntu-20.04 - # name: 'Deploy automation account' - # env: - # 
namespace: 'Microsoft.Automation\automationAccounts' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_avdhp: - # runs-on: ubuntu-20.04 - # name: 'Deploy AVD host pool' - # env: - # namespace: 'Microsoft.DesktopVirtualization\hostpools' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_rsv: - # runs-on: ubuntu-20.04 - # name: 'Deploy recovery services vault' - # env: - # namespace: 'Microsoft.RecoveryServices\vaults' - # needs: - # - job_deploy_sa - 
# - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_kv: - # runs-on: ubuntu-20.04 - # name: 'Deploy key vaults' - # env: - # namespace: 'Microsoft.KeyVault\vaults' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json', 'pe.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_rg: + runs-on: ubuntu-20.04 + name: 'Deploy resource group' + env: + namespace: 'Microsoft.Resources\resourceGroups' + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['validation.parameters.json'] + steps: + - name: 'Checkout' + uses: 
actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_msi: + runs-on: ubuntu-20.04 + name: 'Deploy user assigned identity' + env: + namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_pa: + runs-on: ubuntu-20.04 + name: 'Deploy policy assignment' + env: + namespace: 'Microsoft.Authorization\policyAssignments' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' + parameterFilePath: '${{ 
env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_evh: + runs-on: ubuntu-20.04 + name: 'Deploy eventhub' + env: + namespace: 'Microsoft.EventHub\namespaces' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_law: + runs-on: ubuntu-20.04 + name: 'Deploy log analytics workspace' + env: + namespace: 'Microsoft.OperationalInsights\workspaces' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['appi.parameters.json', 'parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + 
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_sa:
+ runs-on: ubuntu-20.04
+ name: 'Deploy storage account'
+ env:
+ namespace: 'Microsoft.Storage\storageAccounts'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths:
+ ['fa.parameters.json', 'law.parameters.json', 'parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_sa_upload_storage_files:
+ runs-on: ubuntu-20.04
+ name: 'Upload files to storage account'
+ env:
+ namespace: 'Microsoft.Storage\storageAccounts'
+ needs:
+ - job_deploy_sa
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Azure Login
+ uses: azure/login@v1
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+ enable-AzPSSession: true
+ - name: Run PowerShell
+ uses: azure/powershell@v1
+ with:
+ inlineScript: |
+ # Load used functions
+ .
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1')
+
+ # Get storage account name
+ $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json'
+ $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters
+
+ # Upload files to storage account
+ $functionInput = @{
+ ResourceGroupName = '${{ env.defaultResourceGroupName }}'
+ StorageAccountName = $storageAccountParameters.name.value
+ contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads'
+ targetContainer = $storageAccountParameters.blobServices.value.containers[0].name
+ }
+
+ Write-Verbose "Invoke task with" -Verbose
+ Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
+
+ Export-ContentToBlob @functionInput -Verbose
+ azPSVersion: 'latest'
+
+ job_deploy_sig:
+ runs-on: ubuntu-20.04
+ name: 'Deploy shared image gallery and definition'
+ env:
+ namespace: 'Microsoft.Compute\galleries'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_ag:
+ runs-on: ubuntu-20.04
+ name: 'Deploy action groups'
+ env:
+ namespace: 'Microsoft.Insights\actionGroups'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast:
false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_asg:
+ runs-on: ubuntu-20.04
+ name: 'Deploy application security groups'
+ env:
+ namespace: 'Microsoft.Network\applicationSecurityGroups'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_udr:
+ runs-on: ubuntu-20.04
+ name: 'Deploy route tables'
+ env:
+ namespace: 'Microsoft.Network\routeTables'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{
env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_sqlmi_udr:
+ runs-on: ubuntu-20.04
+ name: 'Deploy sqlmi route tables'
+ if: github.event.inputs.deploySqlMiDependencies == 'true'
+ env:
+ namespace: 'Microsoft.Network\routeTables'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['sqlMi.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_nsg:
+ runs-on: ubuntu-20.04
+ name: 'Deploy network security groups'
+ env:
+ namespace: 'Microsoft.Network\networkSecurityGroups'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths:
+ [
+ 'apgw.parameters.json',
+ 'ase.parameters.json',
+ 'bastion.parameters.json',
+ 'parameters.json',
+ ]
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath
}}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_sqlmi_nsg:
+ runs-on: ubuntu-20.04
+ name: 'Deploy sqlmi network security group'
+ if: github.event.inputs.deploySqlMiDependencies == 'true'
+ env:
+ namespace: 'Microsoft.Network\networkSecurityGroups'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['sqlmi.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_pip:
+ runs-on: ubuntu-20.04
+ name: 'Deploy public IP addresses'
+ env:
+ namespace: 'Microsoft.Network\publicIPAddresses'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths:
+ ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths
}}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_appi:
+ runs-on: ubuntu-20.04
+ name: 'Deploy application insight'
+ env:
+ namespace: 'Microsoft.Insights\components'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_aut:
+ runs-on: ubuntu-20.04
+ name: 'Deploy automation account'
+ env:
+ namespace: 'Microsoft.Automation\automationAccounts'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{
secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_avdhp:
+ runs-on: ubuntu-20.04
+ name: 'Deploy AVD host pool'
+ env:
+ namespace: 'Microsoft.DesktopVirtualization\hostpools'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_rsv:
+ runs-on: ubuntu-20.04
+ name: 'Deploy recovery services vault'
+ env:
+ namespace: 'Microsoft.RecoveryServices\vaults'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_kv:
+ runs-on: ubuntu-20.04
+ name: 'Deploy key vaults'
+ env:
+ namespace: 'Microsoft.KeyVault\vaults'
+ needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json', 'pe.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' job_deploy_kv_secrets: runs-on: ubuntu-20.04 name: 'Set key vault secrets keys and certificates' env: namespace: 'Microsoft.KeyVault\vaults' - # needs: - # - job_deploy_kv + needs: + - job_deploy_kv steps: - name: 'Checkout' uses: actions/checkout@v2 @@ -626,7 +626,7 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} enable-AzPSSession: true - - name: Run PowerShell + - name: 'Set key vault secrets keys and certificates' uses: azure/powershell@v1 with: inlineScript: | 
@@ -678,42 +678,42 @@ jobs: } azPSVersion: 'latest' - # job_deploy_sqlmi_kv: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi key vault' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.KeyVault\vaults' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['sqlmi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_sqlmi_kv: + runs-on: ubuntu-20.04 + name: 'Deploy sqlmi key vault' + if: github.event.inputs.deploySqlMiDependencies == 'true' + env: + namespace: 'Microsoft.KeyVault\vaults' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['sqlmi.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ 
env.removeDeployment }}' job_deploy_sqlmi_kv_secrets: runs-on: ubuntu-20.04 name: 'Set sqlmi key vault secrets and keys' if: github.event.inputs.deploySqlMiDependencies == 'true' - # needs: - # - job_deploy_sqlmi_kv + needs: + - job_deploy_sqlmi_kv env: namespace: 'Microsoft.KeyVault\vaults' steps: @@ -726,7 +726,7 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} enable-AzPSSession: true - - name: Run PowerShell + - name: 'Set sqlmi key vault secrets and keys' uses: azure/powershell@v1 with: inlineScript: | 
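Review bot: `uses: actions/checkout@v2` in the re-enabled job_deploy_sqlmi_kv job (and in every job the `@@ -761,176` hunk below re-enables) references a mutable tag rather than an immutable revision, so a moved tag can silently change the code that runs with `secrets.AZURE_CREDENTIALS` and the ARM_* secrets in scope; pinning to a full-length commit SHA, `uses: actions/checkout@<full commit SHA of the v2 release>  # v2`, removes that dependency on tag integrity. A smaller point: `parameterFilePaths: ['sqlmi.parameters.json']` here and in job_deploy_sqlmi_nsg differs only in case from `['sqlMi.parameters.json']` in job_deploy_sqlmi_udr earlier in this file; the files live under different namespace directories, so this may be intentional, but the `ubuntu-20.04` runner's file system is case-sensitive and each spelling has to match the file on disk exactly.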
@@ -761,176 +761,176 @@ jobs: } azPSVersion: 'latest' - # job_deploy_avdag: - # runs-on: ubuntu-20.04 - # name: 'Deploy AVD application group' - # env: - # namespace: 'Microsoft.DesktopVirtualization\applicationgroups' - # needs: - # - job_deploy_avdhp - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_rolea: - # runs-on: ubuntu-20.04 - # name: 'Deploy role assignments' - # env: - # namespace: 'Microsoft.Authorization\roleAssignments' - # needs: - # - job_deploy_msi - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_rbac_sub.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_vnet: - # runs-on: ubuntu-20.04 - # name: 'Deploy virtual 
networks'
- # env:
- # namespace: 'Microsoft.Network\virtualNetworks'
- # needs:
- # - job_deploy_nsg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths:
- # [
- # '1.bastion.parameters.json',
- # '2.vnetpeer01.parameters.json',
- # '3.vnetpeer02.parameters.json',
- # '4.azfw.parameters.json',
- # '5.aks.parameters.json',
- # 'parameters.json',
- # ]
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_sqlmi_vnet:
- # runs-on: ubuntu-20.04
- # name: 'Deploy sqlmi virtual network'
- # if: github.event.inputs.deploySqlMiDependencies == 'true'
- # env:
- # namespace: 'Microsoft.Network\virtualNetworks'
- # needs:
- # - job_deploy_sqlmi_udr
- # - job_deploy_sqlmi_nsg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['6.sqlmi.parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- #
removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_dnszone:
- # runs-on: ubuntu-20.04
- # name: 'Deploy private DNS zones'
- # env:
- # namespace: 'Microsoft.Network\privateDnsZones'
- # needs:
- # - job_deploy_vnet
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_vm:
- # runs-on: ubuntu-20.04
- # name: 'Deploy virtual machines'
- # env:
- # namespace: 'Microsoft.Compute\virtualMachines'
- # needs:
- # - job_deploy_kv_secrets
- # - job_deploy_vnet
- # - job_deploy_rsv
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
+ job_deploy_avdag:
+ runs-on: ubuntu-20.04
+ name: 'Deploy AVD application
group'
+ env:
+ namespace: 'Microsoft.DesktopVirtualization\applicationgroups'
+ needs:
+ - job_deploy_avdhp
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_rolea:
+ runs-on: ubuntu-20.04
+ name: 'Deploy role assignments'
+ env:
+ namespace: 'Microsoft.Authorization\roleAssignments'
+ needs:
+ - job_deploy_msi
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_rbac_sub.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_vnet:
+ runs-on: ubuntu-20.04
+ name: 'Deploy virtual networks'
+ env:
+ namespace: 'Microsoft.Network\virtualNetworks'
+ needs:
+ - job_deploy_nsg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths:
+ [
+ '1.bastion.parameters.json',
+ '2.vnetpeer01.parameters.json',
+
'3.vnetpeer02.parameters.json',
+ '4.azfw.parameters.json',
+ '5.aks.parameters.json',
+ 'parameters.json',
+ ]
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_sqlmi_vnet:
+ runs-on: ubuntu-20.04
+ name: 'Deploy sqlmi virtual network'
+ if: github.event.inputs.deploySqlMiDependencies == 'true'
+ env:
+ namespace: 'Microsoft.Network\virtualNetworks'
+ needs:
+ - job_deploy_sqlmi_udr
+ - job_deploy_sqlmi_nsg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['6.sqlmi.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_dnszone:
+ runs-on: ubuntu-20.04
+ name: 'Deploy private DNS zones'
+ env:
+ namespace: 'Microsoft.Network\privateDnsZones'
+ needs:
+ - job_deploy_vnet
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses:
actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_vm:
+ runs-on: ubuntu-20.04
+ name: 'Deploy virtual machines'
+ env:
+ namespace: 'Microsoft.Compute\virtualMachines'
+ needs:
+ - job_deploy_kv_secrets
+ - job_deploy_vnet
+ - job_deploy_rsv
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
From b2bbba826e7b6e61dbe7f4216116851a27820f82 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Thu, 6 Jan 2022 20:16:05 +0100
Subject: [PATCH 50/72] Added trigger none for ado
---
.azuredevops/platformPipelines/platform.dependencies.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 8304d74868..e9ef3785cd 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -6,6 +6,8 @@ parameters: type: boolean default: false +trigger: none + # trigger: # batch: true # branches: From 170e659e0589e924799b427cf53474099571102c Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 09:51:38 +0100 Subject: [PATCH 51/72] Update arm/Microsoft.Compute/virtualMachines/deploy.bicep Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- arm/Microsoft.Compute/virtualMachines/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Compute/virtualMachines/deploy.bicep b/arm/Microsoft.Compute/virtualMachines/deploy.bicep index c0f02350b1..796e4275ee 100644 --- a/arm/Microsoft.Compute/virtualMachines/deploy.bicep +++ b/arm/Microsoft.Compute/virtualMachines/deploy.bicep @@ -582,7 +582,7 @@ module virtualMachine_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, in @description('The name of the VM.') output name string = virtualMachine.name -@description('The Resource ID of the VM.') +@description('The resource ID of the VM.') output ResourceId string = virtualMachine.id @description('The name of the Resource Group the VM was created in.') From 502d020ca3c1673aa67e60e60ef9a96482cf6da8 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 09:51:52 +0100 Subject: [PATCH 52/72] Update arm/Microsoft.Compute/virtualMachines/deploy.bicep Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- arm/Microsoft.Compute/virtualMachines/deploy.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Compute/virtualMachines/deploy.bicep b/arm/Microsoft.Compute/virtualMachines/deploy.bicep index 796e4275ee..7182738488 100644 --- a/arm/Microsoft.Compute/virtualMachines/deploy.bicep +++ b/arm/Microsoft.Compute/virtualMachines/deploy.bicep 
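Review bot: `trigger: none` switches off only the CI trigger; if this pipeline is connected to the GitHub repository, Azure Pipelines enables pull-request validation builds for all branches by default whenever no `pr:` section is present, so a pull request could still start this dependency deployment against the subscription. If that is not intended, add `pr: none` next to the new line. The commented-out `trigger:` block that follows can stay as a record of the intended path filter, but a one-line comment above `trigger: none` saying the pipeline is meant to be run manually would make the choice explicit.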
@@ -585,7 +585,7 @@ output name string = virtualMachine.name @description('The resource ID of the VM.') output ResourceId string = virtualMachine.id -@description('The name of the Resource Group the VM was created in.') +@description('The name of the resource group the VM was created in.') output ResourceGroup string = resourceGroup().name @description('The principal ID of the system assigned identity.') From 46cefb3ef5aad8ae9102d454dc07b2ddcf7ed3bf Mon Sep 17 00:00:00 2001 From: MrMCake Date: Wed, 12 Jan 2022 09:59:55 +0100 Subject: [PATCH 53/72] Rollback of unwanted changes --- arm/Microsoft.Compute/virtualMachines/deploy.bicep | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.Compute/virtualMachines/deploy.bicep b/arm/Microsoft.Compute/virtualMachines/deploy.bicep index fbfba3f4eb..9837490f3d 100644 --- a/arm/Microsoft.Compute/virtualMachines/deploy.bicep +++ b/arm/Microsoft.Compute/virtualMachines/deploy.bicep @@ -580,13 +580,13 @@ module virtualMachine_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, in }] @description('The name of the VM.') -output name string = virtualMachine.name +output virtualMachineName string = virtualMachine.name @description('The resource ID of the VM.') -output ResourceId string = virtualMachine.id +output virtualMachineResourceId string = virtualMachine.id @description('The name of the resource group the VM was created in.') -output ResourceGroup string = resourceGroup().name +output virtualMachineResourceGroup string = resourceGroup().name @description('The principal ID of the system assigned identity.') output systemAssignedPrincipalId string = systemAssignedIdentity && contains(virtualMachine.identity, 'principalId') ? virtualMachine.identity.principalId : '' From 6a2a732fb17e29ff1f1bc6e3d59eae9e38819a80 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Wed, 12 Jan 2022 10:39:22 +0100 Subject: [PATCH 54/72] Update .github/workflows/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .github/workflows/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index c6ce539129..6087bec16e 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -658,7 +658,7 @@ jobs: Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose } - # Certificats + # Set certificates # ----------- $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal @( From 7715f3ae6616e6ac768661bee0bbd1a333b3621f Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:39:35 +0100 Subject: [PATCH 55/72] Update .github/workflows/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .github/workflows/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 6087bec16e..e698285024 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -735,7 +735,7 @@ jobs: $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters $keyVaultName = $keyVaultParameters.name.value - # Prepare + # Generate values $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force $passwordString = (New-Guid).Guid.SubString(0, 19) 
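Review bot: The block now headed `# Generate values` produces a username that is identical on every run: `Get-Random -SetSeed 1` seeds the generator with a constant, so the nine picked characters and their `[char]$_ + "$_"` suffixes are fully predictable, and that value is later stored as the `adminUsername`/`administratorLogin` secret in the following hunk. If this is deliberate (for example so re-runs keep the same login while only the password rotates) the new comment should say so, e.g. `# Username is intentionally deterministic (fixed seed) so re-runs keep the same login; only the password is regenerated`; otherwise drop `-SetSeed 1`. The password on the last context line is the first 19 characters of a GUID, hyphens included, which is roughly 60 bits of randomness — adequate for throwaway test resources but worth a comment so nobody reuses the pattern elsewhere. The same generation block is repeated in the SQL MI job and in the Azure DevOps pipeline, and the enclosing `run:` script starts and ends outside the hunk.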
From bc7ad169a25e7e04ee797ab050142b629722292e Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:39:44 +0100 Subject: [PATCH 56/72] Update .github/workflows/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .github/workflows/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index e698285024..b5e62b53ca 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -751,7 +751,7 @@ jobs: Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose } - # Keys + # Set keys # ---- @( @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances From a8da42ac7b54463becb10b937b2358149cd32013 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:39:53 +0100 Subject: [PATCH 57/72] Update .github/workflows/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .github/workflows/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index b5e62b53ca..89bc00b49b 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -643,7 +643,7 @@ jobs: $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # Secrets + # Set secrets # ------- @( @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS From fb0ca5e8f413a84a9acf328c22869a36c455b563 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Wed, 12 Jan 2022 10:40:35 +0100 Subject: [PATCH 58/72] Update .github/workflows/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .github/workflows/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 89bc00b49b..1fdbb6a891 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -668,7 +668,7 @@ jobs: Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose } - # Keys + # Set keys # ---- @( @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS From 1028922eb62496b3963fa46e890b81429c654309 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:40:55 +0100 Subject: [PATCH 59/72] Update .github/workflows/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .github/workflows/platform.dependencies.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 1fdbb6a891..cd18334915 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml 
@@ -651,8 +651,8 @@ jobs: @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway - @{ name = 'apimclientid'; secretValue = $username } # API management - @{ name = 'apimclientsecret'; secretValue = $password } # API management + @{ name = 'apimClientId'; secretValue = $username } # API management + @{ name = 'apimClientSecret'; secretValue = $password } # API management ) | ForEach-Object { $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose From 39c8dc381262bfd2dbb202c32f0a9bd76288e446 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:41:06 +0100 Subject: [PATCH 60/72] Update .github/workflows/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .github/workflows/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index cd18334915..818d11ab84 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -635,7 +635,7 @@ jobs: $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters $keyVaultName = $keyVaultParameters.name.value - # Prepare + # Generate values $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force $passwordString = (New-Guid).Guid.SubString(0, 19) From 6be1a46d30713e4f8586cf7f8f7e640914d5fb3b Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Wed, 12 Jan 2022 10:41:13 +0100 Subject: [PATCH 61/72] Update .azuredevops/platformPipelines/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index e9ef3785cd..ef19e74cf1 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -418,7 +418,7 @@ stages: $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters $keyVaultName = $keyVaultParameters.name.value - # Prepare + # Generate values $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force $passwordString = (New-Guid).Guid.SubString(0, 19) From f40cf045af2b583c92a3fee7bb70b528716b0cdc Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:42:13 +0100 Subject: [PATCH 62/72] Update .azuredevops/platformPipelines/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index ef19e74cf1..72cfb98346 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
@@ -426,7 +426,7 @@ stages: $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # Secrets + # Set secrets # ------- @( @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS From d84df2682e1ba541506327b4bb18564a41d16fae Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:42:20 +0100 Subject: [PATCH 63/72] Update .azuredevops/platformPipelines/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 72cfb98346..be6b200f93 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -451,7 +451,7 @@ stages: Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose } - # Keys + # Set keys # ---- @( @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS From 07ae33d94fefa5e967239969f8ac22195ea8b342 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:42:28 +0100 Subject: [PATCH 64/72] Update .azuredevops/platformPipelines/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .azuredevops/platformPipelines/platform.dependencies.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index be6b200f93..a0eafdb18e 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
@@ -434,8 +434,8 @@ stages: @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway - @{ name = 'apimclientid'; secretValue = $username } # API management - @{ name = 'apimclientsecret'; secretValue = $password } # API management + @{ name = 'apimClientId'; secretValue = $username } # API management + @{ name = 'apimClientSecret'; secretValue = $password } # API management ) | ForEach-Object { $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose From b02781eb1a61f7da774ff7dd5262f4150789f3ba Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:45:34 +0100 Subject: [PATCH 65/72] Update .azuredevops/platformPipelines/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index a0eafdb18e..51cbdbaf78 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -496,7 +496,7 @@ stages: $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters $keyVaultName = $keyVaultParameters.name.value - # Prepare + # Generate values $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force $passwordString = (New-Guid).Guid.SubString(0, 19) 
From 93b0daacfbd82de18303e1ba195715e4d6f9912f Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:45:42 +0100 Subject: [PATCH 66/72] Update .azuredevops/platformPipelines/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 51cbdbaf78..d42ddb3098 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -502,7 +502,7 @@ stages: $passwordString = (New-Guid).Guid.SubString(0, 19) $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - # Secrets + # Set secrets # ------- @( @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances From 43d1220f6d2d17dcc2332cc029817102845240f4 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:45:47 +0100 Subject: [PATCH 67/72] Update .azuredevops/platformPipelines/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index d42ddb3098..b4fabd13eb 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -512,7 +512,7 @@ stages: Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose } - # Keys + # Set keys # ---- @( @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances From 0c7b6aea47c00b0f9464bb6479dd6024aa090e5c Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Wed, 12 Jan 2022 10:46:01 +0100 Subject: [PATCH 68/72] Update .azuredevops/platformPipelines/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .azuredevops/platformPipelines/platform.dependencies.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index b4fabd13eb..0379923289 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -146,8 +146,13 @@ stages: # Load used functions . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.Storage' } + ) + # Set agent up - Set-EnvironmentOnAgent + Set-EnvironmentOnAgent -PSModules $Modules - task: AzurePowerShell@5 displayName: Upload files to storage account inputs: From caf33e10d0ac278577de80b4ab664c0d14705a6e Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:46:09 +0100 Subject: [PATCH 69/72] Update .azuredevops/platformPipelines/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .azuredevops/platformPipelines/platform.dependencies.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 0379923289..cc88c9ff64 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
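Review bot: The new `$Modules` entry names `Az.Storage` with no version, so whatever `Set-EnvironmentOnAgent -PSModules` installs (its body is outside this hunk; presumably `Install-Module` from the PowerShell Gallery — verify in Set-EnvironmentOnAgent.ps1) floats to the latest gallery release on every run, which makes the dependency deployment non-reproducible and lets a broken or compromised module release straight into a pipeline that holds deployment credentials. If the helper accepts a version key, pin one, e.g. `@{ Name = 'Az.Storage'; RequiredVersion = '<version validated in CI>' }`, and if it does not, extending it is worth the small change. The same applies to the two `Az.KeyVault` entries added to the key vault stages in the next patches and to the GitHub workflow. The surrounding task list continues outside the hunk.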
@@ -410,8 +410,13 @@ stages: # Load used functions . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + # Set agent up - Set-EnvironmentOnAgent + Set-EnvironmentOnAgent -PSModules $Modules - task: AzurePowerShell@5 displayName: Set key vault secrets keys and certificates inputs: From d502f2e5b52a3a27c8816c44c75a3ebbaff3a2f7 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 10:46:15 +0100 Subject: [PATCH 70/72] Update .azuredevops/platformPipelines/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .azuredevops/platformPipelines/platform.dependencies.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index cc88c9ff64..9abe3c0aea 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -493,8 +493,13 @@ stages: # Load used functions . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + # Set agent up - Set-EnvironmentOnAgent + Set-EnvironmentOnAgent -PSModules $Modules - task: AzurePowerShell@5 displayName: Set sqlmi key vault secrets and keys inputs: From 83f129e35c3fdf2583a6e796ba4e9a99575c4421 Mon Sep 17 00:00:00 2001 From: MrMCake Date: Wed, 12 Jan 2022 11:22:07 +0100 Subject: [PATCH 71/72] Added environment setup to GH pipeline --- .github/workflows/platform.dependencies.yml | 39 +++++++++++++++++++++ 1 file changed, 39 insertions(+) 
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 818d11ab84..c95be3738b 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -203,6 +203,19 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 + - name: 'Setup agent' + shell: pwsh + run: | + # Load used functions + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.Storage' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules - name: Azure Login uses: azure/login@v1 with: @@ -621,6 +634,19 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 + - name: 'Setup agent' + shell: pwsh + run: | + # Load used functions + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules - name: Azure Login uses: azure/login@v1 with: @@ -721,6 +747,19 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 + - name: 'Setup agent' + shell: pwsh + run: | + # Load used functions + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules - name: Azure Login uses: azure/login@v1 with: From a37e4658c6f7c1fff4a9f99da008c1334e4939f9 Mon Sep 17 00:00:00 2001 From: Alexander Sehr Date: Wed, 12 Jan 2022 11:25:04 +0100 Subject: [PATCH 72/72] Update .github/workflows/platform.dependencies.yml Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .github/workflows/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
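Review bot: The same twelve-line `Setup agent` step is pasted into three jobs, differing only in the module name, which is the kind of duplication this workflow already avoids elsewhere by calling composite actions under `./.github/actions/templates/`; a small composite action taking a `modules` input (or at least a shared script invoked with the module list as an argument) would keep the three copies from drifting. Each copy also installs its module unpinned — `@{ Name = 'Az.KeyVault' }` — so hosted runners pull the latest gallery release on every run (assuming `Set-EnvironmentOnAgent` installs from the PowerShell Gallery; its body is not in the hunk); pinning a version, e.g. `@{ Name = 'Az.KeyVault'; RequiredVersion = '<version validated in CI>' }`, keeps the dependency deployment reproducible. A short comment above `$Modules`, such as `# Modules not present on the hosted runner image; keep versions in sync with the ADO pipeline`, would explain why the list exists. Each job's step list starts and ends outside its hunk.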
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index c95be3738b..3a7c306611 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -780,7 +780,7 @@ jobs: $passwordString = (New-Guid).Guid.SubString(0, 19) $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - # Secrets + # Set secrets # ------- @( @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances