From 13b57baf87bdadf90d3cff9999331b93ce5482d2 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Tue, 4 Jan 2022 14:35:54 +0100
Subject: [PATCH 1/3] Added an additional note to the wiki
---
 docs/wiki/TestingDesign.md | 1 +
 .../roleAssignments/parameters/parameters.json | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/wiki/TestingDesign.md b/docs/wiki/TestingDesign.md
index a64209ab7e..d783a6ba25 100644
--- a/docs/wiki/TestingDesign.md
+++ b/docs/wiki/TestingDesign.md
@@ -154,6 +154,7 @@ Since also dependency resources are in turn subject to dependencies with each ot
 - '_adp-sxx-az-pip-x-bas_': Leveraged by the [bastion host] resource.
 - '_adp-sxx-az-pip-x-lb_': Leveraged by the [load balancer] resource.
 1. Role assignment: This resource assigns the '_Contributor_' role on the subscription to the [user assigned identity] deployed as part of the group above. This is needed by the [image template] deployment.
+ > **Note**: You must add the object ID of the [user assigned identity]. However, when you first run the pipeline, this object ID will be unknown. It is hence recommended to either manually create the MSI beforehand - or - run the pipeline without the ID once (which will cause the pipeline to fail during the role assignment, but **after** the MSI was deployed), then update the value in the parameter file and finally re-run the pipeline.
 **Fourth level resources**: This group of resources has a dependency on one or more resources in the groups above. Resources in this group can be deployed in parallel.
diff --git a/utilities/pipelines/dependencies/Microsoft.Authorization/roleAssignments/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.Authorization/roleAssignments/parameters/parameters.json
index 29cb3cb7a4..4a63cc7d1e 100644
--- a/utilities/pipelines/dependencies/Microsoft.Authorization/roleAssignments/parameters/parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.Authorization/roleAssignments/parameters/parameters.json
@@ -6,7 +6,7 @@
 "value": "Contributor"
 },
 "principalId": {
- "value": "cf33fea8-b30f-424f-ab73-c48d99e0b222"
+ "value": "cf33fea8-b30f-424f-ab73-c48d99e0b222" // The object ID of the deployed MSI
 },
 "subscriptionId": {
 "value": "<>"
From ad95117ca1abd9a0b5c72eee3259cb5a47b6cd20 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Tue, 4 Jan 2022 14:58:06 +0100
Subject: [PATCH 2/3] Update to latest
---
 docs/wiki/TestingDesign.md | 4 ++--
 .../vaults/parameters/parameters.json | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/wiki/TestingDesign.md b/docs/wiki/TestingDesign.md
index d783a6ba25..4dd6a84ef1 100644
--- a/docs/wiki/TestingDesign.md
+++ b/docs/wiki/TestingDesign.md
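Review bot: The `// The object ID of the deployed MSI` comment added after the `principalId` value in `roleAssignments/parameters/parameters.json` is not valid JSON, so the file now only loads in consumers that tolerate comments; whether the deployment tooling and every pipeline script that reads it do so should be confirmed, since the wiki note already carries the explanation. The same applies to the comment added inside the `principalIds` array in `vaults/parameters/parameters.json` and to the `KeyEncryptionKeyURL` comments in `linux.parameters.json` and `windows.parameters.json`. Separately, the value remains a literal object ID that receives `Contributor`, while `subscriptionId` just below uses a placeholder. Using one here too, e.g. `"value": "<placeholder: MSI object ID>"`, would likely make a forgotten update fail at deployment instead of assigning the role to whichever principal that GUID resolves to.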
@@ -113,7 +113,8 @@ Since also dependency resources are in turn subject to dependencies with each ot
 **Second level resources**: This group of resources has a dependency only on the resource group which will host them. Resources in this group can be deployed in parallel.
- 1. User assigned identity: This resource is leveraged as a test identity by all resources supporting RBAC.
+ 1. User assigned identity: This resource is leveraged by all dependency resources
+ > **Note**: The object ID of the [user assigned identity] must be set in several dependency parameter files. However, when you first run the pipeline, this object ID will be unknown. It is hence recommended to either manually create the MSI beforehand - or - run the pipeline without the ID once (which will cause the pipeline to fail during the ID's usage, but **after** the MSI was deployed), then update the value in the parameter files and finally re-run the pipeline.
 1. Policy assignment: This resource is leveraged by the [policy exemption] resource.
 1. Log analytics workspace: This resource is leveraged by all resources supporting diagnostic settings on LAW.
 1. Storage account: This resource is leveraged by all resources supporting diagnostic settings on a storage account.
@@ -154,7 +155,6 @@ Since also dependency resources are in turn subject to dependencies with each ot
 - '_adp-sxx-az-pip-x-bas_': Leveraged by the [bastion host] resource.
 - '_adp-sxx-az-pip-x-lb_': Leveraged by the [load balancer] resource.
 1. Role assignment: This resource assigns the '_Contributor_' role on the subscription to the [user assigned identity] deployed as part of the group above. This is needed by the [image template] deployment.
- > **Note**: You must add the object ID of the [user assigned identity]. However, when you first run the pipeline, this object ID will be unknown. It is hence recommended to either manually create the MSI beforehand - or - run the pipeline without the ID once (which will cause the pipeline to fail during the role assignment, but **after** the MSI was deployed), then update the value in the parameter file and finally re-run the pipeline.
 **Fourth level resources**: This group of resources has a dependency on one or more resources in the groups above. Resources in this group can be deployed in parallel.
diff --git a/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json
index cd637787d4..7a84003ad2 100644
--- a/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json
@@ -254,7 +254,7 @@
 {
 "roleDefinitionIdOrName": "Reader",
 "principalIds": [
- "cf33fea8-b30f-424f-ab73-c48d99e0b222"
+ "cf33fea8-b30f-424f-ab73-c48d99e0b222" // The object ID of the deployed MSI
 ]
 }
 ]
From 8830a48052891980de8aae980cce93fbab3d6d20 Mon Sep 17 00:00:00 2001
From: MrMCake
Date: Wed, 5 Jan 2022 09:46:32 +0100
Subject: [PATCH 3/3] Update to latest
---
 .../virtualMachines/.parameters/linux.parameters.json | 2 +-
 .../virtualMachines/.parameters/windows.parameters.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arm/Microsoft.Compute/virtualMachines/.parameters/linux.parameters.json b/arm/Microsoft.Compute/virtualMachines/.parameters/linux.parameters.json
index dc57703889..043cae89a6 100644
--- a/arm/Microsoft.Compute/virtualMachines/.parameters/linux.parameters.json
+++ b/arm/Microsoft.Compute/virtualMachines/.parameters/linux.parameters.json
@@ -137,7 +137,7 @@
 "EncryptionOperation": "EnableEncryption",
 "KeyVaultURL": "https://adp-sxx-az-kv-x-001.vault.azure.net/",
 "KeyVaultResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001",
- "KeyEncryptionKeyURL": "https://adp-sxx-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/1dcaf3e93b44433bba0232e9eec54cc7",
+ "KeyEncryptionKeyURL": "https://adp-sxx-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/1dcaf3e93b44433bba0232e9eec54cc7", // ID must be updated for new keys
 "KekVaultResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001",
 "KeyEncryptionAlgorithm": "RSA-OAEP",
 "VolumeType": "All",
diff --git a/arm/Microsoft.Compute/virtualMachines/.parameters/windows.parameters.json b/arm/Microsoft.Compute/virtualMachines/.parameters/windows.parameters.json
index 8cffb9255f..9567c9d797 100644
--- a/arm/Microsoft.Compute/virtualMachines/.parameters/windows.parameters.json
+++ b/arm/Microsoft.Compute/virtualMachines/.parameters/windows.parameters.json
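Review bot: The comment added to `KeyEncryptionKeyURL` in `linux.parameters.json` says "ID must be updated for new keys", but the part that changes is the key version, the last path segment after `/keys/keyEncryptionKey/`. The identical comment in the `windows.parameters.json` hunk has the same wording. If the inline note is kept, `// Key version (last path segment) must be updated when the key is re-created` would tell the reader exactly which part of the URL to edit. A stale version presumably points disk encryption at a key version that does not exist in a newly deployed vault, so stating this once in the wiki next to the key vault dependency may serve readers better than two inline copies.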
@@ -154,7 +154,7 @@
 "EncryptionOperation": "EnableEncryption",
 "KeyVaultURL": "https://adp-sxx-az-kv-x-001.vault.azure.net/",
 "KeyVaultResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001",
- "KeyEncryptionKeyURL": "https://adp-sxx-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/1dcaf3e93b44433bba0232e9eec54cc7",
+ "KeyEncryptionKeyURL": "https://adp-sxx-az-kv-x-001.vault.azure.net/keys/keyEncryptionKey/1dcaf3e93b44433bba0232e9eec54cc7", // ID must be updated for new keys
 "KekVaultResourceId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-sxx-az-kv-x-001",
 "KeyEncryptionAlgorithm": "RSA-OAEP",
 "VolumeType": "All",