From 891c299feda8f79bed1e71873123db5193e56f83 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Tue, 11 Jan 2022 15:10:59 +0100
Subject: [PATCH 01/19] set json output from deploy action

---
 .../validateModuleDeployment/action.yml | 25 ++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml
index 361a2ef9d3..94595db70a 100644
--- a/.github/actions/templates/validateModuleDeployment/action.yml
+++ b/.github/actions/templates/validateModuleDeployment/action.yml
@@ -25,6 +25,11 @@ inputs:
     default: 'true'
     required: false
 
+outputs:
+  deploymentOutput:
+    description: 'Deployment output matrix'
+    value: ${{ steps.deploy_step.outputs.deploymentOutput }}
+
 runs:
   using: 'composite'
   steps:
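Review bot: The new `deploymentOutput` output is a JSON document (the emitting code later in this patch builds it with `ConvertTo-Json -Compress`), so it carries double quotes and whatever characters the module's own outputs contain; any consumer that splices `${{ steps.<id>.outputs.deploymentOutput }}` straight into a `run` or `inlineScript` body will break on a quote and is open to script injection if an output value can be influenced by a template author. State that contract in the description instead of the misleading word "matrix", e.g. `description: 'All deployment outputs as a single-line JSON object; read it through env:, never interpolate it into a script'`, and have consumers read it from an environment variable. The step id `deploy_step` referenced by `value:` is not visible in this hunk; if the step that prints `::set-output name=deploymentOutput` carries a different id, the expression silently resolves to an empty string rather than failing the job.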
@@ -129,11 +134,29 @@ runs:
           # Get deployment name
           Write-Output ('::set-output name={0}::{1}' -f 'deploymentName', $res.deploymentName)
 
+          $deploymentOutputHash=@{}
+
           # Populate further outputs
           foreach ($outputKey in $res.deploymentOutput.Keys) {
-            Write-Output ('::set-output name={0}::{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value)
+            Write-Output ('::set-output name={0}::{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value)
+            Write-Verbose ('Output key:{0}' -f $outputKey) -Verbose
+            Write-Verbose ('Output value:{0}' -f $res.deploymentOutput[$outputKey].Value) -Verbose
+
+            $deploymentOutputHash.add($outputKey,$res.deploymentOutput[$outputKey].Value)
+            # $deploymentOutputString+='"{0}":"{1}",' -f $outputKey, $res.deploymentOutput[$outputKey].Value
           }
 
+          $deploymentOutput = $deploymentOutputHash | ConvertTo-Json -Compress -Depth 100
+          Write-Verbose "Output deploymentOutput:$deploymentOutput" -Verbose
+          Write-Host "::set-output name=deploymentOutput::$deploymentOutput"
+          # Write-Verbose ('Output deploymentOutput:{0}' -f $deploymentOutput) -Verbose
+          # Write-Output ('::set-output name=deploymentOutput::{0}' -f $deploymentOutput)
+
+          # $deploymentOutputString = $deploymentOutputString.Substring(0,$deploymentOutputString.Length-1)
+          # Write-Verbose "Output deploymentOutputString:$deploymentOutputString" -Verbose
+          # # Write-Output ('::set-output name=deploymentOutput::{{0}}' -f $deploymentOutputString)
+          # Write-Output "::set-output name=deploymentOutput::$deploymentOutputString"
+
           if ($res.ContainsKey('exception')) {
             # Happens only if there is an exception
             throw $res.exception

From b8f808f86e5f2ae71c175c0a7cff1f51c93f1e41 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Tue, 11 Jan 2022 15:21:03 +0100
Subject: [PATCH 02/19] test output in pipeline same job

---
 .github/workflows/platform.dependencies.yml | 1679 ++++++++++---------
 1 file changed, 847 insertions(+), 832 deletions(-)
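Review bot: Every deployment output value is now printed in clear text to the job log by the added `Write-Verbose ('Output value:{0}' …) -Verbose` line and again by `Write-Verbose "Output deploymentOutput:$deploymentOutput" -Verbose`, on top of being exported per key and as JSON; if any module returns a sensitive output (an access key, connection string or SAS token) it lands unmasked in the log and in every downstream job's expression context. Log only the key names, e.g. `Write-Verbose ('Setting output [{0}]' -f $outputKey) -Verbose`, and emit `::add-mask::` for values known to be sensitive before any `::set-output`. The per-key `Write-Output ('::set-output name={0}::{1}' …)` line, kept on the new side, writes the raw value, so a value containing a newline truncates the command and lets the remainder be parsed as a further workflow command; the JSON path is safe from this only because `ConvertTo-Json` escapes newlines, and GitHub has since deprecated `::set-output` in favour of `$GITHUB_OUTPUT`, which handles multi-line values with a delimiter. The commented-out `$deploymentOutputString` experiments should be deleted rather than merged, and `Write-Host` versus `Write-Output` for the two `::set-output` emissions should be made consistent; the enclosing `run:` step starts outside the hunk.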
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index fdce96ce03..3bb899e606 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -30,562 +30,39 @@ env: DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: - job_deploy_rg: - runs-on: ubuntu-20.04 - name: 'Deploy resource group' - env: - namespace: 'Microsoft.Resources\resourceGroups' - strategy: - fail-fast: false - matrix: - parameterFilePaths: - ['artifacts.parameters.json', 'validation.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_msi: - runs-on: ubuntu-20.04 - name: 'Deploy user assigned identity' - env: - namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_pa: - runs-on: ubuntu-20.04 - name: 'Deploy policy assignment' - env: - namespace: 'Microsoft.Authorization\policyAssignments' - needs: - - job_deploy_rg - strategy: - 
fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_privateBicepRegistry: - runs-on: ubuntu-20.04 - name: 'Deploy private bicep registry' - env: - namespace: 'Microsoft.ContainerRegistry\registries' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupNameArtifacts }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_evh: - runs-on: ubuntu-20.04 - name: 'Deploy eventhub' - env: - namespace: 'Microsoft.EventHub\namespaces' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: 
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_law: - runs-on: ubuntu-20.04 - name: 'Deploy log analytics workspace' - env: - namespace: 'Microsoft.OperationalInsights\workspaces' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['appi.parameters.json', 'parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sa: - runs-on: ubuntu-20.04 - name: 'Deploy storage account' - env: - namespace: 'Microsoft.Storage\storageAccounts' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: - ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - 
resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_upload_storage_files: - runs-on: ubuntu-20.04 - name: 'Upload files to storage account' - needs: - - job_deploy_sa - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: Run PowerShell - uses: azure/powershell@v1 - with: - inlineScript: | - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # Get storage account name - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'parameters' 'parameters.json' - $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # Upload files to storage account - $functionInput = @{ - ResourceGroupName = '${{ env.resourceGroupName }}' - StorageAccountName = $storageAccountParameters.name.value - contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'uploads' - targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - } - - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - Export-ContentToBlob @functionInput -Verbose - azPSVersion: 'latest' - - job_deploy_sig: - runs-on: ubuntu-20.04 - name: 'Deploy shared image gallery and definition' - env: - namespace: 'Microsoft.Compute\galleries' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: 
./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_ag: - runs-on: ubuntu-20.04 - name: 'Deploy action groups' - env: - namespace: 'Microsoft.Insights\actionGroups' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_asg: - runs-on: ubuntu-20.04 - name: 'Deploy application security groups' - env: - namespace: 'Microsoft.Network\applicationSecurityGroups' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - 
resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_udr: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi route tables' - env: - namespace: 'Microsoft.Network\routeTables' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_udr: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi route tables' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.Network\routeTables' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlMi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_nsg: - 
runs-on: ubuntu-20.04 - name: 'Deploy network security groups' - env: - namespace: 'Microsoft.Network\networkSecurityGroups' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: - [ - 'apgw.parameters.json', - 'ase.parameters.json', - 'bastion.parameters.json', - 'parameters.json', - ] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_nsg: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi network security group' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.Network\networkSecurityGroups' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_pip: - runs-on: ubuntu-20.04 - name: 
'Deploy public IP addresses' - env: - namespace: 'Microsoft.Network\publicIPAddresses' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: - ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_appi: - runs-on: ubuntu-20.04 - name: 'Deploy application insight' - env: - namespace: 'Microsoft.Insights\components' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_aut: - runs-on: ubuntu-20.04 - name: 'Deploy automation account' - env: - namespace: 'Microsoft.Automation\automationAccounts' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - 
fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_avdhp: - runs-on: ubuntu-20.04 - name: 'Deploy AVD host pool' - env: - namespace: 'Microsoft.DesktopVirtualization\hostpools' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # job_deploy_rg: + # runs-on: ubuntu-20.04 + # name: 'Deploy resource group' + # env: + # namespace: 'Microsoft.Resources\resourceGroups' + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # ['artifacts.parameters.json', 'validation.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: 
./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' - job_deploy_rsv: + job_deploy_msi: runs-on: ubuntu-20.04 - name: 'Deploy recovery services vault' + name: 'Deploy user assigned identity' env: - namespace: 'Microsoft.RecoveryServices\vaults' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law + namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' + # needs: + # - job_deploy_rg strategy: fail-fast: false matrix: @@ -596,6 +73,7 @@ jobs: with: fetch-depth: 0 - name: 'Deploy module' + id: deploy-msi uses: ./.github/actions/templates/validateModuleDeployment with: templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' 
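Review bot: `job_deploy_msi` loses its `needs: - job_deploy_rg` edge (commented out together with the resource-group job itself), so the identity deployment now starts immediately and only succeeds if `${{ env.resourceGroupName }}` already exists in the target subscription; nothing in the new side creates it. If this is a temporary experiment, gate the parked jobs with `if: false` or a `workflow_dispatch` input instead of commenting out several hundred lines that still reference `secrets.AZURE_CREDENTIALS`, `secrets.ARM_SUBSCRIPTION_ID` and `secrets.ARM_MGMTGROUP_ID` — commented YAML is skipped by actionlint and workflow-permission scanners, so it tends to be resurrected unreviewed. The `id: deploy-msi` added in the following one-line hunk is the only functional change here; the workflow's `env:` block and the later jobs lie outside this hunk.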
@@ -605,170 +83,707 @@ jobs: subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_kv: - runs-on: ubuntu-20.04 - name: 'Deploy key vaults' - env: - namespace: 'Microsoft.KeyVault\vaults' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json', 'pe.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_kv_secrets: - runs-on: ubuntu-20.04 - name: 'Set key vault secrets keys and certificates' - needs: - - job_deploy_kv - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: Run PowerShell - uses: azure/powershell@v1 - with: - inlineScript: | - $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - $passwordString = (New-Guid).Guid.SubString(0,19) - $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - $keyVaultName = 'adp-sxx-az-kv-x-001' - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - $vpnSharedKey = ConvertTo-SecureString -String 
$vpnSharedKeyString -AsPlainText -Force - # VirtualMachines and VMSS - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password - # Azure SQLServer - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # VirtualNetworkGateway - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey - # DiskEncryptionSet, VirtualMachines and VMSS - az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey' - # ApplicationGateway - $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy - # API management - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password - azPSVersion: 'latest' - - job_deploy_sqlmi_kv: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi key vault' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.KeyVault\vaults' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - 
location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_kv_secrets: - runs-on: ubuntu-20.04 - name: 'Set sqlmi key vault secrets and keys' - if: github.event.inputs.deploySqlMiDependencies == 'true' - needs: - - job_deploy_sqlmi_kv - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: Run PowerShell + - name: Set principal ID output + id: deploy-msi-out uses: azure/powershell@v1 with: inlineScript: | - $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - $passwordString = (New-Guid).Guid.SubString(0,19) - $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # SQLManagedInstances secrets - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # SQLManagedInstances Keys - az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' + $deploymentOutput = '${{ steps.deploy-msi.outputs.deploymentOutput }}' + Write-Verbose $deploymentOutput -Verbose + $deploymentOutputConversion = ConvertFrom-Json $deploymentOutput + $msiPrincipalId = $deploymentOutputConversion.msiPrincipalId + Write-Verbose $msiPrincipalId -Verbose + Write-Output ('::set-output 
name=msiPrincipalId::{0}' -f $msiPrincipalId) azPSVersion: 'latest' - - job_deploy_avdag: - runs-on: ubuntu-20.04 - name: 'Deploy AVD application group' - env: - namespace: 'Microsoft.DesktopVirtualization\applicationgroups' - needs: - - job_deploy_avdhp - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + outputs: + msiPrincipalId: ${{ steps.deploy-msi-out.outputs.msiPrincipalId }} + + # job_deploy_pa: + # runs-on: ubuntu-20.04 + # name: 'Deploy policy assignment' + # env: + # namespace: 'Microsoft.Authorization\policyAssignments' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_privateBicepRegistry: 
+ # runs-on: ubuntu-20.04 + # name: 'Deploy private bicep registry' + # env: + # namespace: 'Microsoft.ContainerRegistry\registries' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupNameArtifacts }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_evh: + # runs-on: ubuntu-20.04 + # name: 'Deploy eventhub' + # env: + # namespace: 'Microsoft.EventHub\namespaces' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_law: + # runs-on: ubuntu-20.04 + # name: 'Deploy log analytics workspace' + # env: + # namespace: 'Microsoft.OperationalInsights\workspaces' + # needs: + # - job_deploy_rg + # strategy: + # 
fail-fast: false + # matrix: + # parameterFilePaths: ['appi.parameters.json', 'parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sa: + # runs-on: ubuntu-20.04 + # name: 'Deploy storage account' + # env: + # namespace: 'Microsoft.Storage\storageAccounts' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_upload_storage_files: + # runs-on: ubuntu-20.04 + # name: 'Upload files to storage account' + # needs: + # - job_deploy_sa + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: Azure Login + # uses: azure/login@v1 + # with: + # creds: ${{ 
secrets.AZURE_CREDENTIALS }} + # enable-AzPSSession: true + # - name: Run PowerShell + # uses: azure/powershell@v1 + # with: + # inlineScript: | + # # Load used functions + # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # # Get storage account name + # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'parameters' 'parameters.json' + # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # # Upload files to storage account + # $functionInput = @{ + # ResourceGroupName = '${{ env.resourceGroupName }}' + # StorageAccountName = $storageAccountParameters.name.value + # contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'uploads' + # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + # } + + # Write-Verbose "Invoke task with" -Verbose + # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + # Export-ContentToBlob @functionInput -Verbose + # azPSVersion: 'latest' + + # job_deploy_sig: + # runs-on: ubuntu-20.04 + # name: 'Deploy shared image gallery and definition' + # env: + # namespace: 'Microsoft.Compute\galleries' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: 
'${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_ag: + # runs-on: ubuntu-20.04 + # name: 'Deploy action groups' + # env: + # namespace: 'Microsoft.Insights\actionGroups' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_asg: + # runs-on: ubuntu-20.04 + # name: 'Deploy application security groups' + # env: + # namespace: 'Microsoft.Network\applicationSecurityGroups' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_udr: + # runs-on: ubuntu-20.04 + # name: 'Deploy sqlmi route tables' + # env: + 
# namespace: 'Microsoft.Network\routeTables' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sqlmi_udr: + # runs-on: ubuntu-20.04 + # name: 'Deploy sqlmi route tables' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # env: + # namespace: 'Microsoft.Network\routeTables' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['sqlMi.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_nsg: + # runs-on: ubuntu-20.04 + # name: 'Deploy network security groups' + # env: + # namespace: 'Microsoft.Network\networkSecurityGroups' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - 
job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # [ + # 'apgw.parameters.json', + # 'ase.parameters.json', + # 'bastion.parameters.json', + # 'parameters.json', + # ] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sqlmi_nsg: + # runs-on: ubuntu-20.04 + # name: 'Deploy sqlmi network security group' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # env: + # namespace: 'Microsoft.Network\networkSecurityGroups' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['sqlmi.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_pip: + # runs-on: ubuntu-20.04 + # name: 'Deploy public IP addresses' + # env: + # namespace: 
'Microsoft.Network\publicIPAddresses' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_appi: + # runs-on: ubuntu-20.04 + # name: 'Deploy application insight' + # env: + # namespace: 'Microsoft.Insights\components' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_aut: + # runs-on: ubuntu-20.04 + # name: 'Deploy automation account' + # env: + # namespace: 'Microsoft.Automation\automationAccounts' + # needs: + 
# - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_avdhp: + # runs-on: ubuntu-20.04 + # name: 'Deploy AVD host pool' + # env: + # namespace: 'Microsoft.DesktopVirtualization\hostpools' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_rsv: + # runs-on: ubuntu-20.04 + # name: 'Deploy recovery services vault' + # env: + # namespace: 'Microsoft.RecoveryServices\vaults' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # 
matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_kv: + # runs-on: ubuntu-20.04 + # name: 'Deploy key vaults' + # env: + # namespace: 'Microsoft.KeyVault\vaults' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json', 'pe.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_kv_secrets: + # runs-on: ubuntu-20.04 + # name: 'Set key vault secrets keys and certificates' + # needs: + # - job_deploy_kv + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: Azure Login + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_CREDENTIALS }} + # enable-AzPSSession: 
true + # - name: Run PowerShell + # uses: azure/powershell@v1 + # with: + # inlineScript: | + # $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + # $passwordString = (New-Guid).Guid.SubString(0,19) + # $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + # $keyVaultName = 'adp-sxx-az-kv-x-001' + # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # # VirtualMachines and VMSS + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password + # # Azure SQLServer + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # # VirtualNetworkGateway + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey + # # DiskEncryptionSet, VirtualMachines and VMSS + # az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey' + # # ApplicationGateway + # $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal + # Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy + # # API management + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password + # azPSVersion: 'latest' + + # job_deploy_sqlmi_kv: + # runs-on: ubuntu-20.04 + # name: 'Deploy 
sqlmi key vault' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # env: + # namespace: 'Microsoft.KeyVault\vaults' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['sqlmi.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sqlmi_kv_secrets: + # runs-on: ubuntu-20.04 + # name: 'Set sqlmi key vault secrets and keys' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # needs: + # - job_deploy_sqlmi_kv + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: Azure Login + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_CREDENTIALS }} + # enable-AzPSSession: true + # - name: Run PowerShell + # uses: azure/powershell@v1 + # with: + # inlineScript: | + # $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + # $passwordString = (New-Guid).Guid.SubString(0,19) + # $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + # $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' + # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText 
-Force + # # SQLManagedInstances secrets + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # # SQLManagedInstances Keys + # az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' + # azPSVersion: 'latest' + + # job_deploy_avdag: + # runs-on: ubuntu-20.04 + # name: 'Deploy AVD application group' + # env: + # namespace: 'Microsoft.DesktopVirtualization\applicationgroups' + # needs: + # - job_deploy_avdhp + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' job_deploy_rolea: runs-on: ubuntu-20.04 
@@ -797,122 +812,122 @@ jobs: managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - job_deploy_vnet: - runs-on: ubuntu-20.04 - name: 'Deploy virtual networks' - env: - namespace: 'Microsoft.Network\virtualNetworks' - needs: - - job_deploy_nsg - strategy: - fail-fast: false - matrix: - parameterFilePaths: - [ - '1.bastion.parameters.json', - '2.vnetpeer01.parameters.json', - '3.vnetpeer02.parameters.json', - '4.azfw.parameters.json', - '5.aks.parameters.json', - 'parameters.json', - ] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_vnet: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi virtual network' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.Network\virtualNetworks' - needs: - - job_deploy_sqlmi_udr - - job_deploy_sqlmi_nsg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['6.sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' 
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_dnszone: - runs-on: ubuntu-20.04 - name: 'Deploy private DNS zones' - env: - namespace: 'Microsoft.Network\privateDnsZones' - needs: - - job_deploy_vnet - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_vm: - runs-on: ubuntu-20.04 - name: 'Deploy virtual machines' - env: - namespace: 'Microsoft.Compute\virtualMachines' - needs: - - job_deploy_kv_secrets - - job_deploy_vnet - - job_deploy_rsv - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.resourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # job_deploy_vnet: + # runs-on: ubuntu-20.04 + # name: 'Deploy virtual networks' + # env: + # namespace: 'Microsoft.Network\virtualNetworks' 
+ # needs: + # - job_deploy_nsg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # [ + # '1.bastion.parameters.json', + # '2.vnetpeer01.parameters.json', + # '3.vnetpeer02.parameters.json', + # '4.azfw.parameters.json', + # '5.aks.parameters.json', + # 'parameters.json', + # ] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sqlmi_vnet: + # runs-on: ubuntu-20.04 + # name: 'Deploy sqlmi virtual network' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # env: + # namespace: 'Microsoft.Network\virtualNetworks' + # needs: + # - job_deploy_sqlmi_udr + # - job_deploy_sqlmi_nsg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['6.sqlmi.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_dnszone: + # runs-on: 
ubuntu-20.04 + # name: 'Deploy private DNS zones' + # env: + # namespace: 'Microsoft.Network\privateDnsZones' + # needs: + # - job_deploy_vnet + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_vm: + # runs-on: ubuntu-20.04 + # name: 'Deploy virtual machines' + # env: + # namespace: 'Microsoft.Compute\virtualMachines' + # needs: + # - job_deploy_kv_secrets + # - job_deploy_vnet + # - job_deploy_rsv + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.resourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' From 93e15f4990755f77a186fadb1d35d4009536d1c9 Mon Sep 17 00:00:00 2001 
From: Erika Gressi Date: Tue, 11 Jan 2022 15:54:05 +0100 Subject: [PATCH 03/19] get output in different job --- .github/workflows/platform.dependencies.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 3bb899e606..b495941761 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -801,6 +801,13 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 + - name: Get msi principal ID output + uses: azure/powershell@v1 + with: + inlineScript: | + $msiPrincipalId = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' + Write-Verbose $msiPrincipalId -Verbose + azPSVersion: 'latest' - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with: From f1dbdb80dae740cdea7a80ed43c64afcd877cd07 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Tue, 11 Jan 2022 18:46:33 +0100 Subject: [PATCH 04/19] action cleanup --- .../validateModuleDeployment/action.yml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml index 3c48fa45dd..f851559555 100644 --- a/.github/actions/templates/validateModuleDeployment/action.yml +++ b/.github/actions/templates/validateModuleDeployment/action.yml @@ -27,7 +27,7 @@ inputs: outputs: deploymentOutput: - description: 'Deployment output matrix' + description: 'Deployment output in json form' value: ${{ steps.deploy_step.outputs.deploymentOutput }} runs: 
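Review bot: The added step interpolates `${{ needs.job_deploy_msi.outputs.msiPrincipalId }}` directly into `inlineScript`, which is the expression-injection pattern in GitHub Actions: the expression is substituted into the PowerShell source text before it runs, so a single quote or newline in the value would alter the script. The value is presumably a principal ID from the deployment output, so the practical risk here looks low, but once patch 01 turns every deployment output into a job output this pattern will be copied for values that are not so well-formed; pass it through the environment instead — add `env: { MSI_PRINCIPAL_ID: ${{ needs.job_deploy_msi.outputs.msiPrincipalId }} }` to the step and read `$msiPrincipalId = $env:MSI_PRINCIPAL_ID`. Note also that `Write-Verbose $msiPrincipalId -Verbose` will, if I recall correctly, throw when the output is unset (an empty `-Message` is rejected), so the step would fail rather than log an empty value; `Write-Verbose "msiPrincipalId: $msiPrincipalId" -Verbose` avoids that. The job's `needs:` list is outside the hunk, so I cannot confirm that `job_deploy_msi` is declared there, which is required for `needs.*.outputs` to resolve.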
@@ -152,28 +152,17 @@ runs:
 # Get deployment name
 Write-Output ('::set-output name={0}::{1}' -f 'deploymentName', $res.deploymentName)
+ # Populate further outputs
 $deploymentOutputHash=@{}
- # Populate further outputs
 foreach ($outputKey in $res.deploymentOutput.Keys) {
 Write-Output ('::set-output name={0}::{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value)
- Write-Verbose ('Output key:{0}' -f $outputKey) -Verbose
- Write-Verbose ('Output value:{0}' -f $res.deploymentOutput[$outputKey].Value) -Verbose
-
 $deploymentOutputHash.add($outputKey,$res.deploymentOutput[$outputKey].Value)
- # $deploymentOutputString+='"{0}":"{1}",' -f $outputKey, $res.deploymentOutput[$outputKey].Value
 }
 $deploymentOutput = $deploymentOutputHash | ConvertTo-Json -Compress -Depth 100
- Write-Verbose "Output deploymentOutput:$deploymentOutput" -Verbose
- Write-Host "::set-output name=deploymentOutput::$deploymentOutput"
- # Write-Verbose ('Output deploymentOutput:{0}' -f $deploymentOutput) -Verbose
- # Write-Output ('::set-output name=deploymentOutput::{0}' -f $deploymentOutput)
-
- # $deploymentOutputString = $deploymentOutputString.Substring(0,$deploymentOutputString.Length-1)
- # Write-Verbose "Output deploymentOutputString:$deploymentOutputString" -Verbose
- # # Write-Output ('::set-output name=deploymentOutput::{{0}}' -f $deploymentOutputString)
- # Write-Output "::set-output name=deploymentOutput::$deploymentOutputString"
+ Write-Verbose "Deployment output: $deploymentOutput" -Verbose
+ Write-Output ('::set-output name={0}::{1}' -f 'deploymentOutput', $deploymentOutput')
 if ($res.ContainsKey('exception')) {
 # Happens only if there is an exception
From 15cf2d286485511d5be81a80a2c588b9a525ac31 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Tue, 11 Jan 2022 18:50:39 +0100
Subject: [PATCH 05/19] action cleanup quote
---
 .github/actions/templates/validateModuleDeployment/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
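Review bot: Every deployment output value now lands in the job log in clear, once per key through `::set-output` and again as the full JSON in the new `Write-Verbose "Deployment output: $deploymentOutput" -Verbose`, with nothing masked, so a module whose template returns a sensitive output (keys, connection strings) will have it persisted in the run log. Drop the verbose dump of the whole JSON, or emit `::add-mask::<value>` for outputs the template marks as sensitive before they are echoed. Separately, workflow-command values must have `%`, `\r` and `\n` encoded as `%25`, `%0D` and `%0A`; `ConvertTo-Json -Compress` keeps the JSON on one line but does not encode `%`, and the per-key `set-output` of `.Value` would be cut at the first newline if an output is multi-line, so a small escape helper applied to both would make the outputs reliable. The step's surrounding script starts and ends outside this hunk.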
diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml
index f851559555..dab647a0f8 100644
--- a/.github/actions/templates/validateModuleDeployment/action.yml
+++ b/.github/actions/templates/validateModuleDeployment/action.yml
@@ -162,7 +162,7 @@ runs:
 $deploymentOutput = $deploymentOutputHash | ConvertTo-Json -Compress -Depth 100
 Write-Verbose "Deployment output: $deploymentOutput" -Verbose
- Write-Output ('::set-output name={0}::{1}' -f 'deploymentOutput', $deploymentOutput')
+ Write-Output ('::set-output name={0}::{1}' -f 'deploymentOutput', $deploymentOutput)
 if ($res.ContainsKey('exception')) {
 # Happens only if there is an exception
From 98d1e78e364dcd689fce6b740b119c2abbe20979 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Tue, 11 Jan 2022 19:02:41 +0100
Subject: [PATCH 06/19] test hash
---
 .github/actions/templates/validateModuleDeployment/action.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml
index dab647a0f8..532bb5bf5b 100644
--- a/.github/actions/templates/validateModuleDeployment/action.yml
+++ b/.github/actions/templates/validateModuleDeployment/action.yml
@@ -155,6 +155,9 @@ runs:
 # Populate further outputs
 $deploymentOutputHash=@{}
+ $depOut = $res.deploymentOutput | ConvertTo-Json -Compress -Depth 100
+ Write-Verbose "Deployment output: $depOut" -Verbose
+
 foreach ($outputKey in $res.deploymentOutput.Keys) {
 Write-Output ('::set-output name={0}::{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value)
 $deploymentOutputHash.add($outputKey,$res.deploymentOutput[$outputKey].Value)
From 53c57c761ca246545f294594a5f7d0b506984bc3 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Tue, 11 Jan 2022 19:14:17 +0100
Subject: [PATCH 07/19] cleanup
---
 .../actions/templates/validateModuleDeployment/action.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml
index 532bb5bf5b..eecf48a092 100644
--- a/.github/actions/templates/validateModuleDeployment/action.yml
+++ b/.github/actions/templates/validateModuleDeployment/action.yml
@@ -152,12 +152,9 @@ runs:
 # Get deployment name
 Write-Output ('::set-output name={0}::{1}' -f 'deploymentName', $res.deploymentName)
- # Populate further outputs
+ # Populate action output
 $deploymentOutputHash=@{}
- $depOut = $res.deploymentOutput | ConvertTo-Json -Compress -Depth 100
- Write-Verbose "Deployment output: $depOut" -Verbose
-
 foreach ($outputKey in $res.deploymentOutput.Keys) {
 Write-Output ('::set-output name={0}::{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value)
 $deploymentOutputHash.add($outputKey,$res.deploymentOutput[$outputKey].Value)
From ff648cf5dfdc6a22c46e7e206d9e8aa44d860d2c Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Tue, 11 Jan 2022 19:22:04 +0100
Subject: [PATCH 08/19] dependency back
---
 .github/workflows/platform.dependencies.yml | 1686 +++++++++----------
 1 file changed, 832 insertions(+), 854 deletions(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index b495941761..fdce96ce03 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -30,39 +30,562 @@ env: DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: - # job_deploy_rg: - # runs-on: ubuntu-20.04 - # name: 'Deploy resource group' - # env: - # namespace: 'Microsoft.Resources\resourceGroups' - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # ['artifacts.parameters.json', 'validation.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_rg: + runs-on: ubuntu-20.04 + name: 'Deploy resource group' + env: + namespace: 'Microsoft.Resources\resourceGroups' + strategy: + fail-fast: false + matrix: + parameterFilePaths: + ['artifacts.parameters.json', 'validation.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_msi: + runs-on: ubuntu-20.04 + name: 'Deploy user assigned identity' + env: + namespace: 
'Microsoft.ManagedIdentity\userAssignedIdentities' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_pa: + runs-on: ubuntu-20.04 + name: 'Deploy policy assignment' + env: + namespace: 'Microsoft.Authorization\policyAssignments' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_privateBicepRegistry: + runs-on: ubuntu-20.04 + name: 'Deploy private bicep registry' + env: + namespace: 'Microsoft.ContainerRegistry\registries' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + 
fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupNameArtifacts }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_evh: + runs-on: ubuntu-20.04 + name: 'Deploy eventhub' + env: + namespace: 'Microsoft.EventHub\namespaces' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_law: + runs-on: ubuntu-20.04 + name: 'Deploy log analytics workspace' + env: + namespace: 'Microsoft.OperationalInsights\workspaces' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['appi.parameters.json', 'parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ 
matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_sa: + runs-on: ubuntu-20.04 + name: 'Deploy storage account' + env: + namespace: 'Microsoft.Storage\storageAccounts' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: + ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_upload_storage_files: + runs-on: ubuntu-20.04 + name: 'Upload files to storage account' + needs: + - job_deploy_sa + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + enable-AzPSSession: true + - name: Run PowerShell + uses: azure/powershell@v1 + with: + inlineScript: | + # Load used functions + . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # Get storage account name + $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'parameters' 'parameters.json' + $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # Upload files to storage account + $functionInput = @{ + ResourceGroupName = '${{ env.resourceGroupName }}' + StorageAccountName = $storageAccountParameters.name.value + contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'uploads' + targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + } + + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + Export-ContentToBlob @functionInput -Verbose + azPSVersion: 'latest' + + job_deploy_sig: + runs-on: ubuntu-20.04 + name: 'Deploy shared image gallery and definition' + env: + namespace: 'Microsoft.Compute\galleries' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_ag: + runs-on: ubuntu-20.04 + name: 'Deploy action groups' + env: + namespace: 'Microsoft.Insights\actionGroups' + needs: + - job_deploy_rg + strategy: + 
fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_asg: + runs-on: ubuntu-20.04 + name: 'Deploy application security groups' + env: + namespace: 'Microsoft.Network\applicationSecurityGroups' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_udr: + runs-on: ubuntu-20.04 + name: 'Deploy sqlmi route tables' + env: + namespace: 'Microsoft.Network\routeTables' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ 
env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_sqlmi_udr: + runs-on: ubuntu-20.04 + name: 'Deploy sqlmi route tables' + if: github.event.inputs.deploySqlMiDependencies == 'true' + env: + namespace: 'Microsoft.Network\routeTables' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['sqlMi.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_nsg: + runs-on: ubuntu-20.04 + name: 'Deploy network security groups' + env: + namespace: 'Microsoft.Network\networkSecurityGroups' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: + [ + 'apgw.parameters.json', + 'ase.parameters.json', + 'bastion.parameters.json', + 'parameters.json', + ] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ 
env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_sqlmi_nsg: + runs-on: ubuntu-20.04 + name: 'Deploy sqlmi network security group' + if: github.event.inputs.deploySqlMiDependencies == 'true' + env: + namespace: 'Microsoft.Network\networkSecurityGroups' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['sqlmi.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_pip: + runs-on: ubuntu-20.04 + name: 'Deploy public IP addresses' + env: + namespace: 'Microsoft.Network\publicIPAddresses' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: + ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ 
env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' - job_deploy_msi: + job_deploy_appi: runs-on: ubuntu-20.04 - name: 'Deploy user assigned identity' + name: 'Deploy application insight' env: - namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' - # needs: - # - job_deploy_rg + namespace: 'Microsoft.Insights\components' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_aut: + runs-on: ubuntu-20.04 + name: 'Deploy automation account' + env: + namespace: 'Microsoft.Automation\automationAccounts' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ 
env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_avdhp: + runs-on: ubuntu-20.04 + name: 'Deploy AVD host pool' + env: + namespace: 'Microsoft.DesktopVirtualization\hostpools' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_rsv: + runs-on: ubuntu-20.04 + name: 'Deploy recovery services vault' + env: + namespace: 'Microsoft.RecoveryServices\vaults' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law strategy: fail-fast: false matrix: @@ -73,7 +596,6 @@ jobs: with: fetch-depth: 0 - name: 'Deploy module' - id: deploy-msi uses: ./.github/actions/templates/validateModuleDeployment with: templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' 
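Review bot: All of the restored jobs pull third-party actions by mutable tag — `uses: actions/checkout@v2` in every job, plus `azure/login@v1` and `azure/powershell@v1` in job_upload_storage_files — so whoever controls those tags controls code that runs with `secrets.AZURE_CREDENTIALS`, `ARM_SUBSCRIPTION_ID` and `ARM_MGMTGROUP_ID` in scope. Pin each reference to the full commit SHA of the release and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v2`, and let a dependency bot bump them. `azure/login` is fed a long-lived service-principal secret through `creds:`; if the action version in use supports federated (OIDC) login, that removes the stored secret entirely and is worth confirming. In the same job the inline script embeds `'${{ env.dependencyPath }}'` and `'${{ env.resourceGroupName }}'` as PowerShell literals; these appear to be workflow-defined values so the risk is low, but `$env:dependencyPath` and `$env:resourceGroupName` read the same values without splicing expressions into script source. The `env:` block those values come from starts before this hunk.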
@@ -83,707 +605,170 @@ jobs: subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - - name: Set principal ID output - id: deploy-msi-out + + job_deploy_kv: + runs-on: ubuntu-20.04 + name: 'Deploy key vaults' + env: + namespace: 'Microsoft.KeyVault\vaults' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json', 'pe.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_kv_secrets: + runs-on: ubuntu-20.04 + name: 'Set key vault secrets keys and certificates' + needs: + - job_deploy_kv + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + enable-AzPSSession: true + - name: Run PowerShell + uses: azure/powershell@v1 + with: + inlineScript: | + $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + $passwordString = (New-Guid).Guid.SubString(0,19) + $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + $keyVaultName = 'adp-sxx-az-kv-x-001' + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + 
$vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # VirtualMachines and VMSS + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password + # Azure SQLServer + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # VirtualNetworkGateway + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey + # DiskEncryptionSet, VirtualMachines and VMSS + az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey' + # ApplicationGateway + $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal + Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy + # API management + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password + azPSVersion: 'latest' + + job_deploy_sqlmi_kv: + runs-on: ubuntu-20.04 + name: 'Deploy sqlmi key vault' + if: github.event.inputs.deploySqlMiDependencies == 'true' + env: + namespace: 'Microsoft.KeyVault\vaults' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['sqlmi.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace 
}}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_sqlmi_kv_secrets: + runs-on: ubuntu-20.04 + name: 'Set sqlmi key vault secrets and keys' + if: github.event.inputs.deploySqlMiDependencies == 'true' + needs: + - job_deploy_sqlmi_kv + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + enable-AzPSSession: true + - name: Run PowerShell uses: azure/powershell@v1 with: inlineScript: | - $deploymentOutput = '${{ steps.deploy-msi.outputs.deploymentOutput }}' - Write-Verbose $deploymentOutput -Verbose - $deploymentOutputConversion = ConvertFrom-Json $deploymentOutput - $msiPrincipalId = $deploymentOutputConversion.msiPrincipalId - Write-Verbose $msiPrincipalId -Verbose - Write-Output ('::set-output name=msiPrincipalId::{0}' -f $msiPrincipalId) + $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length + $passwordString = (New-Guid).Guid.SubString(0,19) + $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) + $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + # SQLManagedInstances secrets + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username + Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password + # SQLManagedInstances Keys + az keyvault key create --vault-name $keyVaultName --name 
'keyEncryptionKeySqlMi' azPSVersion: 'latest' - outputs: - msiPrincipalId: ${{ steps.deploy-msi-out.outputs.msiPrincipalId }} - - # job_deploy_pa: - # runs-on: ubuntu-20.04 - # name: 'Deploy policy assignment' - # env: - # namespace: 'Microsoft.Authorization\policyAssignments' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_privateBicepRegistry: - # runs-on: ubuntu-20.04 - # name: 'Deploy private bicep registry' - # env: - # namespace: 'Microsoft.ContainerRegistry\registries' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupNameArtifacts }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment 
}}' - - # job_deploy_evh: - # runs-on: ubuntu-20.04 - # name: 'Deploy eventhub' - # env: - # namespace: 'Microsoft.EventHub\namespaces' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_law: - # runs-on: ubuntu-20.04 - # name: 'Deploy log analytics workspace' - # env: - # namespace: 'Microsoft.OperationalInsights\workspaces' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['appi.parameters.json', 'parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sa: - # runs-on: ubuntu-20.04 - # name: 'Deploy storage account' - # env: - # namespace: 'Microsoft.Storage\storageAccounts' - # needs: - # - 
job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_upload_storage_files: - # runs-on: ubuntu-20.04 - # name: 'Upload files to storage account' - # needs: - # - job_deploy_sa - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: Azure Login - # uses: azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - # enable-AzPSSession: true - # - name: Run PowerShell - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # # Load used functions - # . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # # Get storage account name - # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'parameters' 'parameters.json' - # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # # Upload files to storage account - # $functionInput = @{ - # ResourceGroupName = '${{ env.resourceGroupName }}' - # StorageAccountName = $storageAccountParameters.name.value - # contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' 'Microsoft.Storage/storageAccounts' 'uploads' - # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - # } - - # Write-Verbose "Invoke task with" -Verbose - # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - # Export-ContentToBlob @functionInput -Verbose - # azPSVersion: 'latest' - - # job_deploy_sig: - # runs-on: ubuntu-20.04 - # name: 'Deploy shared image gallery and definition' - # env: - # namespace: 'Microsoft.Compute\galleries' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_ag: - # runs-on: ubuntu-20.04 - # name: 'Deploy action groups' - # env: - 
# namespace: 'Microsoft.Insights\actionGroups' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_asg: - # runs-on: ubuntu-20.04 - # name: 'Deploy application security groups' - # env: - # namespace: 'Microsoft.Network\applicationSecurityGroups' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_udr: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi route tables' - # env: - # namespace: 'Microsoft.Network\routeTables' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # 
steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sqlmi_udr: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi route tables' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.Network\routeTables' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['sqlMi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_nsg: - # runs-on: ubuntu-20.04 - # name: 'Deploy network security groups' - # env: - # namespace: 'Microsoft.Network\networkSecurityGroups' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # [ - # 'apgw.parameters.json', - # 'ase.parameters.json', - # 'bastion.parameters.json', - 
# 'parameters.json', - # ] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sqlmi_nsg: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi network security group' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.Network\networkSecurityGroups' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['sqlmi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_pip: - # runs-on: ubuntu-20.04 - # name: 'Deploy public IP addresses' - # env: - # namespace: 'Microsoft.Network\publicIPAddresses' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # 
['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_appi: - # runs-on: ubuntu-20.04 - # name: 'Deploy application insight' - # env: - # namespace: 'Microsoft.Insights\components' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_aut: - # runs-on: ubuntu-20.04 - # name: 'Deploy automation account' - # env: - # namespace: 'Microsoft.Automation\automationAccounts' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - 
# uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_avdhp: - # runs-on: ubuntu-20.04 - # name: 'Deploy AVD host pool' - # env: - # namespace: 'Microsoft.DesktopVirtualization\hostpools' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_rsv: - # runs-on: ubuntu-20.04 - # name: 'Deploy recovery services vault' - # env: - # namespace: 'Microsoft.RecoveryServices\vaults' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: 
./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_kv: - # runs-on: ubuntu-20.04 - # name: 'Deploy key vaults' - # env: - # namespace: 'Microsoft.KeyVault\vaults' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json', 'pe.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_kv_secrets: - # runs-on: ubuntu-20.04 - # name: 'Set key vault secrets keys and certificates' - # needs: - # - job_deploy_kv - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: Azure Login - # uses: azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - # enable-AzPSSession: true - # - name: Run PowerShell - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % 
{[char]$_ + "$_"})).substring(0,19) # max length - # $passwordString = (New-Guid).Guid.SubString(0,19) - # $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - # $keyVaultName = 'adp-sxx-az-kv-x-001' - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # # VirtualMachines and VMSS - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminUsername' -SecretValue $username - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'adminPassword' -SecretValue $password - # # Azure SQLServer - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # # VirtualNetworkGateway - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'vpnSharedKey' -SecretValue $vpnSharedKey - # # DiskEncryptionSet, VirtualMachines and VMSS - # az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKey' - # # ApplicationGateway - # $apgwCertPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - # Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name 'applicationGatewaySslCertificate' -CertificatePolicy $apgwCertPolicy - # # API management - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientid' -SecretValue $username - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'apimclientsecret' -SecretValue $password - # azPSVersion: 'latest' - - # job_deploy_sqlmi_kv: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi key vault' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.KeyVault\vaults' - # needs: - # - job_deploy_sa - # - 
job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['sqlmi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sqlmi_kv_secrets: - # runs-on: ubuntu-20.04 - # name: 'Set sqlmi key vault secrets and keys' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # needs: - # - job_deploy_sqlmi_kv - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: Azure Login - # uses: azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - # enable-AzPSSession: true - # - name: Run PowerShell - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # $usernameString = (-join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | % {[char]$_ + "$_"})).substring(0,19) # max length - # $passwordString = (New-Guid).Guid.SubString(0,19) - # $vpnSharedKeyString = (New-Guid).Guid.SubString(0,32) - # $keyVaultName = 'adp-sxx-az-kv-x-sqlmi' - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - # # SQLManagedInstances secrets - # Set-AzKeyVaultSecret -VaultName $keyVaultName -Name 'administratorLogin' -SecretValue $username - # Set-AzKeyVaultSecret 
-VaultName $keyVaultName -Name 'administratorLoginPassword' -SecretValue $password - # # SQLManagedInstances Keys - # az keyvault key create --vault-name $keyVaultName --name 'keyEncryptionKeySqlMi' - # azPSVersion: 'latest' - - # job_deploy_avdag: - # runs-on: ubuntu-20.04 - # name: 'Deploy AVD application group' - # env: - # namespace: 'Microsoft.DesktopVirtualization\applicationgroups' - # needs: - # - job_deploy_avdhp - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_avdag: + runs-on: ubuntu-20.04 + name: 'Deploy AVD application group' + env: + namespace: 'Microsoft.DesktopVirtualization\applicationgroups' + needs: + - job_deploy_avdhp + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: 
'${{ env.removeDeployment }}' job_deploy_rolea: runs-on: ubuntu-20.04 @@ -801,13 +786,6 @@ jobs: uses: actions/checkout@v2 with: fetch-depth: 0 - - name: Get msi principal ID output - uses: azure/powershell@v1 - with: - inlineScript: | - $msiPrincipalId = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' - Write-Verbose $msiPrincipalId -Verbose - azPSVersion: 'latest' - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with: 
@@ -819,122 +797,122 @@ jobs: managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - # job_deploy_vnet: - # runs-on: ubuntu-20.04 - # name: 'Deploy virtual networks' - # env: - # namespace: 'Microsoft.Network\virtualNetworks' - # needs: - # - job_deploy_nsg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # [ - # '1.bastion.parameters.json', - # '2.vnetpeer01.parameters.json', - # '3.vnetpeer02.parameters.json', - # '4.azfw.parameters.json', - # '5.aks.parameters.json', - # 'parameters.json', - # ] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sqlmi_vnet: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi virtual network' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.Network\virtualNetworks' - # needs: - # - job_deploy_sqlmi_udr - # - job_deploy_sqlmi_nsg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['6.sqlmi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ 
env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_dnszone: - # runs-on: ubuntu-20.04 - # name: 'Deploy private DNS zones' - # env: - # namespace: 'Microsoft.Network\privateDnsZones' - # needs: - # - job_deploy_vnet - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_vm: - # runs-on: ubuntu-20.04 - # name: 'Deploy virtual machines' - # env: - # namespace: 'Microsoft.Compute\virtualMachines' - # needs: - # - job_deploy_kv_secrets - # - job_deploy_vnet - # - job_deploy_rsv - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.resourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # 
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_vnet: + runs-on: ubuntu-20.04 + name: 'Deploy virtual networks' + env: + namespace: 'Microsoft.Network\virtualNetworks' + needs: + - job_deploy_nsg + strategy: + fail-fast: false + matrix: + parameterFilePaths: + [ + '1.bastion.parameters.json', + '2.vnetpeer01.parameters.json', + '3.vnetpeer02.parameters.json', + '4.azfw.parameters.json', + '5.aks.parameters.json', + 'parameters.json', + ] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_sqlmi_vnet: + runs-on: ubuntu-20.04 + name: 'Deploy sqlmi virtual network' + if: github.event.inputs.deploySqlMiDependencies == 'true' + env: + namespace: 'Microsoft.Network\virtualNetworks' + needs: + - job_deploy_sqlmi_udr + - job_deploy_sqlmi_nsg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['6.sqlmi.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ 
secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_dnszone: + runs-on: ubuntu-20.04 + name: 'Deploy private DNS zones' + env: + namespace: 'Microsoft.Network\privateDnsZones' + needs: + - job_deploy_vnet + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_vm: + runs-on: ubuntu-20.04 + name: 'Deploy virtual machines' + env: + namespace: 'Microsoft.Compute\virtualMachines' + needs: + - job_deploy_kv_secrets + - job_deploy_vnet + - job_deploy_rsv + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' From f3efde332b7759902e9a482380a7d89074834392 Mon Sep 17 00:00:00 2001 
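Review bot: The four re-enabled jobs in this hunk (`job_deploy_vnet`, `job_deploy_sqlmi_vnet`, `job_deploy_dnszone`, `job_deploy_vm`) check out with `uses: actions/checkout@v2`, a mutable tag, so whatever the tag points to at run time executes inside a job that also passes `secrets.ARM_SUBSCRIPTION_ID` and `secrets.ARM_MGMTGROUP_ID` to the deploy step. Pinning the action to a full commit SHA with the version kept in a trailing comment, `uses: actions/checkout@<full-commit-sha>  # v2`, removes that moving part and Dependabot can still track it. The same applies to every checkout and `azure/login@v1` step in the earlier hunks of this file; a short comment above the first pinned step, `# Third-party actions are pinned to a commit SHA; bump the SHA and the version comment together.`, makes the convention discoverable. `fetch-depth: 0` fetches full history in all four jobs; if the deploy step only needs the working tree, the default shallow clone is enough.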
From: Erika Gressi
Date: Tue, 11 Jan 2022 19:37:04 +0100
Subject: [PATCH 09/19] output description
---
 .github/actions/templates/validateModuleDeployment/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml
index eecf48a092..01519b4160 100644
--- a/.github/actions/templates/validateModuleDeployment/action.yml
+++ b/.github/actions/templates/validateModuleDeployment/action.yml
@@ -27,7 +27,7 @@ inputs:
 outputs:
 deploymentOutput:
- description: 'Deployment output in json form'
+ description: 'Deployment output in json format'
 value: ${{ steps.deploy_step.outputs.deploymentOutput }}
 runs:
From 4593400a57c34b0c9574f0113995eba1a8d48fb1 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Tue, 11 Jan 2022 19:38:06 +0100
Subject: [PATCH 10/19] output description
---
 .github/actions/templates/validateModuleDeployment/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml
index 01519b4160..aaee78a36e 100644
--- a/.github/actions/templates/validateModuleDeployment/action.yml
+++ b/.github/actions/templates/validateModuleDeployment/action.yml
@@ -27,7 +27,7 @@ inputs:
 outputs:
 deploymentOutput:
- description: 'Deployment output in json format'
+ description: 'Module deployment output in json format'
 value: ${{ steps.deploy_step.outputs.deploymentOutput }}
 runs:
From 8a47cb47a67c23f58942bffc586085e86e841bb0 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Tue, 11 Jan 2022 19:38:31 +0100
Subject: [PATCH 11/19] output description up
---
 .github/actions/templates/validateModuleDeployment/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml
index aaee78a36e..f05fe89c08 100644
--- a/.github/actions/templates/validateModuleDeployment/action.yml
+++ b/.github/actions/templates/validateModuleDeployment/action.yml
@@ -27,7 +27,7 @@ inputs:
 outputs:
 deploymentOutput:
- description: 'Module deployment output in json format'
+ description: 'The module deployment output in json format'
 value: ${{ steps.deploy_step.outputs.deploymentOutput }}
 runs:
From acf296c110f7e3e45e3ba8c16f9b43c50445ce0f Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Wed, 12 Jan 2022 13:23:17 +0100
Subject: [PATCH 12/19] deploymentOutput ADO
---
 .../pipelineTemplates/module.jobs.deploy.yml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
index 5e517b415c..ad83e67318 100644
--- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
@@ -272,11 +272,23 @@ jobs: # Get deployment name Write-Host ('##vso[task.setvariable variable=deploymentName]{0}' -f $res.deploymentName) - # Populate further outputs + # # Populate further outputs + # foreach ($outputKey in $res.deploymentOutput.Keys) { + # Write-Output ('##vso[task.setvariable variable={0}]{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value) + # } + + # Populate pipeline output + $deploymentOutputHash=@{} + foreach ($outputKey in $res.deploymentOutput.Keys) { - Write-Output ('##vso[task.setvariable variable={0}]{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value) + Write-Output ('##vso[task.setvariable variable={0}]{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value) + $deploymentOutputHash.add($outputKey,$res.deploymentOutput[$outputKey].Value) } + $deploymentOutput = $deploymentOutputHash | ConvertTo-Json -Compress -Depth 100 + Write-Verbose "Deployment output: $deploymentOutput" -Verbose + Write-Output ('##vso[task.setvariable variable={0}]{1}' -f 'deploymentOutput', $deploymentOutput) + if ($res.ContainsKey('exception')) { # Happens only if there is an exception throw $res.exception From 031e217233fc467a7b63881006d98a89fb47c499 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Wed, 12 Jan 2022 20:19:23 +0100 Subject: [PATCH 13/19] test ADO deploy output --- .../pipelineTemplates/module.jobs.deploy.yml | 3 +- .../platform.dependencies.yml | 1194 +++++++++-------- 2 files changed, 606 insertions(+), 591 deletions(-) diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml index ad83e67318..abfe94910a 100644 --- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml +++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml 
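Review bot: The added `Write-Verbose "Deployment output: $deploymentOutput" -Verbose` prints every deployment output value into the pipeline log, and the following `##vso[task.setvariable variable=deploymentOutput]` line stores the same JSON as a plain variable; if a module ever emits a sensitive output (a key, connection string or token), both paths disclose it in the run log and to every later step, without the masking that `issecret=true` or a deny-list of output names would give. A minimal guard is to log only the keys, e.g. `Write-Verbose ('Deployment output keys: {0}' -f ($deploymentOutputHash.Keys -join ', ')) -Verbose`, and to state at the `# Populate pipeline output` comment that module outputs are expected to be non-secret. The old loop kept as the `# # Populate further outputs` comment block duplicates code that is still live a few lines below and should be deleted rather than commented out. The enclosing inline script starts and ends outside this hunk.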
@@ -231,6 +231,7 @@ jobs: #--------------------- - task: AzurePowerShell@5 displayName: 'Deploy [${{ deploymentBlock.path }}] via connection [${{ parameters.serviceConnection }}]' + name: DeployModule inputs: azureSubscription: ${{ parameters.serviceConnection }} azurePowerShellVersion: ${{ parameters.azurePowerShellVersion }} @@ -287,7 +288,7 @@ jobs: $deploymentOutput = $deploymentOutputHash | ConvertTo-Json -Compress -Depth 100 Write-Verbose "Deployment output: $deploymentOutput" -Verbose - Write-Output ('##vso[task.setvariable variable={0}]{1}' -f 'deploymentOutput', $deploymentOutput) + Write-Output ('##vso[task.setvariable variable={0};isOutput=true]{1}' -f 'deploymentOutput', $deploymentOutput) if ($res.ContainsKey('exception')) { # Happens only if there is an exception diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 9abe3c0aea..f4bb67097c 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
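Review bot: Appending `;isOutput=true` changes how the variable is addressed: inside the same job it is no longer `$(deploymentOutput)` but `$(DeployModule.deploymentOutput)`, and from other jobs or stages it must be read through the `DeployModule` step name added in the first hunk, so any step in this template or a consuming pipeline that still reads `$(deploymentOutput)` would now get an empty value. A comment on the changed line would save the next reader that lookup, e.g. `# isOutput=true: read as $(DeployModule.deploymentOutput) in this job, dependencies.<job>.outputs['DeployModule.deploymentOutput'] elsewhere`. `name: DeployModule` is a fixed step name inside a template driven by `deploymentBlock`; that is only valid if the template emits one deploy task per job, since a duplicate step name in one job fails at pipeline compile time — I cannot tell from the hunk which it is. The enclosing task and script definitions start and end outside both hunks.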
@@ -30,23 +30,23 @@ variables: value: 'validation-rg' stages: - - stage: deploy_rg - displayName: Deploy resource group - variables: - resourceType: 'Microsoft.Resources/resourceGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json - templateFilePath: $(templateFilePath) - displayName: Validation Resource Group + # - stage: deploy_rg + # displayName: Deploy resource group + # variables: + # resourceType: 'Microsoft.Resources/resourceGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Validation Resource Group - stage: deploy_msi displayName: Deploy user assigned identity - dependsOn: - - deploy_rg + # dependsOn: + # - deploy_rg variables: resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep 
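Review bot: Commenting out `dependsOn: - deploy_rg` on `deploy_msi` removes the ordering that ensured the validation resource group stage had completed before the identity is deployed, and with the `deploy_rg` stage itself commented out the MSI deployment presumably relies on a resource group that nothing in this pipeline now creates. If this is intentional test scaffolding, as the commit title suggests, a `# TODO: restore deploy_rg stage and the deploy_msi dependsOn before merge` marker at the top of the commented block would make that explicit; otherwise the stage and its dependency should be deleted or restored together rather than left as commented-out YAML.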
@@ -57,581 +57,595 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: User Assigned Identity + jobName: default_msi_job - - stage: deploy_pa - displayName: Deploy policy assignment - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.Authorization/policyAssignments' - templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Policy assignment - - - stage: deploy_evh - displayName: Deploy event hub - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.EventHub/namespaces' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: EventHub - - - stage: deploy_law - displayName: Deploy log analytics workspace - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.OperationalInsights/workspaces' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default LAW - - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json - templateFilePath: $(templateFilePath) - displayName: AppInsights LAW - - - stage: deploy_sa - displayName: Deploy storage account - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.Storage/storageAccounts' - templateFilePath: 
$(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default storage account - jobName: default_sa - - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json - templateFilePath: $(templateFilePath) - displayName: LAW storage account - - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json - templateFilePath: $(templateFilePath) - displayName: FunctionApp storage account - - job: - displayName: Upload files to storage account - dependsOn: - - default_sa - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: PowerShell@2 - displayName: 'Setup agent' - inputs: - targetType: inline - pwsh: true - script: | - # Load used functions - . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.Storage' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - task: AzurePowerShell@5 - displayName: Upload files to storage account - inputs: - azureSubscription: $(serviceConnection) - ScriptType: 'InlineScript' - Inline: | - # Load used functions - . 
(Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # Get storage account name - $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' - $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # Upload files to storage account - $functionInput = @{ - ResourceGroupName = '$(defaultResourceGroupName)' - StorageAccountName = $storageAccountParameters.name.value - contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' - targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - } - - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - Export-ContentToBlob @functionInput -Verbose - azurePowerShellVersion: 'LatestVersion' - pwsh: true - - - stage: deploy_sig - displayName: Deploy shared image gallery and definition - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.Compute/galleries' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default SIG and SID - - - stage: deploy_ag - displayName: Deploy action groups - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.Insights/actionGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Action Group - - - stage: deploy_asg - displayName: Deploy application security groups - 
dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.Network/applicationSecurityGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Security Groups - - - stage: deploy_udr - displayName: Deploy route tables - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.Network/routeTables' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default User Defined Routes - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI User Defined Routes - - - stage: deploy_nsg - displayName: Deploy network security groups - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.Network/networkSecurityGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default NSG - - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - templateFilePath: $(templateFilePath) - displayName: App Gateway NSG - - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json - templateFilePath: $(templateFilePath) - displayName: ASE NSG - - path: 
$(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion NSG - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI NSG - - - stage: deploy_pip - displayName: Deploy public IP addresses - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.Network\publicIPAddresses' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - templateFilePath: $(templateFilePath) - displayName: App Gateway Public IP - - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Public IP - - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json - templateFilePath: $(templateFilePath) - displayName: Load balancer Public IP - - - stage: deploy_appi - displayName: Deploy application insight - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.Insights/components' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Insights - - - stage: deploy_aut - displayName: Deploy automation account - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.Automation/automationAccounts' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Automation Account - - - stage: deploy_avdhp - displayName: Deploy AVD host pool - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.DesktopVirtualization/hostpools' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default AVD Host Pool - - - stage: deploy_rsv - displayName: Deploy recovery services vault - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.RecoveryServices/vaults' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default recovery services vault - - - stage: deploy_kv - displayName: Deploy key vaults - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.KeyVault/vaults' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Key Vault - jobName: default_kv - - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json - templateFilePath: $(templateFilePath) - displayName: Private Endpoint Key Vault - - ${{ if eq( parameters.deploySqlMiDependencies, 
true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI key vault - jobName: sqlmi_kv - - job: - displayName: Set key vault secrets keys and certificates - dependsOn: - - default_kv - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: PowerShell@2 - displayName: 'Setup agent' - inputs: - targetType: inline - pwsh: true - script: | - # Load used functions - . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.KeyVault' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - task: AzurePowerShell@5 - displayName: Set key vault secrets keys and certificates - inputs: - azureSubscription: $(serviceConnection) - ScriptType: 'InlineScript' - Inline: | - # Get key vault name - $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' - $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - $keyVaultName = $keyVaultParameters.name.value - - # Generate values - $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $passwordString = (New-Guid).Guid.SubString(0, 19) - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) - $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - - # Set secrets - # ------- - @( - @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS - @{ name = 'adminPassword'; 
secretValue = $password } # VirtualMachines and VMSS - @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer - @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer - @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway - @{ name = 'apimClientId'; secretValue = $username } # API management - @{ name = 'apimClientSecret'; secretValue = $password } # API management - ) | ForEach-Object { - $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Certificats - # ----------- - $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - @( - @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway - ) | ForEach-Object { - $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy - Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set keys - # ---- - @( - @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS - ) | ForEach-Object { - $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - azurePowerShellVersion: 'LatestVersion' - pwsh: true - - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - job: - displayName: Set sqlmi key vault secrets and keys - condition: eq(${{ parameters.deploySqlMiDependencies }}, true) - dependsOn: - - sqlmi_kv - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: 
PowerShell@2 - displayName: 'Setup agent' - inputs: - targetType: inline - pwsh: true - script: | - # Load used functions - . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.KeyVault' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - task: AzurePowerShell@5 - displayName: Set sqlmi key vault secrets and keys - inputs: - azureSubscription: $(serviceConnection) - ScriptType: 'InlineScript' - Inline: | - # Get key vault name - $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'sqlmi.parameters.json' - $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - $keyVaultName = $keyVaultParameters.name.value - - # Generate values - $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $passwordString = (New-Guid).Guid.SubString(0, 19) - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - - # Set secrets - # ------- - @( - @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances - @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances - ) | ForEach-Object { - $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set keys - # ---- - @( - @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances - ) | ForEach-Object { - $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, 
$keyVaultName) -Verbose - } - azurePowerShellVersion: 'LatestVersion' - pwsh: true - - - stage: deploy_avdag - displayName: Deploy AVD application group - dependsOn: - - deploy_avdhp - variables: - resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Group - - - stage: deploy_rolea - displayName: Deploy role assignments - dependsOn: - - deploy_msi - variables: - resourceType: 'Microsoft.Authorization\roleAssignments' - templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: MSI Role Assignment - - - stage: deploy_vnet - displayName: Deploy virtual networks - dependsOn: - - deploy_nsg - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - deploy_udr - variables: - resourceType: 'Microsoft.Network/virtualNetworks' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json - templateFilePath: $(templateFilePath) - displayName: VNET PEering 1 Virtual Network - - path: 
$(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json - templateFilePath: $(templateFilePath) - displayName: VNET Peering 2 Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json - templateFilePath: $(templateFilePath) - displayName: Azure Firewall Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json - templateFilePath: $(templateFilePath) - displayName: AKS Virtual Network - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQL MI Virtual Network - - - stage: deploy_dnszone - displayName: Deploy private DNS zones - dependsOn: - - deploy_vnet - variables: - resourceType: 'Microsoft.Network/privateDnsZones' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + - stage: print_msi + dependsOn: deploy_msi jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Private DNS Zones - - - stage: deploy_vm - displayName: Deploy virtual machines - dependsOn: - - deploy_vnet - - deploy_rsv - - deploy_kv - variables: - resourceType: 'Microsoft.Compute/virtualMachines' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Virtual Machine + - job: print_msi_job + variables: + varFromStageA: $[ stageDependencies.deploy_msi.default_msi_job.outputs['DeployModule.deploymentOutput'] ] + name: ValidateVar + steps: + - checkout: none + - script: | + echo "This Job will print value from deploy_msi stage" 
+ echo $(varFromStageA) + + # - stage: deploy_pa + # displayName: Deploy policy assignment + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.Authorization/policyAssignments' + # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Policy assignment + + # - stage: deploy_evh + # displayName: Deploy event hub + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.EventHub/namespaces' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: EventHub + + # - stage: deploy_law + # displayName: Deploy log analytics workspace + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.OperationalInsights/workspaces' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default LAW + # - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: AppInsights LAW + + # - stage: deploy_sa + # displayName: Deploy storage account + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.Storage/storageAccounts' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default storage account + # jobName: default_sa + # - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: LAW storage account + # - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: FunctionApp storage account + # - job: + # displayName: Upload files to storage account + # dependsOn: + # - default_sa + # pool: + # ${{ if eq(variables['vmImage'], '') }}: + # name: $(poolName) + # ${{ if eq(variables['poolName'], '') }}: + # vmImage: $(vmImage) + # steps: + # - task: PowerShell@2 + # displayName: 'Setup agent' + # inputs: + # targetType: inline + # pwsh: true + # script: | + # # Load used functions + # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Define PS modules to install on the runner + # $Modules = @( + # @{ Name = 'Az.Storage' } + # ) + + # # Set agent up + # Set-EnvironmentOnAgent -PSModules $Modules + # - task: AzurePowerShell@5 + # displayName: Upload files to storage account + # inputs: + # azureSubscription: $(serviceConnection) + # ScriptType: 'InlineScript' + # Inline: | + # # Load used functions + # . 
(Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # # Get storage account name + # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' + # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # # Upload files to storage account + # $functionInput = @{ + # ResourceGroupName = '$(defaultResourceGroupName)' + # StorageAccountName = $storageAccountParameters.name.value + # contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' + # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + # } + + # Write-Verbose "Invoke task with" -Verbose + # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + # Export-ContentToBlob @functionInput -Verbose + # azurePowerShellVersion: 'LatestVersion' + # pwsh: true + + # - stage: deploy_sig + # displayName: Deploy shared image gallery and definition + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.Compute/galleries' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default SIG and SID + + # - stage: deploy_ag + # displayName: Deploy action groups + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.Insights/actionGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default 
Action Group + + # - stage: deploy_asg + # displayName: Deploy application security groups + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.Network/applicationSecurityGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Security Groups + + # - stage: deploy_udr + # displayName: Deploy route tables + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.Network/routeTables' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default User Defined Routes + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI User Defined Routes + + # - stage: deploy_nsg + # displayName: Deploy network security groups + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.Network/networkSecurityGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default NSG + # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: App Gateway NSG + # - path: 
$(dependencyPath)/$(resourceType)/parameters/ase.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: ASE NSG + # - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion NSG + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI NSG + + # - stage: deploy_pip + # displayName: Deploy public IP addresses + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.Network\publicIPAddresses' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: App Gateway Public IP + # - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion Public IP + # - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Load balancer Public IP + + # - stage: deploy_appi + # displayName: Deploy application insight + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.Insights/components' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Insights + + # - stage: deploy_aut + # displayName: Deploy automation account + # dependsOn: + # - 
deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.Automation/automationAccounts' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Automation Account + + # - stage: deploy_avdhp + # displayName: Deploy AVD host pool + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.DesktopVirtualization/hostpools' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default AVD Host Pool + + # - stage: deploy_rsv + # displayName: Deploy recovery services vault + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.RecoveryServices/vaults' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default recovery services vault + + # - stage: deploy_kv + # displayName: Deploy key vaults + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.KeyVault/vaults' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: 
$(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Key Vault + # jobName: default_kv + # - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Private Endpoint Key Vault + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI key vault + # jobName: sqlmi_kv + # - job: + # displayName: Set key vault secrets keys and certificates + # dependsOn: + # - default_kv + # pool: + # ${{ if eq(variables['vmImage'], '') }}: + # name: $(poolName) + # ${{ if eq(variables['poolName'], '') }}: + # vmImage: $(vmImage) + # steps: + # - task: PowerShell@2 + # displayName: 'Setup agent' + # inputs: + # targetType: inline + # pwsh: true + # script: | + # # Load used functions + # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Define PS modules to install on the runner + # $Modules = @( + # @{ Name = 'Az.KeyVault' } + # ) + + # # Set agent up + # Set-EnvironmentOnAgent -PSModules $Modules + # - task: AzurePowerShell@5 + # displayName: Set key vault secrets keys and certificates + # inputs: + # azureSubscription: $(serviceConnection) + # ScriptType: 'InlineScript' + # Inline: | + # # Get key vault name + # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' + # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + # $keyVaultName = $keyVaultParameters.name.value + + # # Generate values + # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + # $userName = ConvertTo-SecureString -String 
$usernameString -AsPlainText -Force + # $passwordString = (New-Guid).Guid.SubString(0, 19) + # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + # $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) + # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + + # # Set secrets + # # ------- + # @( + # @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS + # @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS + # @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer + # @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer + # @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway + # @{ name = 'apimClientId'; secretValue = $username } # API management + # @{ name = 'apimClientSecret'; secretValue = $password } # API management + # ) | ForEach-Object { + # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + + # # Certificats + # # ----------- + # $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal + # @( + # @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway + # ) | ForEach-Object { + # $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy + # Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + + # # Set keys + # # ---- + # @( + # @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS + # ) | ForEach-Object { + # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination 
$_.Destination + # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + # azurePowerShellVersion: 'LatestVersion' + # pwsh: true + + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - job: + # displayName: Set sqlmi key vault secrets and keys + # condition: eq(${{ parameters.deploySqlMiDependencies }}, true) + # dependsOn: + # - sqlmi_kv + # pool: + # ${{ if eq(variables['vmImage'], '') }}: + # name: $(poolName) + # ${{ if eq(variables['poolName'], '') }}: + # vmImage: $(vmImage) + # steps: + # - task: PowerShell@2 + # displayName: 'Setup agent' + # inputs: + # targetType: inline + # pwsh: true + # script: | + # # Load used functions + # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Define PS modules to install on the runner + # $Modules = @( + # @{ Name = 'Az.KeyVault' } + # ) + + # # Set agent up + # Set-EnvironmentOnAgent -PSModules $Modules + # - task: AzurePowerShell@5 + # displayName: Set sqlmi key vault secrets and keys + # inputs: + # azureSubscription: $(serviceConnection) + # ScriptType: 'InlineScript' + # Inline: | + # # Get key vault name + # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'sqlmi.parameters.json' + # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + # $keyVaultName = $keyVaultParameters.name.value + + # # Generate values + # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + # $passwordString = (New-Guid).Guid.SubString(0, 19) + # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + + # # Set secrets + # # ------- + # @( + # @{ name = 'administratorLogin'; secretValue = $username } # 
SQLManagedInstances + # @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances + # ) | ForEach-Object { + # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + + # # Set keys + # # ---- + # @( + # @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances + # ) | ForEach-Object { + # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination + # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + # azurePowerShellVersion: 'LatestVersion' + # pwsh: true + + # - stage: deploy_avdag + # displayName: Deploy AVD application group + # dependsOn: + # - deploy_avdhp + # variables: + # resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Group + + # - stage: deploy_rolea + # displayName: Deploy role assignments + # dependsOn: + # - deploy_msi + # variables: + # resourceType: 'Microsoft.Authorization\roleAssignments' + # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: MSI Role Assignment + + # - stage: deploy_vnet + # displayName: Deploy virtual networks + # dependsOn: + # - deploy_nsg + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - deploy_udr + # variables: 
+ # resourceType: 'Microsoft.Network/virtualNetworks' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: VNET PEering 1 Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: VNET Peering 2 Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Azure Firewall Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: AKS Virtual Network + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQL MI Virtual Network + + # - stage: deploy_dnszone + # displayName: Deploy private DNS zones + # dependsOn: + # - deploy_vnet + # variables: + # resourceType: 'Microsoft.Network/privateDnsZones' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Private DNS Zones + + # - stage: 
deploy_vm
+ # displayName: Deploy virtual machines
+ # dependsOn:
+ # - deploy_vnet
+ # - deploy_rsv
+ # - deploy_kv
+ # variables:
+ # resourceType: 'Microsoft.Compute/virtualMachines'
+ # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ # jobs:
+ # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ # parameters:
+ # deploymentBlocks:
+ # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ # templateFilePath: $(templateFilePath)
+ # displayName: Default Virtual Machine
From c0bc1a00d965c0d7145dcd4b6f60223413ddc3ff Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Wed, 12 Jan 2022 20:27:44 +0100
Subject: [PATCH 14/19] task name
---
 .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
index abfe94910a..0e5ef3bd64 100644
--- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
@@ -231,7 +231,7 @@ jobs:
 #---------------------
 - task: AzurePowerShell@5
 displayName: 'Deploy [${{ deploymentBlock.path }}] via connection [${{ parameters.serviceConnection }}]'
- name: DeployModule
+ name: 'DeployModule'
 inputs:
 azureSubscription: ${{ parameters.serviceConnection }}
 azurePowerShellVersion: ${{ parameters.azurePowerShellVersion }}
From 4b4909181aad820dcbd2b3ed90a03935b5a2e74c Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Wed, 12 Jan 2022 20:29:35 +0100
Subject: [PATCH 15/19] remove line
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index f4bb67097c..b216cc0038 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -65,7 +65,6 @@ stages:
 - job: print_msi_job
 variables:
 varFromStageA: $[ stageDependencies.deploy_msi.default_msi_job.outputs['DeployModule.deploymentOutput'] ]
- name: ValidateVar
 steps:
 - checkout: none
 - script: |
From 42033db4f8905a5676e64c50bc89b9111aa5daf8 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Thu, 13 Jan 2022 10:20:52 +0100
Subject: [PATCH 16/19] cleanup
---
 .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
index 0e5ef3bd64..d7c3ec8fce 100644
--- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
@@ -273,11 +273,6 @@ jobs:
 # Get deployment name
 Write-Host ('##vso[task.setvariable variable=deploymentName]{0}' -f $res.deploymentName)
- # # Populate further outputs
- # foreach ($outputKey in $res.deploymentOutput.Keys) {
- # Write-Output ('##vso[task.setvariable variable={0}]{1}' -f $outputKey, $res.deploymentOutput[$outputKey].Value)
- # }
-
 # Populate pipeline output
 $deploymentOutputHash=@{}
From 721450c3ffdb5d0222ab8926ccf9bd88a7155d90 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Thu, 13 Jan 2022 10:22:26 +0100
Subject: [PATCH 17/19] Populate further outputs
---
 .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 2 +-
 .github/actions/templates/validateModuleDeployment/action.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
index d7c3ec8fce..56faf474cd 100644
--- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
@@ -273,7 +273,7 @@ jobs:
 # Get deployment name
 Write-Host ('##vso[task.setvariable variable=deploymentName]{0}' -f $res.deploymentName)
- # Populate pipeline output
+ # Populate further outputs
 $deploymentOutputHash=@{}
 foreach ($outputKey in $res.deploymentOutput.Keys) {
diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml
index f05fe89c08..8a6ae87cf1 100644
--- a/.github/actions/templates/validateModuleDeployment/action.yml
+++ b/.github/actions/templates/validateModuleDeployment/action.yml
@@ -152,7 +152,7 @@ runs:
 # Get deployment name
 Write-Output ('::set-output name={0}::{1}' -f 'deploymentName', $res.deploymentName)
- # Populate action output
+ # Populate further outputs
 $deploymentOutputHash=@{}
 foreach ($outputKey in $res.deploymentOutput.Keys) {
From b199be2b1c7cd1a04b578fab9a49012c587fa05a Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Thu, 13 Jan 2022 10:31:00 +0100
Subject: [PATCH 18/19] ado dependencies back
---
 .../platform.dependencies.yml | 1192 ++++++++---------
 1 file changed, 590 insertions(+), 602 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index b216cc0038..f0682ef6d5 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
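Review bot: The new comment `# Populate further outputs` in both hunks of this commit (module.jobs.deploy.yml @@ -273 and action.yml @@ -152) says less than the code under it does: the loop that follows iterates every key of `$res.deploymentOutput` and presumably fills `$deploymentOutputHash`, which the platform.dependencies.yml hunk earlier in this series reads back from another stage as a single `DeployModule.deploymentOutput` value. The surrounding lines publish values with a plain `task.setvariable` and `::set-output` (no `issecret`, no masking), so a reader should be told that every module output is treated as non-sensitive at this point. I would write `# Collect every deployment output into one hashtable; it is published as a single, non-secret 'deploymentOutput' value for other jobs, so module outputs must not carry secrets` in both files. The loop body and the publishing code continue outside the hunk.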
@@ -30,23 +30,23 @@ variables:
 value: 'validation-rg'
 stages:
- # - stage: deploy_rg
- # displayName: Deploy resource group
- # variables:
- # resourceType: 'Microsoft.Resources/resourceGroups'
- # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
- # jobs:
- # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
- # parameters:
- # deploymentBlocks:
- # - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Validation Resource Group
+ - stage: deploy_rg
+ displayName: Deploy resource group
+ variables:
+ resourceType: 'Microsoft.Resources/resourceGroups'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Validation Resource Group
 - stage: deploy_msi
 displayName: Deploy user assigned identity
- # dependsOn:
- # - deploy_rg
+ dependsOn:
+ - deploy_rg
 variables:
 resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities'
 templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
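Review bot: Nothing in the re-enabled `deploy_rg` stage records that the resource group it creates from `validation.parameters.json` is presumably the same one the `value: 'validation-rg'` variable just above it names for every later stage, so the two definitions can drift apart without any failure at this point in the pipeline. A one-line comment on the stage would make the coupling explicit, e.g. `# Creates the resource group that the defaultResourceGroupName variable above refers to; keep validation.parameters.json in sync with it`. The variable's own name is outside this hunk (only its value is visible here), so the wording should be checked against the declaration a few lines up.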
@@ -59,592 +59,580 @@ stages: displayName: User Assigned Identity jobName: default_msi_job - - stage: print_msi - dependsOn: deploy_msi + - stage: deploy_pa + displayName: Deploy policy assignment + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Authorization/policyAssignments' + templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Policy assignment + + - stage: deploy_evh + displayName: Deploy event hub + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.EventHub/namespaces' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: EventHub + + - stage: deploy_law + displayName: Deploy log analytics workspace + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.OperationalInsights/workspaces' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default LAW + - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json + templateFilePath: $(templateFilePath) + displayName: AppInsights LAW + + - stage: deploy_sa + displayName: Deploy storage account + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Storage/storageAccounts' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default storage account + jobName: default_sa + - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json + templateFilePath: $(templateFilePath) + displayName: LAW storage account + - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json + templateFilePath: $(templateFilePath) + displayName: FunctionApp storage account + - job: + displayName: Upload files to storage account + dependsOn: + - default_sa + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.Storage' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + - task: AzurePowerShell@5 + displayName: Upload files to storage account + inputs: + azureSubscription: $(serviceConnection) + ScriptType: 'InlineScript' + Inline: | + # Load used functions + . 
(Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # Get storage account name + $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' + $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # Upload files to storage account + $functionInput = @{ + ResourceGroupName = '$(defaultResourceGroupName)' + StorageAccountName = $storageAccountParameters.name.value + contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' + targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + } + + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + Export-ContentToBlob @functionInput -Verbose + azurePowerShellVersion: 'LatestVersion' + pwsh: true + + - stage: deploy_sig + displayName: Deploy shared image gallery and definition + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Compute/galleries' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default SIG and SID + + - stage: deploy_ag + displayName: Deploy action groups + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Insights/actionGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Action Group + + - stage: deploy_asg + displayName: Deploy application security groups + 
dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Network/applicationSecurityGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Security Groups + + - stage: deploy_udr + displayName: Deploy route tables + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Network/routeTables' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default User Defined Routes + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI User Defined Routes + + - stage: deploy_nsg + displayName: Deploy network security groups + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.Network/networkSecurityGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default NSG + - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + templateFilePath: $(templateFilePath) + displayName: App Gateway NSG + - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json + templateFilePath: $(templateFilePath) + displayName: ASE NSG + - path: 
$(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion NSG + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI NSG + + - stage: deploy_pip + displayName: Deploy public IP addresses + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.Network\publicIPAddresses' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + templateFilePath: $(templateFilePath) + displayName: App Gateway Public IP + - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion Public IP + - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json + templateFilePath: $(templateFilePath) + displayName: Load balancer Public IP + + - stage: deploy_appi + displayName: Deploy application insight + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.Insights/components' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Insights + + - stage: deploy_aut + displayName: Deploy automation account + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.Automation/automationAccounts' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Automation Account + + - stage: deploy_avdhp + displayName: Deploy AVD host pool + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.DesktopVirtualization/hostpools' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default AVD Host Pool + + - stage: deploy_rsv + displayName: Deploy recovery services vault + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.RecoveryServices/vaults' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default recovery services vault + + - stage: deploy_kv + displayName: Deploy key vaults + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.KeyVault/vaults' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Key Vault + jobName: default_kv + - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json + templateFilePath: $(templateFilePath) + displayName: Private Endpoint Key Vault + - ${{ if eq( parameters.deploySqlMiDependencies, 
true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI key vault + jobName: sqlmi_kv + - job: + displayName: Set key vault secrets keys and certificates + dependsOn: + - default_kv + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + - task: AzurePowerShell@5 + displayName: Set key vault secrets keys and certificates + inputs: + azureSubscription: $(serviceConnection) + ScriptType: 'InlineScript' + Inline: | + # Get key vault name + $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' + $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + $keyVaultName = $keyVaultParameters.name.value + + # Generate values + $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $passwordString = (New-Guid).Guid.SubString(0, 19) + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) + $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + + # Set secrets + # ------- + @( + @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS + @{ name = 'adminPassword'; 
secretValue = $password } # VirtualMachines and VMSS + @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer + @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer + @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway + @{ name = 'apimClientId'; secretValue = $username } # API management + @{ name = 'apimClientSecret'; secretValue = $password } # API management + ) | ForEach-Object { + $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + + # Certificats + # ----------- + $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal + @( + @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway + ) | ForEach-Object { + $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy + Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + + # Set keys + # ---- + @( + @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS + ) | ForEach-Object { + $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination + Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + azurePowerShellVersion: 'LatestVersion' + pwsh: true + + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - job: + displayName: Set sqlmi key vault secrets and keys + condition: eq(${{ parameters.deploySqlMiDependencies }}, true) + dependsOn: + - sqlmi_kv + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: 
PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + - task: AzurePowerShell@5 + displayName: Set sqlmi key vault secrets and keys + inputs: + azureSubscription: $(serviceConnection) + ScriptType: 'InlineScript' + Inline: | + # Get key vault name + $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'sqlmi.parameters.json' + $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + $keyVaultName = $keyVaultParameters.name.value + + # Generate values + $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $passwordString = (New-Guid).Guid.SubString(0, 19) + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + + # Set secrets + # ------- + @( + @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances + @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances + ) | ForEach-Object { + $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + + # Set keys + # ---- + @( + @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances + ) | ForEach-Object { + $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination + Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, 
$keyVaultName) -Verbose
+ }
+ azurePowerShellVersion: 'LatestVersion'
+ pwsh: true
+
+ - stage: deploy_avdag
+ displayName: Deploy AVD application group
+ dependsOn:
+ - deploy_avdhp
+ variables:
+ resourceType: 'Microsoft.DesktopVirtualization/applicationgroups'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Application Group
+
+ - stage: deploy_rolea
+ displayName: Deploy role assignments
+ dependsOn:
+ - deploy_msi
+ variables:
+ resourceType: 'Microsoft.Authorization\roleAssignments'
+ templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: MSI Role Assignment
+
+ - stage: deploy_vnet
+ displayName: Deploy virtual networks
+ dependsOn:
+ - deploy_nsg
+ - ${{ if eq( parameters.deploySqlMiDependencies, true) }}:
+ - deploy_udr
+ variables:
+ resourceType: 'Microsoft.Network/virtualNetworks'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Virtual Network
+ - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Bastion Virtual Network
+ - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: VNET PEering 1 Virtual Network
+ - path:
$(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json + templateFilePath: $(templateFilePath) + displayName: VNET Peering 2 Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json + templateFilePath: $(templateFilePath) + displayName: Azure Firewall Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json + templateFilePath: $(templateFilePath) + displayName: AKS Virtual Network + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQL MI Virtual Network + + - stage: deploy_dnszone + displayName: Deploy private DNS zones + dependsOn: + - deploy_vnet + variables: + resourceType: 'Microsoft.Network/privateDnsZones' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep jobs: - - job: print_msi_job - variables: - varFromStageA: $[ stageDependencies.deploy_msi.default_msi_job.outputs['DeployModule.deploymentOutput'] ] - steps: - - checkout: none - - script: | - echo "This Job will print value from deploy_msi stage" - echo $(varFromStageA) - - # - stage: deploy_pa - # displayName: Deploy policy assignment - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.Authorization/policyAssignments' - # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Policy assignment - - # - stage: deploy_evh - # displayName: Deploy event hub - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.EventHub/namespaces' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: EventHub - - # - stage: deploy_law - # displayName: Deploy log analytics workspace - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.OperationalInsights/workspaces' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default LAW - # - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: AppInsights LAW - - # - stage: deploy_sa - # displayName: Deploy storage account - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.Storage/storageAccounts' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default storage account - # jobName: default_sa - # - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: LAW storage account - # - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: FunctionApp storage account - # - job: - # displayName: Upload files to storage account - # dependsOn: - # - default_sa - # pool: - # ${{ if eq(variables['vmImage'], '') }}: - # name: $(poolName) - # ${{ if eq(variables['poolName'], '') }}: - # vmImage: $(vmImage) - # steps: - # - 
task: PowerShell@2 - # displayName: 'Setup agent' - # inputs: - # targetType: inline - # pwsh: true - # script: | - # # Load used functions - # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.Storage' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - task: AzurePowerShell@5 - # displayName: Upload files to storage account - # inputs: - # azureSubscription: $(serviceConnection) - # ScriptType: 'InlineScript' - # Inline: | - # # Load used functions - # . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # # Get storage account name - # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' - # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # # Upload files to storage account - # $functionInput = @{ - # ResourceGroupName = '$(defaultResourceGroupName)' - # StorageAccountName = $storageAccountParameters.name.value - # contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' - # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - # } - - # Write-Verbose "Invoke task with" -Verbose - # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - # Export-ContentToBlob @functionInput -Verbose - # azurePowerShellVersion: 'LatestVersion' - # pwsh: true - - # - stage: deploy_sig - # displayName: Deploy shared image gallery and definition - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.Compute/galleries' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # 
deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default SIG and SID - - # - stage: deploy_ag - # displayName: Deploy action groups - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.Insights/actionGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Action Group - - # - stage: deploy_asg - # displayName: Deploy application security groups - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.Network/applicationSecurityGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Security Groups - - # - stage: deploy_udr - # displayName: Deploy route tables - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.Network/routeTables' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default User Defined Routes - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI User Defined Routes - - # - stage: deploy_nsg - # displayName: Deploy network 
security groups - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.Network/networkSecurityGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: App Gateway NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: ASE NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion NSG - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI NSG - - # - stage: deploy_pip - # displayName: Deploy public IP addresses - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.Network\publicIPAddresses' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: App Gateway Public IP - # - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion Public IP - # - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Load balancer 
Public IP - - # - stage: deploy_appi - # displayName: Deploy application insight - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.Insights/components' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Insights - - # - stage: deploy_aut - # displayName: Deploy automation account - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.Automation/automationAccounts' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Automation Account - - # - stage: deploy_avdhp - # displayName: Deploy AVD host pool - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.DesktopVirtualization/hostpools' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default AVD Host Pool - - # - stage: deploy_rsv - # displayName: Deploy recovery services vault - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.RecoveryServices/vaults' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default recovery services vault - - # - stage: deploy_kv - # displayName: Deploy key vaults - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.KeyVault/vaults' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Key Vault - # jobName: default_kv - # - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Private Endpoint Key Vault - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI key vault - # jobName: sqlmi_kv - # - job: - # displayName: Set key vault secrets keys and certificates - # dependsOn: - # - default_kv - # pool: - # ${{ if eq(variables['vmImage'], '') }}: - # name: $(poolName) - # ${{ if eq(variables['poolName'], '') }}: - # vmImage: $(vmImage) - # steps: - # - task: PowerShell@2 - # displayName: 'Setup agent' - # inputs: - # targetType: inline - # pwsh: true - # script: | - # # Load used functions - # . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.KeyVault' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - task: AzurePowerShell@5 - # displayName: Set key vault secrets keys and certificates - # inputs: - # azureSubscription: $(serviceConnection) - # ScriptType: 'InlineScript' - # Inline: | - # # Get key vault name - # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' - # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - # $keyVaultName = $keyVaultParameters.name.value - - # # Generate values - # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $passwordString = (New-Guid).Guid.SubString(0, 19) - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - # $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) - # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - - # # Set secrets - # # ------- - # @( - # @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS - # @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS - # @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer - # @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer - # @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway - # @{ name = 'apimClientId'; secretValue = $username } # API management - # @{ name = 'apimClientSecret'; secretValue = $password } # API management - # ) | ForEach-Object { - # $null = 
Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - - # # Certificats - # # ----------- - # $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - # @( - # @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway - # ) | ForEach-Object { - # $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy - # Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - - # # Set keys - # # ---- - # @( - # @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS - # ) | ForEach-Object { - # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - # azurePowerShellVersion: 'LatestVersion' - # pwsh: true - - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - job: - # displayName: Set sqlmi key vault secrets and keys - # condition: eq(${{ parameters.deploySqlMiDependencies }}, true) - # dependsOn: - # - sqlmi_kv - # pool: - # ${{ if eq(variables['vmImage'], '') }}: - # name: $(poolName) - # ${{ if eq(variables['poolName'], '') }}: - # vmImage: $(vmImage) - # steps: - # - task: PowerShell@2 - # displayName: 'Setup agent' - # inputs: - # targetType: inline - # pwsh: true - # script: | - # # Load used functions - # . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.KeyVault' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - task: AzurePowerShell@5 - # displayName: Set sqlmi key vault secrets and keys - # inputs: - # azureSubscription: $(serviceConnection) - # ScriptType: 'InlineScript' - # Inline: | - # # Get key vault name - # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'sqlmi.parameters.json' - # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - # $keyVaultName = $keyVaultParameters.name.value - - # # Generate values - # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $passwordString = (New-Guid).Guid.SubString(0, 19) - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - - # # Set secrets - # # ------- - # @( - # @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances - # @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances - # ) | ForEach-Object { - # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - - # # Set keys - # # ---- - # @( - # @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances - # ) | ForEach-Object { - # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - # 
azurePowerShellVersion: 'LatestVersion'
- # pwsh: true
-
- # - stage: deploy_avdag
- # displayName: Deploy AVD application group
- # dependsOn:
- # - deploy_avdhp
- # variables:
- # resourceType: 'Microsoft.DesktopVirtualization/applicationgroups'
- # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
- # jobs:
- # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
- # parameters:
- # deploymentBlocks:
- # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Default Application Group
-
- # - stage: deploy_rolea
- # displayName: Deploy role assignments
- # dependsOn:
- # - deploy_msi
- # variables:
- # resourceType: 'Microsoft.Authorization\roleAssignments'
- # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep
- # jobs:
- # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
- # parameters:
- # deploymentBlocks:
- # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: MSI Role Assignment
-
- # - stage: deploy_vnet
- # displayName: Deploy virtual networks
- # dependsOn:
- # - deploy_nsg
- # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}:
- # - deploy_udr
- # variables:
- # resourceType: 'Microsoft.Network/virtualNetworks'
- # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
- # jobs:
- # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
- # parameters:
- # deploymentBlocks:
- # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Default Virtual Network
- # - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Bastion Virtual Network
- # - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json
- # templateFilePath:
$(templateFilePath)
- # displayName: VNET PEering 1 Virtual Network
- # - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: VNET Peering 2 Virtual Network
- # - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Azure Firewall Virtual Network
- # - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: AKS Virtual Network
- # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}:
- # - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: SQL MI Virtual Network
-
- # - stage: deploy_dnszone
- # displayName: Deploy private DNS zones
- # dependsOn:
- # - deploy_vnet
- # variables:
- # resourceType: 'Microsoft.Network/privateDnsZones'
- # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
- # jobs:
- # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
- # parameters:
- # deploymentBlocks:
- # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Default Private DNS Zones
-
- # - stage: deploy_vm
- # displayName: Deploy virtual machines
- # dependsOn:
- # - deploy_vnet
- # - deploy_rsv
- # - deploy_kv
- # variables:
- # resourceType: 'Microsoft.Compute/virtualMachines'
- # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
- # jobs:
- # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
- # parameters:
- # deploymentBlocks:
- # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
- # templateFilePath: $(templateFilePath)
- # displayName: Default Virtual Machine
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path:
$(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Private DNS Zones
+
+ - stage: deploy_vm
+ displayName: Deploy virtual machines
+ dependsOn:
+ - deploy_vnet
+ - deploy_rsv
+ - deploy_kv
+ variables:
+ resourceType: 'Microsoft.Compute/virtualMachines'
+ templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep
+ jobs:
+ - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ parameters:
+ deploymentBlocks:
+ - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
+ templateFilePath: $(templateFilePath)
+ displayName: Default Virtual Machine

From 5c88da539f435b1e666886655908ebbe230ff05e Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Thu, 13 Jan 2022 10:32:54 +0100
Subject: [PATCH 19/19] ado dependencies back job name

---
 .azuredevops/platformPipelines/platform.dependencies.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index f0682ef6d5..9abe3c0aea 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -57,7 +57,6 @@ stages:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
 displayName: User Assigned Identity
- jobName: default_msi_job
 
 - stage: deploy_pa
 displayName: Deploy policy assignment