From 0778370133fae54637d9175dace104d95f465a55 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Fri, 14 Jan 2022 17:45:36 +0100 Subject: [PATCH 01/69] test msi out --- .github/workflows/platform.dependencies.yml | 1793 ++++++++++--------- 1 file changed, 906 insertions(+), 887 deletions(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 3a7c306611..13a801d682 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml 
@@ -30,549 +30,40 @@ env: DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: - job_deploy_rg: - runs-on: ubuntu-20.04 - name: 'Deploy resource group' - env: - namespace: 'Microsoft.Resources\resourceGroups' - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['validation.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_msi: - runs-on: ubuntu-20.04 - name: 'Deploy user assigned identity' - env: - namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_pa: - runs-on: ubuntu-20.04 - name: 'Deploy policy assignment' - env: - namespace: 'Microsoft.Authorization\policyAssignments' - needs: - - job_deploy_rg - strategy: - fail-fast: false - 
matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_evh: - runs-on: ubuntu-20.04 - name: 'Deploy eventhub' - env: - namespace: 'Microsoft.EventHub\namespaces' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_law: - runs-on: ubuntu-20.04 - name: 'Deploy log analytics workspace' - env: - namespace: 'Microsoft.OperationalInsights\workspaces' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['appi.parameters.json', 'parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - 
templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sa: - runs-on: ubuntu-20.04 - name: 'Deploy storage account' - env: - namespace: 'Microsoft.Storage\storageAccounts' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: - ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_sa_upload_storage_files: - runs-on: ubuntu-20.04 - name: 'Upload files to storage account' - env: - namespace: 'Microsoft.Storage\storageAccounts' - needs: - - job_deploy_sa - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Setup agent' - shell: pwsh - run: | - # Load used functions - . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.Storage' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: Run PowerShell - uses: azure/powershell@v1 - with: - inlineScript: | - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # Get storage account name - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' - $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # Upload files to storage account - $functionInput = @{ - ResourceGroupName = '${{ env.defaultResourceGroupName }}' - StorageAccountName = $storageAccountParameters.name.value - contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads' - targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - } - - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - Export-ContentToBlob @functionInput -Verbose - azPSVersion: 'latest' - - job_deploy_sig: - runs-on: ubuntu-20.04 - name: 'Deploy shared image gallery and definition' - env: - namespace: 'Microsoft.Compute\galleries' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ 
env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_ag: - runs-on: ubuntu-20.04 - name: 'Deploy action groups' - env: - namespace: 'Microsoft.Insights\actionGroups' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_asg: - runs-on: ubuntu-20.04 - name: 'Deploy application security groups' - env: - namespace: 'Microsoft.Network\applicationSecurityGroups' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' 
- removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_udr: - runs-on: ubuntu-20.04 - name: 'Deploy route tables' - env: - namespace: 'Microsoft.Network\routeTables' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_udr: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi route tables' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.Network\routeTables' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlMi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_nsg: - runs-on: ubuntu-20.04 - name: 'Deploy network security groups' - env: - namespace: 'Microsoft.Network\networkSecurityGroups' - needs: - - job_deploy_sa - 
- job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: - [ - 'apgw.parameters.json', - 'ase.parameters.json', - 'bastion.parameters.json', - 'parameters.json', - ] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_nsg: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi network security group' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.Network\networkSecurityGroups' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_pip: - runs-on: ubuntu-20.04 - name: 'Deploy public IP addresses' - env: - namespace: 'Microsoft.Network\publicIPAddresses' - needs: - - job_deploy_sa - - job_deploy_evh - - 
job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: - ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # job_deploy_rg: + # runs-on: ubuntu-20.04 + # name: 'Deploy resource group' + # env: + # namespace: 'Microsoft.Resources\resourceGroups' + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['validation.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' - job_deploy_appi: - runs-on: ubuntu-20.04 - name: 'Deploy application insight' - env: - namespace: 'Microsoft.Insights\components' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - 
fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_aut: - runs-on: ubuntu-20.04 - name: 'Deploy automation account' - env: - namespace: 'Microsoft.Automation\automationAccounts' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_avdhp: - runs-on: ubuntu-20.04 - name: 'Deploy AVD host pool' - env: - namespace: 'Microsoft.DesktopVirtualization\hostpools' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ 
env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_rsv: + job_deploy_msi: runs-on: ubuntu-20.04 - name: 'Deploy recovery services vault' + name: 'Deploy user assigned identity' env: - namespace: 'Microsoft.RecoveryServices\vaults' + namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law + - job_deploy_rg + outputs: + msiPrincipalId: ${{ steps.deploy-msi-out.outputs.msiPrincipalId }} strategy: fail-fast: false matrix: @@ -583,6 +74,7 @@ jobs: with: fetch-depth: 0 - name: 'Deploy module' + id: deploy-msi uses: ./.github/actions/templates/validateModuleDeployment with: templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' 
@@ -592,240 +84,760 @@ jobs: subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_kv: - runs-on: ubuntu-20.04 - name: 'Deploy key vaults' - env: - namespace: 'Microsoft.KeyVault\vaults' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json', 'pe.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_kv_secrets: - runs-on: ubuntu-20.04 - name: 'Set key vault secrets keys and certificates' - env: - namespace: 'Microsoft.KeyVault\vaults' - needs: - - job_deploy_kv - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Setup agent' - shell: pwsh - run: | - # Load used functions - . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.KeyVault' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: 'Set key vault secrets keys and certificates' - uses: azure/powershell@v1 - with: - inlineScript: | - # Get key vault name - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json' - $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - $keyVaultName = $keyVaultParameters.name.value - - # Generate values - $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $passwordString = (New-Guid).Guid.SubString(0, 19) - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) - $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - - # Set secrets - # ------- - @( - @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS - @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS - @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer - @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer - @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway - @{ name = 'apimClientId'; secretValue = $username } # API management - @{ name = 'apimClientSecret'; secretValue = $password } # API management - ) | ForEach-Object { - $null = Set-AzKeyVaultSecret 
-VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set certificates - # ----------- - $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - @( - @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway - ) | ForEach-Object { - $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy - Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set keys - # ---- - @( - @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS - ) | ForEach-Object { - $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - azPSVersion: 'latest' - - job_deploy_sqlmi_kv: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi key vault' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.KeyVault\vaults' - needs: - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ 
secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_kv_secrets: - runs-on: ubuntu-20.04 - name: 'Set sqlmi key vault secrets and keys' - if: github.event.inputs.deploySqlMiDependencies == 'true' - needs: - - job_deploy_sqlmi_kv - env: - namespace: 'Microsoft.KeyVault\vaults' - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Setup agent' - shell: pwsh - run: | - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.KeyVault' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: 'Set sqlmi key vault secrets and keys' + - name: Set msi principal ID output + id: deploy-msi-out uses: azure/powershell@v1 with: inlineScript: | - # Get key vault name - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json' - $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - $keyVaultName = $keyVaultParameters.name.value - - # Generate values - $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $passwordString = (New-Guid).Guid.SubString(0, 19) - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - - # Set secrets - # ------- - @( - @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances - @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances - ) | ForEach-Object { - $null = Set-AzKeyVaultSecret 
-VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set keys - # ---- - @( - @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances - ) | ForEach-Object { - $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } + $deploymentOutput = '${{ steps.deploy-msi.outputs.deploymentOutput }}' + $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).msiPrincipalId + Write-Output ('::set-output name=msiPrincipalId::{0}' -f $msiPrincipalId) azPSVersion: 'latest' - job_deploy_avdag: - runs-on: ubuntu-20.04 - name: 'Deploy AVD application group' - env: - namespace: 'Microsoft.DesktopVirtualization\applicationgroups' - needs: - - job_deploy_avdhp - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # job_deploy_pa: + # runs-on: ubuntu-20.04 + # name: 'Deploy policy assignment' + # env: + # namespace: 'Microsoft.Authorization\policyAssignments' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy 
module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_evh: + # runs-on: ubuntu-20.04 + # name: 'Deploy eventhub' + # env: + # namespace: 'Microsoft.EventHub\namespaces' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_law: + # runs-on: ubuntu-20.04 + # name: 'Deploy log analytics workspace' + # env: + # namespace: 'Microsoft.OperationalInsights\workspaces' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['appi.parameters.json', 'parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace 
}}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sa: + # runs-on: ubuntu-20.04 + # name: 'Deploy storage account' + # env: + # namespace: 'Microsoft.Storage\storageAccounts' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_sa_upload_storage_files: + # runs-on: ubuntu-20.04 + # name: 'Upload files to storage account' + # env: + # namespace: 'Microsoft.Storage\storageAccounts' + # needs: + # - job_deploy_sa + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Setup agent' + # shell: pwsh + # run: | + # # Load used functions + # . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Define PS modules to install on the runner + # $Modules = @( + # @{ Name = 'Az.Storage' } + # ) + + # # Set agent up + # Set-EnvironmentOnAgent -PSModules $Modules + # - name: Azure Login + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_CREDENTIALS }} + # enable-AzPSSession: true + # - name: Run PowerShell + # uses: azure/powershell@v1 + # with: + # inlineScript: | + # # Load used functions + # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # # Get storage account name + # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' + # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # # Upload files to storage account + # $functionInput = @{ + # ResourceGroupName = '${{ env.defaultResourceGroupName }}' + # StorageAccountName = $storageAccountParameters.name.value + # contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads' + # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + # } + + # Write-Verbose "Invoke task with" -Verbose + # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + # Export-ContentToBlob @functionInput -Verbose + # azPSVersion: 'latest' + + # job_deploy_sig: + # runs-on: ubuntu-20.04 + # name: 'Deploy shared image gallery and definition' + # env: + # namespace: 'Microsoft.Compute\galleries' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 
'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_ag: + # runs-on: ubuntu-20.04 + # name: 'Deploy action groups' + # env: + # namespace: 'Microsoft.Insights\actionGroups' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_asg: + # runs-on: ubuntu-20.04 + # name: 'Deploy application security groups' + # env: + # namespace: 'Microsoft.Network\applicationSecurityGroups' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # 
location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_udr: + # runs-on: ubuntu-20.04 + # name: 'Deploy route tables' + # env: + # namespace: 'Microsoft.Network\routeTables' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sqlmi_udr: + # runs-on: ubuntu-20.04 + # name: 'Deploy sqlmi route tables' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # env: + # namespace: 'Microsoft.Network\routeTables' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['sqlMi.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: 
'${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_nsg: + # runs-on: ubuntu-20.04 + # name: 'Deploy network security groups' + # env: + # namespace: 'Microsoft.Network\networkSecurityGroups' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # [ + # 'apgw.parameters.json', + # 'ase.parameters.json', + # 'bastion.parameters.json', + # 'parameters.json', + # ] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sqlmi_nsg: + # runs-on: ubuntu-20.04 + # name: 'Deploy sqlmi network security group' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # env: + # namespace: 'Microsoft.Network\networkSecurityGroups' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['sqlmi.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: 
'${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_pip: + # runs-on: ubuntu-20.04 + # name: 'Deploy public IP addresses' + # env: + # namespace: 'Microsoft.Network\publicIPAddresses' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_appi: + # runs-on: ubuntu-20.04 + # name: 'Deploy application insight' + # env: + # namespace: 'Microsoft.Insights\components' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # 
resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_aut: + # runs-on: ubuntu-20.04 + # name: 'Deploy automation account' + # env: + # namespace: 'Microsoft.Automation\automationAccounts' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_avdhp: + # runs-on: ubuntu-20.04 + # name: 'Deploy AVD host pool' + # env: + # namespace: 'Microsoft.DesktopVirtualization\hostpools' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ 
secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_rsv: + # runs-on: ubuntu-20.04 + # name: 'Deploy recovery services vault' + # env: + # namespace: 'Microsoft.RecoveryServices\vaults' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_kv: + # runs-on: ubuntu-20.04 + # name: 'Deploy key vaults' + # env: + # namespace: 'Microsoft.KeyVault\vaults' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json', 'pe.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID 
}}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_kv_secrets: + # runs-on: ubuntu-20.04 + # name: 'Set key vault secrets keys and certificates' + # env: + # namespace: 'Microsoft.KeyVault\vaults' + # needs: + # - job_deploy_kv + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Setup agent' + # shell: pwsh + # run: | + # # Load used functions + # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Define PS modules to install on the runner + # $Modules = @( + # @{ Name = 'Az.KeyVault' } + # ) + + # # Set agent up + # Set-EnvironmentOnAgent -PSModules $Modules + # - name: Azure Login + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_CREDENTIALS }} + # enable-AzPSSession: true + # - name: 'Set key vault secrets keys and certificates' + # uses: azure/powershell@v1 + # with: + # inlineScript: | + # # Get key vault name + # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json' + # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + # $keyVaultName = $keyVaultParameters.name.value + + # # Generate values + # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + # $passwordString = (New-Guid).Guid.SubString(0, 19) + # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + # $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) + # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + + # # Set secrets + # # ------- + # @( + # @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS + # @{ name = 'adminPassword'; secretValue = 
$password } # VirtualMachines and VMSS + # @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer + # @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer + # @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway + # @{ name = 'apimClientId'; secretValue = $username } # API management + # @{ name = 'apimClientSecret'; secretValue = $password } # API management + # ) | ForEach-Object { + # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + + # # Set certificates + # # ----------- + # $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal + # @( + # @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway + # ) | ForEach-Object { + # $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy + # Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + + # # Set keys + # # ---- + # @( + # @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS + # ) | ForEach-Object { + # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination + # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + # azPSVersion: 'latest' + + # job_deploy_sqlmi_kv: + # runs-on: ubuntu-20.04 + # name: 'Deploy sqlmi key vault' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # env: + # namespace: 'Microsoft.KeyVault\vaults' + # needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: 
['sqlmi.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sqlmi_kv_secrets: + # runs-on: ubuntu-20.04 + # name: 'Set sqlmi key vault secrets and keys' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # needs: + # - job_deploy_sqlmi_kv + # env: + # namespace: 'Microsoft.KeyVault\vaults' + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Setup agent' + # shell: pwsh + # run: | + # # Load used functions + # . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Define PS modules to install on the runner + # $Modules = @( + # @{ Name = 'Az.KeyVault' } + # ) + + # # Set agent up + # Set-EnvironmentOnAgent -PSModules $Modules + # - name: Azure Login + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_CREDENTIALS }} + # enable-AzPSSession: true + # - name: 'Set sqlmi key vault secrets and keys' + # uses: azure/powershell@v1 + # with: + # inlineScript: | + # # Get key vault name + # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json' + # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + # $keyVaultName = $keyVaultParameters.name.value + + # # Generate values + # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + # $passwordString = (New-Guid).Guid.SubString(0, 19) + # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + + # # Set secrets + # # ------- + # @( + # @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances + # @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances + # ) | ForEach-Object { + # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + + # # Set keys + # # ---- + # @( + # @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances + # ) | ForEach-Object { + # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination + # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f 
$_.name, $keyVaultName) -Verbose + # } + # azPSVersion: 'latest' + + # job_deploy_avdag: + # runs-on: ubuntu-20.04 + # name: 'Deploy AVD application group' + # env: + # namespace: 'Microsoft.DesktopVirtualization\applicationgroups' + # needs: + # - job_deploy_avdhp + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' job_deploy_rolea: runs-on: ubuntu-20.04 
@@ -843,101 +855,17 @@ jobs:
uses: actions/checkout@v2
with:
fetch-depth: 0
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_rbac_sub.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_vnet:
- runs-on: ubuntu-20.04
- name: 'Deploy virtual networks'
- env:
- namespace: 'Microsoft.Network\virtualNetworks'
- needs:
- - job_deploy_nsg
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths:
- [
- '1.bastion.parameters.json',
- '2.vnetpeer01.parameters.json',
- '3.vnetpeer02.parameters.json',
- '4.azfw.parameters.json',
- '5.aks.parameters.json',
- 'parameters.json',
- ]
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_sqlmi_vnet:
- runs-on: ubuntu-20.04
- name: 'Deploy sqlmi virtual network'
- if: github.event.inputs.deploySqlMiDependencies == 'true'
- env:
- namespace: 'Microsoft.Network\virtualNetworks'
- needs:
- - job_deploy_sqlmi_udr
- - job_deploy_sqlmi_nsg
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths: ['6.sqlmi.parameters.json']
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_dnszone:
- runs-on: ubuntu-20.04
- name: 'Deploy private DNS zones'
- env:
- namespace: 'Microsoft.Network\privateDnsZones'
- needs:
- - job_deploy_vnet
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths: ['parameters.json']
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
+ - name: Get msi principal ID output
+ uses: azure/powershell@v1
with:
- fetch-depth: 0
+ inlineScript: |
+ $msiPrincipalId = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}'
+ Write-Verbose $msiPrincipalId -Verbose
+ azPSVersion: 'latest'
- name: 'Deploy module'
uses: ./.github/actions/templates/validateModuleDeployment
with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_rbac_sub.bicep'
parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
location: '${{ env.defaultLocation }}'
resourceGroupName: '${{ env.defaultResourceGroupName }}'
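Review bot: The new `Get msi principal ID output` step runs `azure/powershell@v1`, which needs an authenticated Az PowerShell session, yet the only step visible before it in this job is the checkout; the other jobs in this file that use `azure/powershell@v1` (the key-vault secret jobs) first run `azure/login@v1` with `enable-AzPSSession: true`, so unless a login step exists above the hunk this step fails at runtime, and since it only echoes a value a plain `run:` with `shell: pwsh` would not need a session at all. The value is also expanded from `${{ needs.job_deploy_msi.outputs.msiPrincipalId }}` directly inside the script body, which is text substitution into PowerShell rather than a variable assignment; pass it through the step instead: `env:` / `MSI_PRINCIPAL_ID: ${{ needs.job_deploy_msi.outputs.msiPrincipalId }}` and `$msiPrincipalId = $env:MSI_PRINCIPAL_ID`. The job's header, including the `needs:` entry on `job_deploy_msi` that this expression requires, starts outside the hunk.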
@@ -945,31 +873,122 @@ jobs:
managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
removeDeployment: '${{ env.removeDeployment }}'
- job_deploy_vm:
- runs-on: ubuntu-20.04
- name: 'Deploy virtual machines'
- env:
- namespace: 'Microsoft.Compute\virtualMachines'
- needs:
- - job_deploy_kv_secrets
- - job_deploy_vnet
- - job_deploy_rsv
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths: ['parameters.json']
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
+ # job_deploy_vnet:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy virtual networks'
+ # env:
+ # namespace: 'Microsoft.Network\virtualNetworks'
+ # needs:
+ # - job_deploy_nsg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths:
+ # [
+ # '1.bastion.parameters.json',
+ # '2.vnetpeer01.parameters.json',
+ # '3.vnetpeer02.parameters.json',
+ # '4.azfw.parameters.json',
+ # '5.aks.parameters.json',
+ # 'parameters.json',
+ # ]
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_sqlmi_vnet:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy sqlmi virtual network'
+ # if: github.event.inputs.deploySqlMiDependencies == 'true'
+ # env:
+ # namespace: 'Microsoft.Network\virtualNetworks'
+ # needs:
+ # - job_deploy_sqlmi_udr
+ # - job_deploy_sqlmi_nsg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['6.sqlmi.parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_dnszone:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy private DNS zones'
+ # env:
+ # namespace: 'Microsoft.Network\privateDnsZones'
+ # needs:
+ # - job_deploy_vnet
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_vm:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy virtual machines'
+ # env:
+ # namespace: 'Microsoft.Compute\virtualMachines'
+ # needs:
+ # - job_deploy_kv_secrets
+ # - job_deploy_vnet
+ # - job_deploy_rsv
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
From d2f52f593ad03111f12aa1c2cbad0a70f0052051 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Fri, 14 Jan 2022 17:45:56 +0100
Subject: [PATCH 02/69] comment pipeline jobs
---
.github/workflows/platform.dependencies.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 13a801d682..f3e44122ba 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -60,8 +60,8 @@ jobs:
name: 'Deploy user assigned identity'
env:
namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities'
- needs:
- - job_deploy_rg
+ # needs:
+ # - job_deploy_rg
outputs:
msiPrincipalId: ${{ steps.deploy-msi-out.outputs.msiPrincipalId }}
strategy:
From e1a42ae179b741c28aca488b9b2f33003fe78f83 Mon Sep 17 00:00:00 2001
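Review bot: The four jobs this hunk re-adds (`job_deploy_vnet`, `job_deploy_sqlmi_vnet`, `job_deploy_dnszone`, `job_deploy_vm`) are kept as roughly 120 commented-out lines instead of being removed, and the first hunk of this patch does the same for the remaining dependency jobs. Git history already preserves the deleted text, while a commented copy silently drifts from the live jobs; here the commented `needs:` entries already point at jobs that are themselves commented out. If the intent is to skip these jobs temporarily while the MSI output is tested, a job-level `if: false` keeps them parseable, linted and visible in the workflow graph; if they are gone for good, delete them outright.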
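Review bot: Commenting out `needs: - job_deploy_rg` on `job_deploy_msi` drops the only ordering guarantee that the resource group exists before the identity is deployed into it, so on a fresh subscription this job can now start alongside or before `job_deploy_rg` and fail on a missing group. The hunk keeps `outputs: msiPrincipalId: ...`, which the later role-assignment job consumes, so a failure here propagates down the graph. If the group is assumed to pre-exist during this test phase, say so next to the commented lines, e.g. `# needs on job_deploy_rg disabled for testing; the resource group is assumed to exist`, or keep the dependency and gate `job_deploy_rg` instead.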
From: Erika Gressi
Date: Fri, 14 Jan 2022 18:05:38 +0100
Subject: [PATCH 03/69] test live token replacement
---
.github/workflows/platform.dependencies.yml | 25 +++++++++++++++++++
.../parameters/parameters.json | 2 +-
2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index f3e44122ba..325c5db1e3 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -862,6 +862,31 @@ jobs:
$msiPrincipalId = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}'
Write-Verbose $msiPrincipalId -Verbose
azPSVersion: 'latest'
+ - name: 'Replace msi principal ID in parameter file'
+ shell: pwsh
+ run: |
+ # Load used functions
+ . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1')
+
+ # Load Settings File
+ $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json
+
+ # Initialize Default Parameter File Tokens
+ $DefaultParameterFileTokens = @(
+ @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
+ )
+ $DefaultParameterFileTokens = $DefaultParameterFileTokens | ForEach-Object { [PSCustomObject]$PSItem }
+
+ # Construct Token Function Input
+ $ConvertTokensInputs = @{
+ ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ DefaultParameterFileTokens = $DefaultParameterFileTokens
+ TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ }
+
+ # Invoke Token Replacement Functionality
+ $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose
- name: 'Deploy module'
uses: ./.github/actions/templates/validateModuleDeployment
with:
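Review bot: The `Replace msi principal ID in parameter file` step expands `${{ needs.job_deploy_msi.outputs.msiPrincipalId }}` inside the `run:` body with no check that it is non-empty; if the upstream output is unset (the job skipped, or the `deploy-msi-out` step never writing it), the token is replaced by an empty string and the failure only surfaces later in the role-assignment deployment with a far less obvious message. Pass the value through the step and guard it before the token list is built: `env:` / `MSI_PRINCIPAL_ID: ${{ needs.job_deploy_msi.outputs.msiPrincipalId }}` on the step, then `if (-not $env:MSI_PRINCIPAL_ID) { throw 'msiPrincipalId output from job_deploy_msi is empty' }` and `Value = $env:MSI_PRINCIPAL_ID` in the hashtable, which also stops the expression from being spliced into script text. `Get-Content -Path "settings.json"` relies on the step's working directory being the checkout root; that holds for a default `run:` step but deserves a word in the `# Load Settings File` comment. The step list of this job continues outside the hunk.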
diff --git a/utilities/pipelines/dependencies/Microsoft.Authorization/roleAssignments/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.Authorization/roleAssignments/parameters/parameters.json
index 4a63cc7d1e..123e22dcc4 100644
--- a/utilities/pipelines/dependencies/Microsoft.Authorization/roleAssignments/parameters/parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.Authorization/roleAssignments/parameters/parameters.json
@@ -6,7 +6,7 @@
 "value": "Contributor"
 },
 "principalId": {
- "value": "cf33fea8-b30f-424f-ab73-c48d99e0b222" // The object ID of the deployed MSI
+ "value": "<>" // The object ID of the deployed MSI
 },
 "subscriptionId": {
 "value": "<>"
From 10b3f33e6fe107a8f30c2b8bf0f4ab5401177db0 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Fri, 14 Jan 2022 18:26:58 +0100
Subject: [PATCH 04/69] LocalCustomParameterFileTokens
---
 .github/workflows/platform.dependencies.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 325c5db1e3..b79635db92 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -881,6 +881,7 @@ jobs:
 $ConvertTokensInputs = @{
 ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 DefaultParameterFileTokens = $DefaultParameterFileTokens
+ LocalCustomParameterFileTokens = $Settings.parameterFileTokens.localTokens.tokens
 TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
 TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
 }
From a8a8d9638ec7c2b9a3ce457ff340c33ec1a591d5 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Fri, 14 Jan 2022 18:33:06 +0100
Subject: [PATCH 05/69] remove get step
---
 .github/workflows/platform.dependencies.yml | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index b79635db92..8c725cfc83 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -855,13 +855,6 @@ jobs:
 uses: actions/checkout@v2
 with:
 fetch-depth: 0
- - name: Get msi principal ID output
- uses: azure/powershell@v1
- with:
- inlineScript: |
- $msiPrincipalId = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}'
- Write-Verbose $msiPrincipalId -Verbose
- azPSVersion: 'latest'
 - name: 'Replace msi principal ID in parameter file'
 shell: pwsh
 run: |
From dcb17546c251a064a82aad99a89e705cd3be2309 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Fri, 14 Jan 2022 18:39:36 +0100
Subject: [PATCH 06/69] array 2
---
 .github/workflows/platform.dependencies.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 8c725cfc83..c6ba6b7d3e 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -867,6 +867,7 @@ jobs:
 # Initialize Default Parameter File Tokens
 $DefaultParameterFileTokens = @(
 @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
+ @{ Name = 'subscriptionId'; Value = '${{ secrets.ARM_SUBSCRIPTION_ID }}' }
 )
 $DefaultParameterFileTokens = $DefaultParameterFileTokens | ForEach-Object { [PSCustomObject]$PSItem }
From 5729e4cf4a3ef19a5c8847c90aa9f463f42b6b87 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Fri, 14 Jan 2022 18:55:36 +0100
Subject: [PATCH 07/69] remove local token param
---
 .github/workflows/platform.dependencies.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index c6ba6b7d3e..fa70423a8d 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
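Review bot: The added token copies `${{ secrets.ARM_SUBSCRIPTION_ID }}` into the script text and, through the token replacement, into the checked-out parameter file on the runner's disk. The `validateModuleDeployment` action already takes `subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'` as an input elsewhere in this workflow, so the file does not need to carry the value; if a file-level token is really required, pass it through `env:` in the same way as the MSI id so the script source does not embed the secret. The enclosing `run:` block starts and ends outside the hunk.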
@@ -855,7 +855,7 @@ jobs:
 uses: actions/checkout@v2
 with:
 fetch-depth: 0
- - name: 'Replace msi principal ID in parameter file'
+ - name: 'Get msi principal ID and replace token in parameter file'
 shell: pwsh
 run: |
 # Load used functions
@@ -875,7 +875,6 @@ jobs:
 $ConvertTokensInputs = @{
 ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
 DefaultParameterFileTokens = $DefaultParameterFileTokens
- LocalCustomParameterFileTokens = $Settings.parameterFileTokens.localTokens.tokens
 TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
 TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
 }
From 01ebf77a356221bfb1a73ffe27c672f24f24bdfb Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Sun, 16 Jan 2022 17:23:57 +0100
Subject: [PATCH 08/69] replace all hardcoded msi obj id
---
 .../Microsoft.KeyVault/vaults/parameters/parameters.json | 2 +-
 .../Microsoft.KeyVault/vaults/parameters/pe.parameters.json | 2 +-
 .../Microsoft.KeyVault/vaults/parameters/sqlmi.parameters.json | 2 +-
 .../vaults/parameters/parameters.json | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/parameters.json
index 6d32bb2116..8b77bfacd2 100644
--- a/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/parameters.json
@@ -26,7 +26,7 @@
 },
 {
 "tenantId": "<>",
- "objectId": "cf33fea8-b30f-424f-ab73-c48d99e0b222", // adding adp-sxx-az-msi-x-001 to get secrets
+ "objectId": "<>", // The object ID of the deployed MSI
 "permissions": {
 "keys": [],
 "secrets": [
diff --git a/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/pe.parameters.json b/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/pe.parameters.json
index 86d8b66830..0e74968bf1 100644
--- a/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/pe.parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/pe.parameters.json
@@ -9,7 +9,7 @@
 "value": [
 {
 "tenantId": "<>",
- "objectId": "cf33fea8-b30f-424f-ab73-c48d99e0b222", // adding adp-sxx-az-msi-x-001 to get secrets
+ "objectId": "<>", // The object ID of the deployed MSI
 "permissions": {
 "keys": [],
 "secrets": [
diff --git a/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/sqlmi.parameters.json b/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/sqlmi.parameters.json
index 8c586acbcf..f319210528 100644
--- a/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/sqlmi.parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/sqlmi.parameters.json
@@ -26,7 +26,7 @@
 },
 {
 "tenantId": "<>",
- "objectId": "cf33fea8-b30f-424f-ab73-c48d99e0b222", // adding adp-sxx-az-msi-x-001 to get secrets
+ "objectId": "<>", // The object ID of the deployed MSI
 "permissions": {
 "keys": [
 "Get",
diff --git a/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json
index 7a84003ad2..c5f02f223b 100644
--- a/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json
+++ b/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json
@@ -254,7 +254,7 @@
 {
 "roleDefinitionIdOrName": "Reader",
 "principalIds": [
- "cf33fea8-b30f-424f-ab73-c48d99e0b222" // The object ID of the deployed MSI
+ "<>" // The object ID of the deployed MSI
 ]
 }
 ]
From 86623d7a58808b7728e3c99da296f251dba7e8dd Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Sun, 16 Jan 2022 17:33:32 +0100
Subject: [PATCH 09/69] single list token
---
 .github/workflows/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index fa70423a8d..067844ac3a 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -867,7 +867,7 @@ jobs:
 # Initialize Default Parameter File Tokens
 $DefaultParameterFileTokens = @(
 @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
- @{ Name = 'subscriptionId'; Value = '${{ secrets.ARM_SUBSCRIPTION_ID }}' }
+ # @{ Name = 'subscriptionId'; Value = '${{ secrets.ARM_SUBSCRIPTION_ID }}' }
 )
 $DefaultParameterFileTokens = $DefaultParameterFileTokens | ForEach-Object { [PSCustomObject]$PSItem }
From d2c22f920db9e289ae097bac7787b16097a2c23f Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Sun, 16 Jan 2022 17:42:38 +0100
Subject: [PATCH 10/69] single list token array
---
 .github/workflows/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 067844ac3a..c3e8741173 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -869,7 +869,7 @@ jobs:
 @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
 # @{ Name = 'subscriptionId'; Value = '${{ secrets.ARM_SUBSCRIPTION_ID }}' }
 )
- $DefaultParameterFileTokens = $DefaultParameterFileTokens | ForEach-Object { [PSCustomObject]$PSItem }
+ # $DefaultParameterFileTokens = $DefaultParameterFileTokens | ForEach-Object { [PSCustomObject]$PSItem }
 # Construct Token Function Input
 $ConvertTokensInputs = @{
From bd0f51248543f2c0a4da1d89423f689963bbdb84 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Sun, 16 Jan 2022 17:49:08 +0100
Subject: [PATCH 11/69] single list token OtherCustomParameterFileTokens
---
 .github/workflows/platform.dependencies.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index c3e8741173..e3f0d5fd78 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -865,16 +865,14 @@ jobs:
 $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json
 # Initialize Default Parameter File Tokens
- $DefaultParameterFileTokens = @(
+ $OtherCustomParameterFileTokens = @(
 @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
- # @{ Name = 'subscriptionId'; Value = '${{ secrets.ARM_SUBSCRIPTION_ID }}' }
 )
- # $DefaultParameterFileTokens = $DefaultParameterFileTokens | ForEach-Object { [PSCustomObject]$PSItem }
 # Construct Token Function Input
 $ConvertTokensInputs = @{
 ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- DefaultParameterFileTokens = $DefaultParameterFileTokens
+ OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens
 TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
 TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
 }
From 96484650cb04966828209bb9f63419590e7c4316 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Sun, 16 Jan 2022 17:54:10 +0100
Subject: [PATCH 12/69] replace msi principal id in kv dep
---
 .github/workflows/platform.dependencies.yml | 81 ++++++++++++++-------
 1 file changed, 53 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index e3f0d5fd78..86ea47924f 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
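Review bot: The comment `# Initialize Default Parameter File Tokens` kept above the renamed `$OtherCustomParameterFileTokens` now describes a concept the step no longer uses, since the value is passed as `OtherCustomParameterFileTokens` rather than `DefaultParameterFileTokens`; change it to `# Initialize custom parameter file tokens (MSI principal ID from job_deploy_msi)`. The enclosing `run:` block starts and ends outside the hunk.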
@@ -605,34 +605,59 @@ jobs:
 # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 # removeDeployment: '${{ env.removeDeployment }}'
- # job_deploy_kv:
- # runs-on: ubuntu-20.04
- # name: 'Deploy key vaults'
- # env:
- # namespace: 'Microsoft.KeyVault\vaults'
- # needs:
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json', 'pe.parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
+ job_deploy_kv:
+ runs-on: ubuntu-20.04
+ name: 'Deploy key vaults'
+ env:
+ namespace: 'Microsoft.KeyVault\vaults'
+ needs:
+ - job_deploy_msi
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json', 'pe.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Get msi principal ID and replace token in parameter file'
+ shell: pwsh
+ run: |
+ # Load used functions
+ . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1')
+
+ # Load Settings File
+ $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json
+
+ # Initialize Default Parameter File Tokens
+ $OtherCustomParameterFileTokens = @(
+ @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
+ )
+
+ # Construct Token Function Input
+ $ConvertTokensInputs = @{
+ ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens
+ TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ }
+
+ # Invoke Token Replacement Functionality
+ $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
 # job_deploy_kv_secrets:
 # runs-on: ubuntu-20.04
From 1c3e4469aaf82fa47af87ae4d10e04a55ba58e4e Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Sun, 16 Jan 2022 18:03:53 +0100
Subject: [PATCH 13/69] replace msi principal id in kv sql and rsv dep
---
 .github/workflows/platform.dependencies.yml | 164 +++++++++++++-------
 1 file changed, 107 insertions(+), 57 deletions(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index 86ea47924f..fbaf6a7895 100644
--- a/.github/workflows/platform.dependencies.yml
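Review bot: `job_deploy_kv` now waits only for `job_deploy_msi`, with `job_deploy_sa`, `job_deploy_evh` and `job_deploy_law` commented out of `needs`; if `parameters.json` or `pe.parameters.json` reference those resources (diagnostic settings are the usual case), the deployment races them and fails intermittently instead of deterministically. A reason on the commented lines, e.g. `# - job_deploy_sa  # disabled while testing the MSI token replacement`, would make the intent reviewable. The 'Get msi principal ID and replace token in parameter file' step is a verbatim copy of the one in the role assignment job, and the next commit repeats it for `job_deploy_rsv` and `job_deploy_sqlmi_kv`; a composite action under `.github/actions/templates` taking an `msiPrincipalId` input would keep the four copies from drifting.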
+++ b/.github/workflows/platform.dependencies.yml 
@@ -576,34 +576,59 @@ jobs:
 # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 # removeDeployment: '${{ env.removeDeployment }}'
- # job_deploy_rsv:
- # runs-on: ubuntu-20.04
- # name: 'Deploy recovery services vault'
- # env:
- # namespace: 'Microsoft.RecoveryServices\vaults'
- # needs:
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
+ job_deploy_rsv:
+ runs-on: ubuntu-20.04
+ name: 'Deploy recovery services vault'
+ env:
+ namespace: 'Microsoft.RecoveryServices\vaults'
+ needs:
+ - job_deploy_msi
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Get msi principal ID and replace token in parameter file'
+ shell: pwsh
+ run: |
+ # Load used functions
+ . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1')
+
+ # Load Settings File
+ $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json
+
+ # Initialize Default Parameter File Tokens
+ $OtherCustomParameterFileTokens = @(
+ @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
+ )
+
+ # Construct Token Function Input
+ $ConvertTokensInputs = @{
+ ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens
+ TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ }
+
+ # Invoke Token Replacement Functionality
+ $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
 job_deploy_kv:
 runs-on: ubuntu-20.04
@@ -741,35 +766,60 @@ jobs:
 # }
 # azPSVersion: 'latest'
- # job_deploy_sqlmi_kv:
- # runs-on: ubuntu-20.04
- # name: 'Deploy sqlmi key vault'
- # if: github.event.inputs.deploySqlMiDependencies == 'true'
- # env:
- # namespace: 'Microsoft.KeyVault\vaults'
- # needs:
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['sqlmi.parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
+ job_deploy_sqlmi_kv:
+ runs-on: ubuntu-20.04
+ name: 'Deploy sqlmi key vault'
+ if: github.event.inputs.deploySqlMiDependencies == 'true'
+ env:
+ namespace: 'Microsoft.KeyVault\vaults'
+ needs:
+ - job_deploy_msi
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['sqlmi.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Get msi principal ID and replace token in parameter file'
+ shell: pwsh
+ run: |
+ # Load used functions
+ . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1')
+
+ # Load Settings File
+ $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json
+
+ # Initialize Default Parameter File Tokens
+ $OtherCustomParameterFileTokens = @(
+ @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
+ )
+
+ # Construct Token Function Input
+ $ConvertTokensInputs = @{
+ ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens
+ TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ }
+
+ # Invoke Token Replacement Functionality
+ $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
 # job_deploy_sqlmi_kv_secrets:
 # runs-on: ubuntu-20.04
From 012b23af9965674a4f86523da70ce9063e2a3551 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Sun, 16 Jan 2022 18:30:00 +0100
Subject: [PATCH 14/69] all dep back
---
 .github/workflows/platform.dependencies.yml | 1654 ++++++++---------
 docs/wiki/TestingDesign.md | 4 +-
 .../parameters/parameters.json | 2 +-
 .../vaults/parameters/parameters.json | 2 +-
 .../vaults/parameters/pe.parameters.json | 2 +-
 .../vaults/parameters/sqlmi.parameters.json | 2 +-
 .../vaults/parameters/parameters.json | 2 +-
 7 files changed, 834 insertions(+), 834 deletions(-)
diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml
index fbaf6a7895..6fc542db2a 100644
--- a/.github/workflows/platform.dependencies.yml
+++ b/.github/workflows/platform.dependencies.yml
@@ -30,40 +30,474 @@ env: DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: - # job_deploy_rg: - # runs-on: ubuntu-20.04 - # name: 'Deploy resource group' - # env: - # namespace: 'Microsoft.Resources\resourceGroups' - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['validation.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_rg: + runs-on: ubuntu-20.04 + name: 'Deploy resource group' + env: + namespace: 'Microsoft.Resources\resourceGroups' + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['validation.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_msi: + runs-on: ubuntu-20.04 + name: 'Deploy user assigned identity' + env: + namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' + needs: + - job_deploy_rg + outputs: + 
msiPrincipalId: ${{ steps.deploy-msi-out.outputs.msiPrincipalId }} + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + id: deploy-msi + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + - name: Set msi principal ID output + id: deploy-msi-out + uses: azure/powershell@v1 + with: + inlineScript: | + $deploymentOutput = '${{ steps.deploy-msi.outputs.deploymentOutput }}' + $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).msiPrincipalId + Write-Output ('::set-output name=msiPrincipalId::{0}' -f $msiPrincipalId) + azPSVersion: 'latest' + + job_deploy_pa: + runs-on: ubuntu-20.04 + name: 'Deploy policy assignment' + env: + namespace: 'Microsoft.Authorization\policyAssignments' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: 
'${{ env.removeDeployment }}' + + job_deploy_evh: + runs-on: ubuntu-20.04 + name: 'Deploy eventhub' + env: + namespace: 'Microsoft.EventHub\namespaces' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_law: + runs-on: ubuntu-20.04 + name: 'Deploy log analytics workspace' + env: + namespace: 'Microsoft.OperationalInsights\workspaces' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['appi.parameters.json', 'parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_sa: + runs-on: ubuntu-20.04 + name: 'Deploy storage account' + env: + namespace: 'Microsoft.Storage\storageAccounts' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: + 
['fa.parameters.json', 'law.parameters.json', 'parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_sa_upload_storage_files: + runs-on: ubuntu-20.04 + name: 'Upload files to storage account' + env: + namespace: 'Microsoft.Storage\storageAccounts' + needs: + - job_deploy_sa + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Setup agent' + shell: pwsh + run: | + # Load used functions + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.Storage' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + enable-AzPSSession: true + - name: Run PowerShell + uses: azure/powershell@v1 + with: + inlineScript: | + # Load used functions + . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1')
+
+ # Get storage account name
+ $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json'
+ $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters
+
+ # Upload files to storage account
+ $functionInput = @{
+ ResourceGroupName = '${{ env.defaultResourceGroupName }}'
+ StorageAccountName = $storageAccountParameters.name.value
+ contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads'
+ targetContainer = $storageAccountParameters.blobServices.value.containers[0].name
+ }
+
+ Write-Verbose "Invoke task with" -Verbose
+ Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
+
+ Export-ContentToBlob @functionInput -Verbose
+ azPSVersion: 'latest'
+
+ job_deploy_sig:
+ runs-on: ubuntu-20.04
+ name: 'Deploy shared image gallery and definition'
+ env:
+ namespace: 'Microsoft.Compute\galleries'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_ag:
+ runs-on: ubuntu-20.04
+ name: 'Deploy action groups'
+ env:
+ namespace: 'Microsoft.Insights\actionGroups'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_asg:
+ runs-on: ubuntu-20.04
+ name: 'Deploy application security groups'
+ env:
+ namespace: 'Microsoft.Network\applicationSecurityGroups'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_udr:
+ runs-on: ubuntu-20.04
+ name: 'Deploy route tables'
+ env:
+ namespace: 'Microsoft.Network\routeTables'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_sqlmi_udr:
+ runs-on: ubuntu-20.04
+ name: 'Deploy sqlmi route tables'
+ if: github.event.inputs.deploySqlMiDependencies == 'true'
+ env:
+ namespace: 'Microsoft.Network\routeTables'
+ needs:
+ - job_deploy_rg
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['sqlMi.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_nsg:
+ runs-on: ubuntu-20.04
+ name: 'Deploy network security groups'
+ env:
+ namespace: 'Microsoft.Network\networkSecurityGroups'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths:
+ [
+ 'apgw.parameters.json',
+ 'ase.parameters.json',
+ 'bastion.parameters.json',
+ 'parameters.json',
+ ]
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_sqlmi_nsg:
+ runs-on: ubuntu-20.04
+ name: 'Deploy sqlmi network security group'
+ if: github.event.inputs.deploySqlMiDependencies == 'true'
+ env:
+ namespace: 'Microsoft.Network\networkSecurityGroups'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['sqlmi.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
- job_deploy_msi:
+ job_deploy_pip:
 runs-on: ubuntu-20.04
- name: 'Deploy user assigned identity'
+ name: 'Deploy public IP addresses'
 env:
- namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities'
- # needs:
- # - job_deploy_rg
- outputs:
- msiPrincipalId: ${{ steps.deploy-msi-out.outputs.msiPrincipalId }}
+ namespace: 'Microsoft.Network\publicIPAddresses'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths:
+ ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
+
+ job_deploy_appi:
+ runs-on: ubuntu-20.04
+ name: 'Deploy application insight'
+ env:
+ namespace: 'Microsoft.Insights\components'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
 strategy:
 fail-fast: false
 matrix:
@@ -74,7 +508,6 @@ jobs:
 with:
 fetch-depth: 0
 - name: 'Deploy module'
- id: deploy-msi
 uses: ./.github/actions/templates/validateModuleDeployment
 with:
 templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
@@ -84,497 +517,64 @@ jobs:
 subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
- - name: Set msi principal ID output
- id: deploy-msi-out
- uses: azure/powershell@v1
+
+ job_deploy_aut:
+ runs-on: ubuntu-20.04
+ name: 'Deploy automation account'
+ env:
+ namespace: 'Microsoft.Automation\automationAccounts'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
 with:
- inlineScript: |
- $deploymentOutput = '${{ steps.deploy-msi.outputs.deploymentOutput }}'
- $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).msiPrincipalId
- Write-Output ('::set-output name=msiPrincipalId::{0}' -f $msiPrincipalId)
- azPSVersion: 'latest'
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
- # job_deploy_pa:
- # runs-on: ubuntu-20.04
- # name: 'Deploy policy assignment'
- # env:
- # namespace: 'Microsoft.Authorization\policyAssignments'
- # needs:
- # - job_deploy_rg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_evh:
- # runs-on: ubuntu-20.04
- # name: 'Deploy eventhub'
- # env:
- # namespace: 'Microsoft.EventHub\namespaces'
- # needs:
- # - job_deploy_rg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_law:
- # runs-on: ubuntu-20.04
- # name: 'Deploy log analytics workspace'
- # env:
- # namespace: 'Microsoft.OperationalInsights\workspaces'
- # needs:
- # - job_deploy_rg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['appi.parameters.json', 'parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_sa:
- # runs-on: ubuntu-20.04
- # name: 'Deploy storage account'
- # env:
- # namespace: 'Microsoft.Storage\storageAccounts'
- # needs:
- # - job_deploy_rg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths:
- # ['fa.parameters.json', 'law.parameters.json', 'parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_sa_upload_storage_files:
- # runs-on: ubuntu-20.04
- # name: 'Upload files to storage account'
- # env:
- # namespace: 'Microsoft.Storage\storageAccounts'
- # needs:
- # - job_deploy_sa
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Setup agent'
- # shell: pwsh
- # run: |
- # # Load used functions
- # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
-
- # # Define PS modules to install on the runner
- # $Modules = @(
- # @{ Name = 'Az.Storage' }
- # )
-
- # # Set agent up
- # Set-EnvironmentOnAgent -PSModules $Modules
- # - name: Azure Login
- # uses: azure/login@v1
- # with:
- # creds: ${{ secrets.AZURE_CREDENTIALS }}
- # enable-AzPSSession: true
- # - name: Run PowerShell
- # uses: azure/powershell@v1
- # with:
- # inlineScript: |
- # # Load used functions
- # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1')
-
- # # Get storage account name
- # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json'
- # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters
-
- # # Upload files to storage account
- # $functionInput = @{
- # ResourceGroupName = '${{ env.defaultResourceGroupName }}'
- # StorageAccountName = $storageAccountParameters.name.value
- # contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads'
- # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name
- # }
-
- # Write-Verbose "Invoke task with" -Verbose
- # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
-
- # Export-ContentToBlob @functionInput -Verbose
- # azPSVersion: 'latest'
-
- # job_deploy_sig:
- # runs-on: ubuntu-20.04
- # name: 'Deploy shared image gallery and definition'
- # env:
- # namespace: 'Microsoft.Compute\galleries'
- # needs:
- # - job_deploy_rg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_ag:
- # runs-on: ubuntu-20.04
- # name: 'Deploy action groups'
- # env:
- # namespace: 'Microsoft.Insights\actionGroups'
- # needs:
- # - job_deploy_rg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_asg:
- # runs-on: ubuntu-20.04
- # name: 'Deploy application security groups'
- # env:
- # namespace: 'Microsoft.Network\applicationSecurityGroups'
- # needs:
- # - job_deploy_rg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_udr:
- # runs-on: ubuntu-20.04
- # name: 'Deploy route tables'
- # env:
- # namespace: 'Microsoft.Network\routeTables'
- # needs:
- # - job_deploy_rg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_sqlmi_udr:
- # runs-on: ubuntu-20.04
- # name: 'Deploy sqlmi route tables'
- # if: github.event.inputs.deploySqlMiDependencies == 'true'
- # env:
- # namespace: 'Microsoft.Network\routeTables'
- # needs:
- # - job_deploy_rg
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['sqlMi.parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_nsg:
- # runs-on: ubuntu-20.04
- # name: 'Deploy network security groups'
- # env:
- # namespace: 'Microsoft.Network\networkSecurityGroups'
- # needs:
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths:
- # [
- # 'apgw.parameters.json',
- # 'ase.parameters.json',
- # 'bastion.parameters.json',
- # 'parameters.json',
- # ]
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_sqlmi_nsg:
- # runs-on: ubuntu-20.04
- # name: 'Deploy sqlmi network security group'
- # if: github.event.inputs.deploySqlMiDependencies == 'true'
- # env:
- # namespace: 'Microsoft.Network\networkSecurityGroups'
- # needs:
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['sqlmi.parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_pip:
- # runs-on: ubuntu-20.04
- # name: 'Deploy public IP addresses'
- # env:
- # namespace: 'Microsoft.Network\publicIPAddresses'
- # needs:
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths:
- # ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_appi:
- # runs-on: ubuntu-20.04
- # name: 'Deploy application insight'
- # env:
- # namespace: 'Microsoft.Insights\components'
- # needs:
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_aut:
- # runs-on: ubuntu-20.04
- # name: 'Deploy automation account'
- # env:
- # namespace: 'Microsoft.Automation\automationAccounts'
- # needs:
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
-
- # job_deploy_avdhp:
- # runs-on: ubuntu-20.04
- # name: 'Deploy AVD host pool'
- # env:
- # namespace: 'Microsoft.DesktopVirtualization\hostpools'
- # needs:
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
- # strategy:
- # fail-fast: false
- # matrix:
- # parameterFilePaths: ['parameters.json']
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Deploy module'
- # uses: ./.github/actions/templates/validateModuleDeployment
- # with:
- # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- # location: '${{ env.defaultLocation }}'
- # resourceGroupName: '${{ env.defaultResourceGroupName }}'
- # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- # removeDeployment: '${{ env.removeDeployment }}'
+ job_deploy_avdhp:
+ runs-on: ubuntu-20.04
+ name: 'Deploy AVD host pool'
+ env:
+ namespace: 'Microsoft.DesktopVirtualization\hostpools'
+ needs:
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
+ strategy:
+ fail-fast: false
+ matrix:
+ parameterFilePaths: ['parameters.json']
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Deploy module'
+ uses: ./.github/actions/templates/validateModuleDeployment
+ with:
+ templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ location: '${{ env.defaultLocation }}'
+ resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ removeDeployment: '${{ env.removeDeployment }}'
 job_deploy_rsv:
 runs-on: ubuntu-20.04
@@ -583,9 +583,9 @@ jobs:
 namespace: 'Microsoft.RecoveryServices\vaults'
 needs:
 - job_deploy_msi
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
 strategy:
 fail-fast: false
 matrix:
@@ -637,9 +637,9 @@ jobs:
 namespace: 'Microsoft.KeyVault\vaults'
 needs:
 - job_deploy_msi
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
 strategy:
 fail-fast: false
 matrix:
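Review bot: With the `Set msi principal ID output` step removed in this hunk (and its `id: deploy-msi` dropped in the previous one), `job_deploy_msi` no longer exports `msiPrincipalId`, yet the Recovery Services and Key Vault jobs in the two following hunks still keep `- job_deploy_msi` under `needs`. A leftover `needs.job_deploy_msi.outputs.msiPrincipalId` reference anywhere downstream would not fail the workflow but would silently expand to an empty string, so any parameter file or step that consumed that value (none is visible in this diff) should be checked, and the `needs` entry removed if the identity is no longer an input to those jobs. If the dependency is kept for ordering only, a comment next to it such as `# ordering only: job_deploy_msi no longer exports msiPrincipalId` would stop the next reader from looking for the missing output. The start of `job_deploy_msi`, including its former `outputs:` block, lies outside this hunk.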
@@ -684,87 +684,87 @@ jobs:
 managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
 removeDeployment: '${{ env.removeDeployment }}'
- # job_deploy_kv_secrets:
- # runs-on: ubuntu-20.04
- # name: 'Set key vault secrets keys and certificates'
- # env:
- # namespace: 'Microsoft.KeyVault\vaults'
- # needs:
- # - job_deploy_kv
- # steps:
- # - name: 'Checkout'
- # uses: actions/checkout@v2
- # with:
- # fetch-depth: 0
- # - name: 'Setup agent'
- # shell: pwsh
- # run: |
- # # Load used functions
- # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
-
- # # Define PS modules to install on the runner
- # $Modules = @(
- # @{ Name = 'Az.KeyVault' }
- # )
-
- # # Set agent up
- # Set-EnvironmentOnAgent -PSModules $Modules
- # - name: Azure Login
- # uses: azure/login@v1
- # with:
- # creds: ${{ secrets.AZURE_CREDENTIALS }}
- # enable-AzPSSession: true
- # - name: 'Set key vault secrets keys and certificates'
- # uses: azure/powershell@v1
- # with:
- # inlineScript: |
- # # Get key vault name
- # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json'
- # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters
- # $keyVaultName = $keyVaultParameters.name.value
-
- # # Generate values
- # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length
- # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force
- # $passwordString = (New-Guid).Guid.SubString(0, 19)
- # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force
- # $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32)
- # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force
-
- # # Set secrets
- # # -------
- # @(
- # @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS
- # @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS
- # @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer
- # @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer
- # @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway
- # @{ name = 'apimClientId'; secretValue = $username } # API management
- # @{ name = 'apimClientSecret'; secretValue = $password } # API management
- # ) | ForEach-Object {
- # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
- # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
- # }
-
- # # Set certificates
- # # -----------
- # $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal
- # @(
- # @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway
- # ) | ForEach-Object {
- # $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy
- # Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
- # }
-
- # # Set keys
- # # ----
- # @(
- # @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS
- # ) | ForEach-Object {
- # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
- # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
- # }
- # azPSVersion: 'latest'
+ job_deploy_kv_secrets:
+ runs-on: ubuntu-20.04
+ name: 'Set key vault secrets keys and certificates'
+ env:
+ namespace: 'Microsoft.KeyVault\vaults'
+ needs:
+ - job_deploy_kv
+ steps:
+ - name: 'Checkout'
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: 'Setup agent'
+ shell: pwsh
+ run: |
+ # Load used functions
+ . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
+
+ # Define PS modules to install on the runner
+ $Modules = @(
+ @{ Name = 'Az.KeyVault' }
+ )
+
+ # Set agent up
+ Set-EnvironmentOnAgent -PSModules $Modules
+ - name: Azure Login
+ uses: azure/login@v1
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+ enable-AzPSSession: true
+ - name: 'Set key vault secrets keys and certificates'
+ uses: azure/powershell@v1
+ with:
+ inlineScript: |
+ # Get key vault name
+ $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json'
+ $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters
+ $keyVaultName = $keyVaultParameters.name.value
+
+ # Generate values
+ $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length
+ $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force
+ $passwordString = (New-Guid).Guid.SubString(0, 19)
+ $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force
+ $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32)
+ $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force
+
+ # Set secrets
+ # -------
+ @(
+ @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS
+ @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS
+ @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer
+ @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer
+ @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway
+ @{ name = 'apimClientId'; secretValue = $username } # API management
+ @{ name = 'apimClientSecret'; secretValue = $password } # API management
+ ) | ForEach-Object {
+ $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
+ Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+
+ # Set certificates
+ # -----------
+ $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal
+ @(
+ @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway
+ ) | ForEach-Object {
+ $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy
+ Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+
+ # Set keys
+ # ----
+ @(
+ @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS
+ ) | ForEach-Object {
+ $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
+ Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ }
+ azPSVersion: 'latest'
 job_deploy_sqlmi_kv:
 runs-on: ubuntu-20.04
@@ -774,9 +774,9 @@ jobs:
 namespace: 'Microsoft.KeyVault\vaults'
 needs:
 - job_deploy_msi
- # - job_deploy_sa
- # - job_deploy_evh
- # - job_deploy_law
+ - job_deploy_sa
+ - job_deploy_evh
+ - job_deploy_law
 strategy:
 fail-fast: false
 matrix:
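Review bot: Now that `job_deploy_kv_secrets` is active, the credential material its `inlineScript` writes is weaker than the vault it lands in: `$passwordString` and `$vpnSharedKeyString` are substrings of a GUID (hex digits and dashes, with a fixed version nibble), and the single `$password` value is stored three times, as `adminPassword`, `administratorLoginPassword` and `apimClientSecret`, so one value guards three different resource types. Deriving each value independently from the platform CSPRNG keeps the rest of the step unchanged, e.g. `$buf = [byte[]]::new(24); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)` followed by `$passwordString = [Convert]::ToBase64String($buf)`, with the result checked against each consumer's complexity rules. `$usernameString` is produced with `Get-Random ... -SetSeed 1`, so it is the same on every run; if a stable login name is the intent, say so in the comment, e.g. `# fixed seed: the login name must be identical across runs`. Discarding the cmdlet output with `$null =` and logging only secret names is the right choice for the job log. The hunk's leading context belongs to `job_deploy_kv`, whose start is outside this hunk.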
@@ -821,98 +821,98 @@ jobs: managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - # job_deploy_sqlmi_kv_secrets: - # runs-on: ubuntu-20.04 - # name: 'Set sqlmi key vault secrets and keys' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # needs: - # - job_deploy_sqlmi_kv - # env: - # namespace: 'Microsoft.KeyVault\vaults' - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Setup agent' - # shell: pwsh - # run: | - # # Load used functions - # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.KeyVault' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - name: Azure Login - # uses: azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - # enable-AzPSSession: true - # - name: 'Set sqlmi key vault secrets and keys' - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # # Get key vault name - # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json' - # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - # $keyVaultName = $keyVaultParameters.name.value - - # # Generate values - # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $passwordString = (New-Guid).Guid.SubString(0, 19) - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - - # # Set secrets - # # ------- - # @( - # @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances - # @{ name = 'administratorLoginPassword'; secretValue = 
$password } # SQLManagedInstances - # ) | ForEach-Object { - # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - - # # Set keys - # # ---- - # @( - # @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances - # ) | ForEach-Object { - # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - # azPSVersion: 'latest' - - # job_deploy_avdag: - # runs-on: ubuntu-20.04 - # name: 'Deploy AVD application group' - # env: - # namespace: 'Microsoft.DesktopVirtualization\applicationgroups' - # needs: - # - job_deploy_avdhp - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_sqlmi_kv_secrets: + runs-on: ubuntu-20.04 + name: 'Set sqlmi key vault secrets and keys' + if: github.event.inputs.deploySqlMiDependencies == 'true' + needs: + - job_deploy_sqlmi_kv + env: + namespace: 'Microsoft.KeyVault\vaults' + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Setup agent' + shell: pwsh + run: | + # Load used functions + . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + enable-AzPSSession: true + - name: 'Set sqlmi key vault secrets and keys' + uses: azure/powershell@v1 + with: + inlineScript: | + # Get key vault name + $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json' + $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + $keyVaultName = $keyVaultParameters.name.value + + # Generate values + $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $passwordString = (New-Guid).Guid.SubString(0, 19) + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + + # Set secrets + # ------- + @( + @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances + @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances + ) | ForEach-Object { + $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + + # Set keys + # ---- + @( + @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances + ) | ForEach-Object { + $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination + Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + azPSVersion: 'latest' + + job_deploy_avdag: 
+ runs-on: ubuntu-20.04 + name: 'Deploy AVD application group' + env: + namespace: 'Microsoft.DesktopVirtualization\applicationgroups' + needs: + - job_deploy_avdhp + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' job_deploy_rolea: runs-on: ubuntu-20.04 @@ -933,18 +933,18 @@ jobs: - name: 'Get msi principal ID and replace token in parameter file' shell: pwsh run: | - # Load used functions + Load used functions . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') - # Load Settings File + Load Settings File $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json - # Initialize Default Parameter File Tokens + Initialize Default Parameter File Tokens $OtherCustomParameterFileTokens = @( @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' } ) - # Construct Token Function Input + Construct Token Function Input $ConvertTokensInputs = @{ ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens 
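Review bot: The `administratorLoginPassword` written by the re-enabled `Set sqlmi key vault secrets and keys` step is `(New-Guid).Guid.SubString(0, 19)`, i.e. 16 lowercase-hex characters plus two fixed hyphens, so roughly 60 bits of entropy from a 17-symbol alphabet for a SQL Managed Instance admin credential. That may be acceptable for a throwaway validation environment, but a CSPRNG-backed value is a two-line change: `$buf = [byte[]]::new(24); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)` followed by `$passwordString = [Convert]::ToBase64String($buf)` (check the result against SQL MI password-complexity rules before relying on it). The deterministic username from `Get-Random -SetSeed 1` looks intentional for stability, but the script assigns `$userName` and reads `$username`; PowerShell resolves both to the same variable, so it works, though the casing should be made consistent. Positively, the `Write-Verbose` lines log only secret names, never values.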
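Review bot: Stripping the `# ` from the four comment lines in the `Get msi principal ID and replace token in parameter file` run block turns them into PowerShell statements, so `Load used functions` is parsed as a call to a command named `Load` with two positional arguments and the step will fail on command-not-found before `Convert-TokensInParameterFile` is ever invoked. This looks like an accidental find-and-replace rather than an intended change. Restore the leading `# ` on each of the four lines (e.g. `# Load used functions`, `# Load Settings File`). The `run: |` block this belongs to continues past the end of this hunk.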
@@ -952,7 +952,7 @@ jobs: TokenSuffix = $Settings.parameterFileTokens.tokenSuffix } - # Invoke Token Replacement Functionality + Invoke Token Replacement Functionality $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment 
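Review bot: `Invoke Token Replacement Functionality` is no longer a comment after this hunk, so PowerShell will try to execute a command named `Invoke` and the step errors out before the `Convert-TokensInParameterFile @ConvertTokensInputs` call on the next line runs. Restore it as `# Invoke Token Replacement Functionality`. The enclosing `run: |` step starts outside this hunk and has the same problem on its earlier comment lines.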
@@ -965,122 +965,122 @@ jobs: managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - # job_deploy_vnet: - # runs-on: ubuntu-20.04 - # name: 'Deploy virtual networks' - # env: - # namespace: 'Microsoft.Network\virtualNetworks' - # needs: - # - job_deploy_nsg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # [ - # '1.bastion.parameters.json', - # '2.vnetpeer01.parameters.json', - # '3.vnetpeer02.parameters.json', - # '4.azfw.parameters.json', - # '5.aks.parameters.json', - # 'parameters.json', - # ] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sqlmi_vnet: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi virtual network' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.Network\virtualNetworks' - # needs: - # - job_deploy_sqlmi_udr - # - job_deploy_sqlmi_nsg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['6.sqlmi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ 
env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_dnszone: - # runs-on: ubuntu-20.04 - # name: 'Deploy private DNS zones' - # env: - # namespace: 'Microsoft.Network\privateDnsZones' - # needs: - # - job_deploy_vnet - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_vm: - # runs-on: ubuntu-20.04 - # name: 'Deploy virtual machines' - # env: - # namespace: 'Microsoft.Compute\virtualMachines' - # needs: - # - job_deploy_kv_secrets - # - job_deploy_vnet - # - job_deploy_rsv - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ 
secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_vnet: + runs-on: ubuntu-20.04 + name: 'Deploy virtual networks' + env: + namespace: 'Microsoft.Network\virtualNetworks' + needs: + - job_deploy_nsg + strategy: + fail-fast: false + matrix: + parameterFilePaths: + [ + '1.bastion.parameters.json', + '2.vnetpeer01.parameters.json', + '3.vnetpeer02.parameters.json', + '4.azfw.parameters.json', + '5.aks.parameters.json', + 'parameters.json', + ] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_sqlmi_vnet: + runs-on: ubuntu-20.04 + name: 'Deploy sqlmi virtual network' + if: github.event.inputs.deploySqlMiDependencies == 'true' + env: + namespace: 'Microsoft.Network\virtualNetworks' + needs: + - job_deploy_sqlmi_udr + - job_deploy_sqlmi_nsg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['6.sqlmi.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ 
secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_dnszone: + runs-on: ubuntu-20.04 + name: 'Deploy private DNS zones' + env: + namespace: 'Microsoft.Network\privateDnsZones' + needs: + - job_deploy_vnet + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_vm: + runs-on: ubuntu-20.04 + name: 'Deploy virtual machines' + env: + namespace: 'Microsoft.Compute\virtualMachines' + needs: + - job_deploy_kv_secrets + - job_deploy_vnet + - job_deploy_rsv + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' 
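Review bot: Each of the four re-enabled jobs (`job_deploy_vnet`, `job_deploy_sqlmi_vnet`, `job_deploy_dnszone`, `job_deploy_vm`) references `actions/checkout@v2` by a mutable major-version tag while passing `secrets.ARM_SUBSCRIPTION_ID` and `secrets.ARM_MGMTGROUP_ID` into the same job, so whoever can move that tag can run code with those values in scope. Pinning third-party actions to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v2`, closes that supply-chain gap; the same applies to `azure/login@v1` and `azure/powershell@v1` elsewhere in this workflow. `fetch-depth: 0` also pulls the full history for jobs that only read parameter files from the working tree, which is presumably unnecessary here.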
diff --git a/docs/wiki/TestingDesign.md b/docs/wiki/TestingDesign.md index 4dd6a84ef1..8087640f93 100644 --- a/docs/wiki/TestingDesign.md +++ b/docs/wiki/TestingDesign.md @@ -113,8 +113,8 @@ Since also dependency resources are in turn subject to dependencies with each ot **Second level resources**: This group of resources has a dependency only on the resource group which will host them. Resources in this group can be deployed in parallel. - 1. User assigned identity: This resource is leveraged by all dependency resources - > **Note**: The object ID of the [user assigned identity] must be set in several dependency parameter files. However, when you first run the pipeline, this object ID will be unknown. It is hence recommended to either manually create the MSI beforehand - or - run the pipeline without the ID once (which will cause the pipeline to fail during the ID's usage, but **after** the MSI was deployed), then update the value in the parameter files and finally re-run the pipeline. + 1. User assigned identity: This resource is leveraged by the [role assignment], [key vault] and [recovery services vault] dependency resources. + > **Note**: The object ID of the [user assigned identity] is needed by several dependency parameter files. However, before running the dependency pipeline for the first time, the [user assigned identity] resource does not exist yet, thus its object ID is unknown. For this reason, instead of the object ID value, some dependency parameter files contain an `"<>"` token, for which the correct value is retrieved and replaced by the pipeline at runtime. 1. Policy assignment: This resource is leveraged by the [policy exemption] resource. 1. Log analytics workspace: This resource is leveraged by all resources supporting diagnostic settings on LAW. 1. Storage account: This resource is leveraged by all resources supporting diagnostic settings on a storage account. 
diff --git a/utilities/pipelines/dependencies/Microsoft.Authorization/roleAssignments/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.Authorization/roleAssignments/parameters/parameters.json index 123e22dcc4..d7f912954c 100644 --- a/utilities/pipelines/dependencies/Microsoft.Authorization/roleAssignments/parameters/parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.Authorization/roleAssignments/parameters/parameters.json @@ -6,7 +6,7 @@ "value": "Contributor" }, "principalId": { - "value": "<>" // The object ID of the deployed MSI + "value": "<>" // The object ID of the deployed MSI. Replaced by the pipeline }, "subscriptionId": { "value": "<>" diff --git a/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/parameters.json index 8b77bfacd2..626ac4d03a 100644 --- a/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/parameters.json @@ -26,7 +26,7 @@ }, { "tenantId": "<>", - "objectId": "<>", // The object ID of the deployed MSI + "objectId": "<>", // The object ID of the deployed MSI. Replaced by the pipeline "permissions": { "keys": [], "secrets": [ diff --git a/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/pe.parameters.json b/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/pe.parameters.json index 0e74968bf1..e921e73da9 100644 --- a/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/pe.parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/pe.parameters.json @@ -9,7 +9,7 @@ "value": [ { "tenantId": "<>", - "objectId": "<>", // The object ID of the deployed MSI + "objectId": "<>", // The object ID of the deployed MSI. Replaced by the pipeline "permissions": { "keys": [], "secrets": [ 
diff --git a/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/sqlmi.parameters.json b/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/sqlmi.parameters.json index f319210528..ead3ca98aa 100644 --- a/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/sqlmi.parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.KeyVault/vaults/parameters/sqlmi.parameters.json @@ -26,7 +26,7 @@ }, { "tenantId": "<>", - "objectId": "<>", // The object ID of the deployed MSI + "objectId": "<>", // The object ID of the deployed MSI. Replaced by the pipeline "permissions": { "keys": [ "Get", diff --git a/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json b/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json index c5f02f223b..258acb9495 100644 --- a/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json +++ b/utilities/pipelines/dependencies/Microsoft.RecoveryServices/vaults/parameters/parameters.json @@ -254,7 +254,7 @@ { "roleDefinitionIdOrName": "Reader", "principalIds": [ - "<>" // The object ID of the deployed MSI + "<>" // The object ID of the deployed MSI. Replaced by the pipeline ] } ] From 30fc91f49e323be40d8e83eb6d9dd608e142daf6 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Sun, 16 Jan 2022 18:32:12 +0100 Subject: [PATCH 15/69] a --- docs/wiki/TestingDesign.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/wiki/TestingDesign.md b/docs/wiki/TestingDesign.md index 8087640f93..16d255850e 100644 --- a/docs/wiki/TestingDesign.md +++ b/docs/wiki/TestingDesign.md 
@@ -114,7 +114,7 @@ Since also dependency resources are in turn subject to dependencies with each ot **Second level resources**: This group of resources has a dependency only on the resource group which will host them. Resources in this group can be deployed in parallel. 1. User assigned identity: This resource is leveraged by the [role assignment], [key vault] and [recovery services vault] dependency resources. - > **Note**: The object ID of the [user assigned identity] is needed by several dependency parameter files. However, before running the dependency pipeline for the first time, the [user assigned identity] resource does not exist yet, thus its object ID is unknown. For this reason, instead of the object ID value, some dependency parameter files contain an `"<>"` token, for which the correct value is retrieved and replaced by the pipeline at runtime. + > **Note**: The object ID of the [user assigned identity] is needed by several dependency parameter files. However, before running the dependency pipeline for the first time, the [user assigned identity] resource does not exist yet, thus its object ID is unknown. For this reason, instead of the object ID value, some dependency parameter files contain the `"<>"` token, for which the correct value is retrieved and replaced by the pipeline at runtime. 1. Policy assignment: This resource is leveraged by the [policy exemption] resource. 1. Log analytics workspace: This resource is leveraged by all resources supporting diagnostic settings on LAW. 1. Storage account: This resource is leveraged by all resources supporting diagnostic settings on a storage account. From d424cece81846a1643a5474a12351f0b7ec0d699 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Sun, 16 Jan 2022 18:59:09 +0100 Subject: [PATCH 16/69] ado pipeline --- .../platform.dependencies.yml | 1180 +++++++++-------- 1 file changed, 601 insertions(+), 579 deletions(-) 
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 9abe3c0aea..286e5d9da7 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -30,23 +30,23 @@ variables: value: 'validation-rg' stages: - - stage: deploy_rg - displayName: Deploy resource group - variables: - resourceType: 'Microsoft.Resources/resourceGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json - templateFilePath: $(templateFilePath) - displayName: Validation Resource Group + # - stage: deploy_rg + # displayName: Deploy resource group + # variables: + # resourceType: 'Microsoft.Resources/resourceGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Validation Resource Group - stage: deploy_msi displayName: Deploy user assigned identity - dependsOn: - - deploy_rg + # dependsOn: + # - deploy_rg variables: resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep 
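Review bot: Commenting out the `deploy_rg` stage together with the `dependsOn: - deploy_rg` of `deploy_msi` removes the only stage that creates `validation-rg`, so on a fresh subscription the user-assigned identity deployment now targets a resource group that may not exist, and the stage ordering guarantee is gone. If this is a temporary shortcut for testing, as the commit title suggests, it would be safer to gate the stage behind a pipeline parameter than to leave commented-out stages that can be merged by accident. At minimum, add a comment next to the commented block stating why it is disabled and when it is expected to be restored.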
@@ -57,581 +57,603 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: User Assigned Identity - - - stage: deploy_pa - displayName: Deploy policy assignment - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.Authorization/policyAssignments' - templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Policy assignment - - - stage: deploy_evh - displayName: Deploy event hub - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.EventHub/namespaces' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: EventHub - - - stage: deploy_law - displayName: Deploy log analytics workspace - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.OperationalInsights/workspaces' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default LAW - - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json - templateFilePath: $(templateFilePath) - displayName: AppInsights LAW - - - stage: deploy_sa - displayName: Deploy storage account - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.Storage/storageAccounts' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - 
template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default storage account - jobName: default_sa - - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json - templateFilePath: $(templateFilePath) - displayName: LAW storage account - - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json - templateFilePath: $(templateFilePath) - displayName: FunctionApp storage account + jobName: job_deploy_msi - job: - displayName: Upload files to storage account + displayName: Set msi principal ID output dependsOn: - - default_sa + - job_deploy_msi pool: ${{ if eq(variables['vmImage'], '') }}: name: $(poolName) ${{ if eq(variables['poolName'], '') }}: vmImage: $(vmImage) + variables: + deploymentOutput: $[ dependencies.job_deploy_msi.outputs['DeployModule.deploymentOutput'] ] steps: - task: PowerShell@2 - displayName: 'Setup agent' inputs: targetType: inline pwsh: true script: | - # Load used functions - . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.Storage' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - task: AzurePowerShell@5 - displayName: Upload files to storage account - inputs: - azureSubscription: $(serviceConnection) - ScriptType: 'InlineScript' - Inline: | - # Load used functions - . 
(Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # Get storage account name - $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' - $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # Upload files to storage account - $functionInput = @{ - ResourceGroupName = '$(defaultResourceGroupName)' - StorageAccountName = $storageAccountParameters.name.value - contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' - targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - } - - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - Export-ContentToBlob @functionInput -Verbose - azurePowerShellVersion: 'LatestVersion' - pwsh: true - - - stage: deploy_sig - displayName: Deploy shared image gallery and definition - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.Compute/galleries' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default SIG and SID - - - stage: deploy_ag - displayName: Deploy action groups - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.Insights/actionGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Action Group - - - stage: deploy_asg - displayName: Deploy application security groups - 
dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.Network/applicationSecurityGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Security Groups - - - stage: deploy_udr - displayName: Deploy route tables - dependsOn: - - deploy_rg - variables: - resourceType: 'Microsoft.Network/routeTables' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default User Defined Routes - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI User Defined Routes - - - stage: deploy_nsg - displayName: Deploy network security groups - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.Network/networkSecurityGroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default NSG - - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - templateFilePath: $(templateFilePath) - displayName: App Gateway NSG - - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json - templateFilePath: $(templateFilePath) - displayName: ASE NSG - - path: 
$(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion NSG - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI NSG - - - stage: deploy_pip - displayName: Deploy public IP addresses - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.Network\publicIPAddresses' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - templateFilePath: $(templateFilePath) - displayName: App Gateway Public IP - - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Public IP - - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json - templateFilePath: $(templateFilePath) - displayName: Load balancer Public IP - - - stage: deploy_appi - displayName: Deploy application insight - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.Insights/components' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Insights - - - stage: deploy_aut - displayName: Deploy automation account - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.Automation/automationAccounts' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: 
/.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Automation Account - - - stage: deploy_avdhp - displayName: Deploy AVD host pool - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.DesktopVirtualization/hostpools' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default AVD Host Pool - - - stage: deploy_rsv - displayName: Deploy recovery services vault - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.RecoveryServices/vaults' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default recovery services vault - - - stage: deploy_kv - displayName: Deploy key vaults - dependsOn: - - deploy_sa - - deploy_evh - - deploy_law - variables: - resourceType: 'Microsoft.KeyVault/vaults' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Key Vault - jobName: default_kv - - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json - templateFilePath: $(templateFilePath) - displayName: Private Endpoint Key Vault - - ${{ if eq( parameters.deploySqlMiDependencies, 
true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQLMI key vault - jobName: sqlmi_kv - - job: - displayName: Set key vault secrets keys and certificates - dependsOn: - - default_kv - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: PowerShell@2 - displayName: 'Setup agent' - inputs: - targetType: inline - pwsh: true - script: | - # Load used functions - . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.KeyVault' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - task: AzurePowerShell@5 - displayName: Set key vault secrets keys and certificates - inputs: - azureSubscription: $(serviceConnection) - ScriptType: 'InlineScript' - Inline: | - # Get key vault name - $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' - $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - $keyVaultName = $keyVaultParameters.name.value - - # Generate values - $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $passwordString = (New-Guid).Guid.SubString(0, 19) - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) - $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - - # Set secrets - # ------- - @( - @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS - @{ name = 'adminPassword'; 
secretValue = $password } # VirtualMachines and VMSS - @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer - @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer - @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway - @{ name = 'apimClientId'; secretValue = $username } # API management - @{ name = 'apimClientSecret'; secretValue = $password } # API management - ) | ForEach-Object { - $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Certificats - # ----------- - $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - @( - @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway - ) | ForEach-Object { - $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy - Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set keys - # ---- - @( - @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS - ) | ForEach-Object { - $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - azurePowerShellVersion: 'LatestVersion' - pwsh: true - - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - job: - displayName: Set sqlmi key vault secrets and keys - condition: eq(${{ parameters.deploySqlMiDependencies }}, true) - dependsOn: - - sqlmi_kv - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - steps: - - task: 
PowerShell@2 - displayName: 'Setup agent' - inputs: - targetType: inline - pwsh: true - script: | - # Load used functions - . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.KeyVault' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - task: AzurePowerShell@5 - displayName: Set sqlmi key vault secrets and keys - inputs: - azureSubscription: $(serviceConnection) - ScriptType: 'InlineScript' - Inline: | - # Get key vault name - $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'sqlmi.parameters.json' - $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - $keyVaultName = $keyVaultParameters.name.value - - # Generate values - $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $passwordString = (New-Guid).Guid.SubString(0, 19) - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - - # Set secrets - # ------- - @( - @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances - @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances - ) | ForEach-Object { - $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set keys - # ---- - @( - @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances - ) | ForEach-Object { - $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, 
$keyVaultName) -Verbose - } - azurePowerShellVersion: 'LatestVersion' - pwsh: true - - - stage: deploy_avdag - displayName: Deploy AVD application group - dependsOn: - - deploy_avdhp - variables: - resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Application Group - - - stage: deploy_rolea - displayName: Deploy role assignments - dependsOn: - - deploy_msi - variables: - resourceType: 'Microsoft.Authorization\roleAssignments' - templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: MSI Role Assignment - - - stage: deploy_vnet - displayName: Deploy virtual networks - dependsOn: - - deploy_nsg - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - deploy_udr - variables: - resourceType: 'Microsoft.Network/virtualNetworks' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json - templateFilePath: $(templateFilePath) - displayName: Bastion Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json - templateFilePath: $(templateFilePath) - displayName: VNET PEering 1 Virtual Network - - path: 
$(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json - templateFilePath: $(templateFilePath) - displayName: VNET Peering 2 Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json - templateFilePath: $(templateFilePath) - displayName: Azure Firewall Virtual Network - - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json - templateFilePath: $(templateFilePath) - displayName: AKS Virtual Network - - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json - templateFilePath: $(templateFilePath) - displayName: SQL MI Virtual Network - - - stage: deploy_dnszone - displayName: Deploy private DNS zones - dependsOn: - - deploy_vnet - variables: - resourceType: 'Microsoft.Network/privateDnsZones' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Private DNS Zones - - - stage: deploy_vm - displayName: Deploy virtual machines - dependsOn: - - deploy_vnet - - deploy_rsv - - deploy_kv - variables: - resourceType: 'Microsoft.Compute/virtualMachines' - templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - jobs: - - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - parameters: - deploymentBlocks: - - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - templateFilePath: $(templateFilePath) - displayName: Default Virtual Machine + $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).msiPrincipalId + Write-Verbose "msiPrincipalId: $msiPrincipalId" -Verbose + Write-Output ('##vso[task.setvariable variable={0};isOutput=true]{1}' -f 'msiPrincipalId', $msiPrincipalId) + + # - stage: deploy_pa + # displayName: Deploy policy 
assignment + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.Authorization/policyAssignments' + # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Policy assignment + + # - stage: deploy_evh + # displayName: Deploy event hub + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.EventHub/namespaces' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: EventHub + + # - stage: deploy_law + # displayName: Deploy log analytics workspace + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.OperationalInsights/workspaces' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default LAW + # - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: AppInsights LAW + + # - stage: deploy_sa + # displayName: Deploy storage account + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.Storage/storageAccounts' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: 
$(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default storage account + # jobName: default_sa + # - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: LAW storage account + # - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: FunctionApp storage account + # - job: + # displayName: Upload files to storage account + # dependsOn: + # - default_sa + # pool: + # ${{ if eq(variables['vmImage'], '') }}: + # name: $(poolName) + # ${{ if eq(variables['poolName'], '') }}: + # vmImage: $(vmImage) + # steps: + # - task: PowerShell@2 + # displayName: 'Setup agent' + # inputs: + # targetType: inline + # pwsh: true + # script: | + # # Load used functions + # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Define PS modules to install on the runner + # $Modules = @( + # @{ Name = 'Az.Storage' } + # ) + + # # Set agent up + # Set-EnvironmentOnAgent -PSModules $Modules + # - task: AzurePowerShell@5 + # displayName: Upload files to storage account + # inputs: + # azureSubscription: $(serviceConnection) + # ScriptType: 'InlineScript' + # Inline: | + # # Load used functions + # . 
(Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # # Get storage account name + # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' + # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # # Upload files to storage account + # $functionInput = @{ + # ResourceGroupName = '$(defaultResourceGroupName)' + # StorageAccountName = $storageAccountParameters.name.value + # contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' + # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + # } + + # Write-Verbose "Invoke task with" -Verbose + # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + # Export-ContentToBlob @functionInput -Verbose + # azurePowerShellVersion: 'LatestVersion' + # pwsh: true + + # - stage: deploy_sig + # displayName: Deploy shared image gallery and definition + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.Compute/galleries' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default SIG and SID + + # - stage: deploy_ag + # displayName: Deploy action groups + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.Insights/actionGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default 
Action Group + + # - stage: deploy_asg + # displayName: Deploy application security groups + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.Network/applicationSecurityGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Security Groups + + # - stage: deploy_udr + # displayName: Deploy route tables + # dependsOn: + # - deploy_rg + # variables: + # resourceType: 'Microsoft.Network/routeTables' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default User Defined Routes + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI User Defined Routes + + # - stage: deploy_nsg + # displayName: Deploy network security groups + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.Network/networkSecurityGroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default NSG + # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: App Gateway NSG + # - path: 
$(dependencyPath)/$(resourceType)/parameters/ase.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: ASE NSG + # - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion NSG + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI NSG + + # - stage: deploy_pip + # displayName: Deploy public IP addresses + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.Network\publicIPAddresses' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: App Gateway Public IP + # - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion Public IP + # - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Load balancer Public IP + + # - stage: deploy_appi + # displayName: Deploy application insight + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.Insights/components' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Insights + + # - stage: deploy_aut + # displayName: Deploy automation account + # dependsOn: + # - 
deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.Automation/automationAccounts' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Automation Account + + # - stage: deploy_avdhp + # displayName: Deploy AVD host pool + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.DesktopVirtualization/hostpools' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default AVD Host Pool + + # - stage: deploy_rsv + # displayName: Deploy recovery services vault + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.RecoveryServices/vaults' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default recovery services vault + + # - stage: deploy_kv + # displayName: Deploy key vaults + # dependsOn: + # - deploy_sa + # - deploy_evh + # - deploy_law + # variables: + # resourceType: 'Microsoft.KeyVault/vaults' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: 
$(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Key Vault + # jobName: default_kv + # - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Private Endpoint Key Vault + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQLMI key vault + # jobName: sqlmi_kv + # - job: + # displayName: Set key vault secrets keys and certificates + # dependsOn: + # - default_kv + # pool: + # ${{ if eq(variables['vmImage'], '') }}: + # name: $(poolName) + # ${{ if eq(variables['poolName'], '') }}: + # vmImage: $(vmImage) + # steps: + # - task: PowerShell@2 + # displayName: 'Setup agent' + # inputs: + # targetType: inline + # pwsh: true + # script: | + # # Load used functions + # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Define PS modules to install on the runner + # $Modules = @( + # @{ Name = 'Az.KeyVault' } + # ) + + # # Set agent up + # Set-EnvironmentOnAgent -PSModules $Modules + # - task: AzurePowerShell@5 + # displayName: Set key vault secrets keys and certificates + # inputs: + # azureSubscription: $(serviceConnection) + # ScriptType: 'InlineScript' + # Inline: | + # # Get key vault name + # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' + # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + # $keyVaultName = $keyVaultParameters.name.value + + # # Generate values + # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + # $userName = ConvertTo-SecureString -String 
$usernameString -AsPlainText -Force + # $passwordString = (New-Guid).Guid.SubString(0, 19) + # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + # $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) + # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + + # # Set secrets + # # ------- + # @( + # @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS + # @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS + # @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer + # @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer + # @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway + # @{ name = 'apimClientId'; secretValue = $username } # API management + # @{ name = 'apimClientSecret'; secretValue = $password } # API management + # ) | ForEach-Object { + # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + + # # Certificats + # # ----------- + # $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal + # @( + # @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway + # ) | ForEach-Object { + # $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy + # Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + + # # Set keys + # # ---- + # @( + # @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS + # ) | ForEach-Object { + # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination 
$_.Destination + # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + # azurePowerShellVersion: 'LatestVersion' + # pwsh: true + + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - job: + # displayName: Set sqlmi key vault secrets and keys + # condition: eq(${{ parameters.deploySqlMiDependencies }}, true) + # dependsOn: + # - sqlmi_kv + # pool: + # ${{ if eq(variables['vmImage'], '') }}: + # name: $(poolName) + # ${{ if eq(variables['poolName'], '') }}: + # vmImage: $(vmImage) + # steps: + # - task: PowerShell@2 + # displayName: 'Setup agent' + # inputs: + # targetType: inline + # pwsh: true + # script: | + # # Load used functions + # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # # Define PS modules to install on the runner + # $Modules = @( + # @{ Name = 'Az.KeyVault' } + # ) + + # # Set agent up + # Set-EnvironmentOnAgent -PSModules $Modules + # - task: AzurePowerShell@5 + # displayName: Set sqlmi key vault secrets and keys + # inputs: + # azureSubscription: $(serviceConnection) + # ScriptType: 'InlineScript' + # Inline: | + # # Get key vault name + # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'sqlmi.parameters.json' + # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + # $keyVaultName = $keyVaultParameters.name.value + + # # Generate values + # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + # $passwordString = (New-Guid).Guid.SubString(0, 19) + # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + + # # Set secrets + # # ------- + # @( + # @{ name = 'administratorLogin'; secretValue = $username } # 
SQLManagedInstances + # @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances + # ) | ForEach-Object { + # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + + # # Set keys + # # ---- + # @( + # @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances + # ) | ForEach-Object { + # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination + # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + # } + # azurePowerShellVersion: 'LatestVersion' + # pwsh: true + + # - stage: deploy_avdag + # displayName: Deploy AVD application group + # dependsOn: + # - deploy_avdhp + # variables: + # resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Application Group + + # - stage: deploy_rolea + # displayName: Deploy role assignments + # dependsOn: + # - deploy_msi + # variables: + # resourceType: 'Microsoft.Authorization\roleAssignments' + # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: MSI Role Assignment + + + # - stage: deploy_vnet + # displayName: Deploy virtual networks + # dependsOn: + # - deploy_nsg + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - deploy_udr + # 
variables: + # resourceType: 'Microsoft.Network/virtualNetworks' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Bastion Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: VNET PEering 1 Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: VNET Peering 2 Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Azure Firewall Virtual Network + # - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: AKS Virtual Network + # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + # - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json + # templateFilePath: $(templateFilePath) + # displayName: SQL MI Virtual Network + + # - stage: deploy_dnszone + # displayName: Deploy private DNS zones + # dependsOn: + # - deploy_vnet + # variables: + # resourceType: 'Microsoft.Network/privateDnsZones' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Private DNS Zones + + 
# - stage: deploy_vm + # displayName: Deploy virtual machines + # dependsOn: + # - deploy_vnet + # - deploy_rsv + # - deploy_kv + # variables: + # resourceType: 'Microsoft.Compute/virtualMachines' + # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + # jobs: + # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + # parameters: + # deploymentBlocks: + # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + # templateFilePath: $(templateFilePath) + # displayName: Default Virtual Machine From 22b4ea44119c73d8155c87defc0c0039d2c2111f Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Sun, 16 Jan 2022 19:03:48 +0100 Subject: [PATCH 17/69] Load used functions --- .github/workflows/platform.dependencies.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 6fc542db2a..df58c6b8d6 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -933,18 +933,18 @@ jobs: - name: 'Get msi principal ID and replace token in parameter file' shell: pwsh run: | - Load used functions + # Load used functions . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') - Load Settings File + # Load Settings File $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json - Initialize Default Parameter File Tokens + # Initialize Default Parameter File Tokens $OtherCustomParameterFileTokens = @( @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' } ) - Construct Token Function Input + # Construct Token Function Input $ConvertTokensInputs = @{ ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens 
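Review bot: `Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}'` splices a job output into the `run:` script text before pwsh ever parses it, so a value containing a single quote changes the script rather than the string; the usual pattern is to map the output on the step with `env: MSI_PRINCIPAL_ID: ${{ needs.job_deploy_msi.outputs.msiPrincipalId }}` and read `$env:MSI_PRINCIPAL_ID` inside the script, which keeps it data. `Get-Content -Path "settings.json"` also depends on the current working directory, whereas the dot-source line above anchors on `$env:GITHUB_WORKSPACE`; `Join-Path $env:GITHUB_WORKSPACE 'settings.json'` would make the two consistent. The `run:` block continues into the next hunk.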
@@ -952,7 +952,7 @@ jobs:
 TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
 }
- Invoke Token Replacement Functionality
+ # Invoke Token Replacement Functionality
 $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose
 - name: 'Deploy module'
 uses: ./.github/actions/templates/validateModuleDeployment
From 5d8bfd2f489ae7821271bd402a07e5ca565522d2 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Sun, 16 Jan 2022 19:12:48 +0100
Subject: [PATCH 18/69] access out
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 286e5d9da7..48ed58105a 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -75,7 +75,8 @@ stages:
 targetType: inline
 pwsh: true
 script: |
- $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).msiPrincipalId
+ # Write-Verbose $(deploymentOutput) -Verbose
+ $msiPrincipalId = (ConvertFrom-Json $(deploymentOutput)).msiPrincipalId
 Write-Verbose "msiPrincipalId: $msiPrincipalId" -Verbose
 Write-Output ('##vso[task.setvariable variable={0};isOutput=true]{1}' -f 'msiPrincipalId', $msiPrincipalId)
From eff019e6c686913df844b0131329cb01a1f92d99 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Sun, 16 Jan 2022 19:18:47 +0100
Subject: [PATCH 19/69] access out quotes
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 48ed58105a..27ee922709 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
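Review bot: `(ConvertFrom-Json $(deploymentOutput))` pastes the deployment-output JSON into the PowerShell source through macro syntax, so pwsh parses it as code rather than data; the follow-up in the next hunk (`'$(deploymentOutput)'`) only narrows that to outputs that contain no `'`, and an undefined variable still leaves the literal text `$(deploymentOutput)` in the script. Azure Pipelines exposes job variables to the task as environment variables, so `$msiPrincipalId = (ConvertFrom-Json $env:DEPLOYMENTOUTPUT).msiPrincipalId` reads the same value without re-parsing it as script. The `# Write-Verbose $(deploymentOutput) -Verbose` line is dead debug text and can go. The same point applies to the `@@ -76` hunk of the following commit.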
@@ -76,7 +76,7 @@ stages:
 pwsh: true
 script: |
 # Write-Verbose $(deploymentOutput) -Verbose
- $msiPrincipalId = (ConvertFrom-Json $(deploymentOutput)).msiPrincipalId
+ $msiPrincipalId = (ConvertFrom-Json '$(deploymentOutput)').msiPrincipalId
 Write-Verbose "msiPrincipalId: $msiPrincipalId" -Verbose
 Write-Output ('##vso[task.setvariable variable={0};isOutput=true]{1}' -f 'msiPrincipalId', $msiPrincipalId)
From 1bd2be3552402caac6ef91c56e40fcc9e28bd110 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 09:39:49 +0100
Subject: [PATCH 20/69] replace token ado
---
 .../platform.dependencies.yml | 66 +++++++++++++++----
 .github/workflows/platform.dependencies.yml | 8 +--
 2 files changed, 56 insertions(+), 18 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 27ee922709..7a3781d2f6 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -71,6 +71,7 @@ stages:
 deploymentOutput: $[ dependencies.job_deploy_msi.outputs['DeployModule.deploymentOutput'] ]
 steps:
 - task: PowerShell@2
+ name: print_msi_prinId
 inputs:
 targetType: inline
 pwsh: true
@@ -575,20 +576,57 @@ stages: # templateFilePath: $(templateFilePath) # displayName: Default Application Group - # - stage: deploy_rolea - # displayName: Deploy role assignments - # dependsOn: - # - deploy_msi - # variables: - # resourceType: 'Microsoft.Authorization\roleAssignments' - # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: MSI Role Assignment + - stage: deploy_rolea + displayName: Deploy role assignments + dependsOn: + - deploy_msi + variables: + resourceType: 'Microsoft.Authorization\roleAssignments' + templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep + varFromStageA: $[ stageDependencies.deploy_msi.default_msi_job.outputs['DeployModule.deploymentOutput'] ] + jobs: + - job: + displayName: Set msi principal ID output + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + variables: + msiPrincipalId: $[ stageDependencies.deploy_msi.job_deploy_msi.outputs['print_msi_prinId.msiPrincipalId'] ] + steps: + - task: PowerShell@2 + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') + + # Load Settings File + $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json + + # Initialize Default Parameter File Tokens + $OtherCustomParameterFileTokens = @( + @{ Name = 'msiPrincipalId'; Value = '$msiPrincipalId' } + ) + + # Construct Token Function Input + $ConvertTokensInputs = @{ + ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens + TokenPrefix = $Settings.parameterFileTokens.tokenPrefix + TokenSuffix = $Settings.parameterFileTokens.tokenSuffix + } + + # Invoke Token Replacement Functionality + $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: MSI Role Assignment # - stage: deploy_vnet diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index df58c6b8d6..4eb1efd48d 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -63,7 +63,7 @@ jobs: needs: - job_deploy_rg outputs: - msiPrincipalId: ${{ steps.deploy-msi-out.outputs.msiPrincipalId }} + msiPrincipalId: ${{ steps.print_msi_prinId.outputs.msiPrincipalId }} strategy: fail-fast: false matrix: @@ -74,7 +74,7 @@ jobs: with: fetch-depth: 0 - name: 'Deploy module' - id: deploy-msi + id: deploy_msi uses: ./.github/actions/templates/validateModuleDeployment with: templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' 
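Review bot: The new `- job:` under `deploy_rolea` rewrites the parameter file in its own agent workspace, but the deployment itself is done by `module.jobs.deploy.yml`, which from the later hunks on this page is a separate job with its own checkout, so the token-replaced file never reaches the deployment; the stage needs either one job that replaces and deploys, or a handoff of the value (an output variable) rather than of the edited file. As committed the job would also fail before replacing anything: `$env:GITHUB_WORKSPACE` and `'${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'` are GitHub Actions syntax inside an Azure Pipelines file, and `Value = '$msiPrincipalId'` in single quotes is the literal text `$msiPrincipalId`, not the variable. `varFromStageA` is declared and never read. The `script: |` block starts inside the hunk and ends at the `$null = Convert-TokensInParameterFile` line.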
@@ -85,11 +85,11 @@ jobs: managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - name: Set msi principal ID output - id: deploy-msi-out + id: print_msi_prinId uses: azure/powershell@v1 with: inlineScript: | - $deploymentOutput = '${{ steps.deploy-msi.outputs.deploymentOutput }}' + $deploymentOutput = '${{ steps.deploy_msi.outputs.deploymentOutput }}' $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).msiPrincipalId Write-Output ('::set-output name=msiPrincipalId::{0}' -f $msiPrincipalId) azPSVersion: 'latest' From 3a35a2b7501819621d7cb07983b212e2babeca38 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 09:42:55 +0100 Subject: [PATCH 21/69] replace token ado next stage --- .azuredevops/platformPipelines/platform.dependencies.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 7a3781d2f6..85b37227c1 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -601,14 +601,14 @@ stages: pwsh: true script: | # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') + . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') # Load Settings File $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json # Initialize Default Parameter File Tokens $OtherCustomParameterFileTokens = @( - @{ Name = 'msiPrincipalId'; Value = '$msiPrincipalId' } + @{ Name = 'msiPrincipalId'; Value = '$(msiPrincipalId)' } ) # Construct Token Function Input From 12bd0b31e33ba459ea3f6162fd80ce564c08381e Mon Sep 17 00:00:00 2001 
From: Erika Gressi
Date: Mon, 17 Jan 2022 09:47:46 +0100
Subject: [PATCH 22/69] param path
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 85b37227c1..af3719d434 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -581,7 +581,7 @@ stages:
 dependsOn:
 - deploy_msi
 variables:
- resourceType: 'Microsoft.Authorization\roleAssignments'
+ resourceType: 'Microsoft.Authorization/roleAssignments'
 templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep
 varFromStageA: $[ stageDependencies.deploy_msi.default_msi_job.outputs['DeployModule.deploymentOutput'] ]
 jobs:
@@ -613,7 +613,7 @@ stages:
 # Construct Token Function Input
 $ConvertTokensInputs = @{
- ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ ParameterFilePath = Join-Path '$(System.DefaultWorkingDirectory)' '$(dependencyPath)/$(resourceType)/parameters/parameters.json'
 OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens
 TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
 TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
From 97c33e1280d49f6ce518b10c96571c8c9ddcf3e3 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 09:56:51 +0100
Subject: [PATCH 23/69] rolea displayname
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index af3719d434..db0077b69e 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -626,7 +626,7 @@ stages:
 deploymentBlocks:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
- displayName: MSI Role Assignment
+ displayName: Default Role Assignment
 # - stage: deploy_vnet
From 6eaef45bc3abdcd5f434a633ea39fb42a55f398e Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 09:59:13 +0100
Subject: [PATCH 24/69] rolea displayname msi
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index db0077b69e..0425154277 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -626,7 +626,7 @@ stages:
 deploymentBlocks:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
- displayName: Default Role Assignment
+ displayName: Default MSI Role Assignment
 # - stage: deploy_vnet
From 5aed5b3592feb37187f32e9de48e25ae03d8567c Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 10:48:46 +0100
Subject: [PATCH 25/69] ado action input
---
 .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
index 56faf474cd..def311e6d8 100644
--- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
@@ -62,6 +62,7 @@ parameters:
 managementGroupId: '$(ARM_MGMTGROUP_ID)'
 parametersRepository: '$(Build.Repository.Name)'
 modulesRepository: '$(modulesRepository)'
+ customParameterFileTokens: ''
 # Azure PowerShell Version parameters
 azurePowerShellVersion: '$(azurePowerShellVersion)'
 preferredAzurePowerShellVersion: '$(preferredAzurePowerShellVersion)'
@@ -176,10 +177,14 @@ jobs: @{ Name = "deploymentSpId"; Value = '$(DEPLOYMENT_SP_ID)' } ) | ForEach-Object { [PSCustomObject]$PSItem } + # Get additional Custom Parameter File Tokens from input + $OtherCustomParameterFileTokens = '${{ parameters.customParameterFileTokens }}' | ConvertFrom-Json + # Construct Token Function Input $ConvertTokensInputs = @{ ParameterFilePath = Join-Path '$(parametersRepoRoot)' '${{ deploymentBlock.path }}' DefaultParameterFileTokens = $DefaultParameterFileTokens + OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens LocalCustomParameterFileTokens = $Settings.parameterFileTokens.localTokens.tokens TokenPrefix = $Settings.parameterFileTokens.tokenPrefix TokenSuffix = $Settings.parameterFileTokens.tokenSuffix From 89b8d03ed133c212aa65c760924e54b79d93e70e Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 11:02:32 +0100 Subject: [PATCH 26/69] custom token to json --- .../platform.dependencies.yml | 42 +++++++++++-------- 1 file changed, 25 insertions(+), 17 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 0425154277..3d8c6078e8 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -583,7 +583,6 @@ stages: variables: resourceType: 'Microsoft.Authorization/roleAssignments' templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep - varFromStageA: $[ stageDependencies.deploy_msi.default_msi_job.outputs['DeployModule.deploymentOutput'] ] jobs: - job: displayName: Set msi principal ID output 
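Review bot: `'${{ parameters.customParameterFileTokens }}' | ConvertFrom-Json` receives the new default `''` (added in the preceding `@@ -62` hunk) for every existing caller of this template; Windows PowerShell rejects an empty `InputObject` with a binding error and pwsh yields `$null` rather than an array (verify on the task's version), so `OtherCustomParameterFileTokens` is handed a value that Convert-TokensInParameterFile may not accept — its parameter definition is not visible here. Guard it: `$rawTokens = '${{ parameters.customParameterFileTokens }}'` and `$OtherCustomParameterFileTokens = if ([string]::IsNullOrWhiteSpace($rawTokens)) { @() } else { $rawTokens | ConvertFrom-Json }`. Expanding the JSON inside single quotes at compile time also means any token value containing `'` breaks the script text; passing the JSON through a job variable and reading it via `$env:` keeps it as data. The enclosing script block starts and ends outside the hunk.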
@@ -600,33 +599,42 @@ stages: targetType: inline pwsh: true script: | - # Load used functions - . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') + # # Load used functions + # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') - # Load Settings File - $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json + # # Load Settings File + # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json - # Initialize Default Parameter File Tokens - $OtherCustomParameterFileTokens = @( + # # Initialize Default Parameter File Tokens + # $OtherCustomParameterFileTokens = @( + # @{ Name = 'msiPrincipalId'; Value = '$(msiPrincipalId)' } + # ) + + # # Construct Token Function Input + # $ConvertTokensInputs = @{ + # ParameterFilePath = Join-Path '$(System.DefaultWorkingDirectory)' '$(dependencyPath)/$(resourceType)/parameters/parameters.json' + # OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens + # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix + # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix + # } + + # # Invoke Token Replacement Functionality + + # Initialize Additional Custom Parameter File Tokens + $otherCustomParameterFileTokens = @( @{ Name = 'msiPrincipalId'; Value = '$(msiPrincipalId)' } ) - # Construct Token Function Input - $ConvertTokensInputs = @{ - ParameterFilePath = Join-Path '$(System.DefaultWorkingDirectory)' '$(dependencyPath)/$(resourceType)/parameters/parameters.json' - OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens - TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - } - - # Invoke Token Replacement Functionality - $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose + $customParameterFileTokens = $otherCustomParameterFileTokens | ConvertTo-Json + 
Write-Verbose "customParameterFileTokens: $customParameterFileTokens" -Verbose + Write-Output ('##vso[task.setvariable variable={0};isOutput=true]{1}' -f 'customParameterFileTokens', $customParameterFileTokens) - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml parameters: deploymentBlocks: - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: Default MSI Role Assignment + customParameterFileTokens: '$(customParameterFileTokens)' # - stage: deploy_vnet From 01960277aef61a76178117e8877cb78632ae4369 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 11:28:16 +0100 Subject: [PATCH 27/69] custom token to json var --- .../platformPipelines/platform.dependencies.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 3d8c6078e8..4834dce683 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -583,18 +583,18 @@ stages: variables: resourceType: 'Microsoft.Authorization/roleAssignments' templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep + msiPrincipalId: $[ stageDependencies.deploy_msi.job_deploy_msi.outputs['print_msi_prinId.msiPrincipalId'] ] jobs: - - job: - displayName: Set msi principal ID output + - job: job_get_msi + displayName: Get msi principal ID output pool: ${{ if eq(variables['vmImage'], '') }}: name: $(poolName) ${{ if eq(variables['poolName'], '') }}: vmImage: $(vmImage) - variables: - msiPrincipalId: $[ stageDependencies.deploy_msi.job_deploy_msi.outputs['print_msi_prinId.msiPrincipalId'] ] steps: - task: PowerShell@2 + name: print_custom_token inputs: targetType: inline pwsh: true 
@@ -620,7 +620,7 @@ stages: # # Invoke Token Replacement Functionality - # Initialize Additional Custom Parameter File Tokens + # Initialize Additional Custom Parameter File Tokens for Token Replacement Functionality $otherCustomParameterFileTokens = @( @{ Name = 'msiPrincipalId'; Value = '$(msiPrincipalId)' } ) @@ -634,7 +634,8 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: Default MSI Role Assignment - customParameterFileTokens: '$(customParameterFileTokens)' + # customParameterFileTokens: '$(customParameterFileTokens)' + customParameterFileTokens: $[ dependencies.job_get_msi.outputs['print_custom_token.customParameterFileTokens'] ] # - stage: deploy_vnet From 056b768e6fcfa8051f5e54fe27fda55d30b05829 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 11:47:47 +0100 Subject: [PATCH 28/69] custom token print --- .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml index def311e6d8..7ed635d896 100644 --- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml +++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml @@ -178,6 +178,7 @@ jobs: ) | ForEach-Object { [PSCustomObject]$PSItem } # Get additional Custom Parameter File Tokens from input + Write-Verbose "OtherCustomParameterFileTokens: '${{ parameters.customParameterFileTokens }}'" -Verbose $OtherCustomParameterFileTokens = '${{ parameters.customParameterFileTokens }}' | ConvertFrom-Json # Construct Token Function Input From a54dcb5920a71a88bd2d9f4ef25ddfcf0de1579e Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 12:00:14 +0100 Subject: [PATCH 29/69] customParameterFileTokens --- .azuredevops/platformPipelines/platform.dependencies.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
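Review bot: `customParameterFileTokens: $[ dependencies.job_get_msi.outputs['print_custom_token.customParameterFileTokens'] ]` is passed as a template parameter, but template parameters are expanded at compile time and the template (PATCH 25 hunk) reads them into a script via `${{ }}`, where a `$[ ]` runtime expression is not evaluated — ConvertFrom-Json would most likely receive the literal expression text; as of this commit the template also reads `parameters.customParameterFileTokens` while this sets the key per deployment block, so it is not read at all. `dependencies.job_get_msi` only resolves in a job that declares `dependsOn: job_get_msi`, which nothing here adds to the template's job. The reliable handoff is a job-level `variables:` entry carrying that `$[ ]` expression plus a `dependsOn` on the template job, with the script reading `$env:CUSTOMPARAMETERFILETOKENS`. The commented-out `# customParameterFileTokens: '$(customParameterFileTokens)'` is dead config and should be removed rather than kept alongside.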
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 4834dce683..d7d8c03b1b 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -634,8 +634,8 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: Default MSI Role Assignment - # customParameterFileTokens: '$(customParameterFileTokens)' - customParameterFileTokens: $[ dependencies.job_get_msi.outputs['print_custom_token.customParameterFileTokens'] ] + customParameterFileTokens: '[{"name":"msiPrincipalId","value":"msiPrincipalIdddd"}]' + # customParameterFileTokens: $[ dependencies.job_get_msi.outputs['print_custom_token.customParameterFileTokens'] ] # - stage: deploy_vnet From 783d187a2b1f0032e9ffa5f37bb2c12aa1fac654 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 12:05:05 +0100 Subject: [PATCH 30/69] customParameterFileTokens deploymentBlock --- .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 2 +- .azuredevops/platformPipelines/platform.dependencies.yml | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml index 7ed635d896..dae29aff21 100644 --- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml +++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml @@ -179,7 +179,7 @@ jobs: # Get additional Custom Parameter File Tokens from input Write-Verbose "OtherCustomParameterFileTokens: '${{ parameters.customParameterFileTokens }}'" -Verbose - $OtherCustomParameterFileTokens = '${{ parameters.customParameterFileTokens }}' | ConvertFrom-Json + $OtherCustomParameterFileTokens = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json # Construct Token Function Input $ConvertTokensInputs = @{ 
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index d7d8c03b1b..a8b5b79afd 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -634,8 +634,9 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: Default MSI Role Assignment - customParameterFileTokens: '[{"name":"msiPrincipalId","value":"msiPrincipalIdddd"}]' - # customParameterFileTokens: $[ dependencies.job_get_msi.outputs['print_custom_token.customParameterFileTokens'] ] + customParameterFileTokens: $[ dependencies.job_get_msi.outputs['print_custom_token.customParameterFileTokens'] ] + # customParameterFileTokens: '[{"name":"msiPrincipalId","value":"msiPrincipalIdddd"}]' + # customParameterFileTokens: $[ dependencies.job_get_msi.outputs['print_custom_token.customParameterFileTokens'] ] # - stage: deploy_vnet From 777a86f12e54aaf2a328ac58a6ed956837c1f50d Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 12:22:22 +0100 Subject: [PATCH 31/69] customParameterFileTokens deploymentBlock print --- .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml index dae29aff21..be64247a96 100644 --- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml +++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml 
@@ -178,8 +178,9 @@ jobs:
 ) | ForEach-Object { [PSCustomObject]$PSItem }
 # Get additional Custom Parameter File Tokens from input
- Write-Verbose "OtherCustomParameterFileTokens: '${{ parameters.customParameterFileTokens }}'" -Verbose
- $OtherCustomParameterFileTokens = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json
+ Write-Verbose "OtherCustomParameterFileTokens: '${{ deploymentBlock.customParameterFileTokens }}'" -Verbose
+ $OtherCustomParameterFileTokens = @()
+ # $OtherCustomParameterFileTokens = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json
 # Construct Token Function Input
 $ConvertTokensInputs = @{
From 38f5cef790825afb4ad7591c1177f725bb2a7b97 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 12:25:42 +0100
Subject: [PATCH 32/69] msi prin id print
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index a8b5b79afd..71372d8766 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -620,6 +620,7 @@ stages:
 #
 # Invoke Token Replacement Functionality
+ Write-Verbose "msiPrincipalId: $(msiPrincipalId)" -Verbose
 # Initialize Additional Custom Parameter File Tokens for Token Replacement Functionality
 $otherCustomParameterFileTokens = @(
 @{ Name = 'msiPrincipalId'; Value = '$(msiPrincipalId)' }
From e61e0fbee88ab1ed80597fcdc39c40a266c8e0f5 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 12:34:29 +0100
Subject: [PATCH 33/69] msi prin id print var job
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 71372d8766..3aff5803a5 100644
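Review bot: `$OtherCustomParameterFileTokens = @()` in the first hunk silently drops whatever the deployment block passed in, so any caller relying on custom tokens gets no replacement and an unreplaced placeholder token lands in the rendered parameter file without any signal; if this is a temporary bypass, make it loud with `Write-Warning 'customParameterFileTokens bypassed for debugging'` beside it so the log shows why replacement did not happen. The new Write-Verbose line also interpolates `${{ deploymentBlock.customParameterFileTokens }}` inside a double-quoted PowerShell string, where a `"` or `$` in the token JSON is parsed by PowerShell rather than printed (PATCH 54 later moves it to single quotes). The script body continues outside the hunk.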
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -583,7 +583,7 @@ stages:
 variables:
 resourceType: 'Microsoft.Authorization/roleAssignments'
 templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep
- msiPrincipalId: $[ stageDependencies.deploy_msi.job_deploy_msi.outputs['print_msi_prinId.msiPrincipalId'] ]
+
 jobs:
 - job: job_get_msi
 displayName: Get msi principal ID output
@@ -592,6 +592,8 @@ stages:
 name: $(poolName)
 ${{ if eq(variables['poolName'], '') }}:
 vmImage: $(vmImage)
+ variables:
+ msiPrincipalId: $[ stageDependencies.deploy_msi.job_deploy_msi.outputs['print_msi_prinId.msiPrincipalId'] ]
 steps:
 - task: PowerShell@2
 name: print_custom_token
From 6700736262564217c3bfb3cb1f56a64bdab173c8 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 12:40:33 +0100
Subject: [PATCH 34/69] msi prin id print var job quotes
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 3aff5803a5..5921f7942b 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -622,10 +622,11 @@ stages:
 #
 # Invoke Token Replacement Functionality
- Write-Verbose "msiPrincipalId: $(msiPrincipalId)" -Verbose
+ Write-Verbose "msiPrincipalId: '$(msiPrincipalId)'" -Verbose
+ $msiPrincipalId = '$(msiPrincipalId)'
 # Initialize Additional Custom Parameter File Tokens for Token Replacement Functionality
 $otherCustomParameterFileTokens = @(
- @{ Name = 'msiPrincipalId'; Value = '$(msiPrincipalId)' }
+ @{ Name = 'msiPrincipalId'; Value = $msiPrincipalId }
 )
 $customParameterFileTokens = $otherCustomParameterFileTokens | ConvertTo-Json
From 06959b99d602673902413856bd456dacad455acd Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 12:52:29 +0100
Subject: [PATCH 35/69] test print msi
---
 .../platform.dependencies.yml | 29 +++++++++++++------
 1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 5921f7942b..68a65db975 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -58,7 +58,7 @@ stages:
 templateFilePath: $(templateFilePath)
 displayName: User Assigned Identity
 jobName: job_deploy_msi
- - job:
+ - job: job_set_msi_id
 displayName: Set msi principal ID output
 dependsOn:
 - job_deploy_msi
@@ -576,6 +576,18 @@ stages:
 # templateFilePath: $(templateFilePath)
 # displayName: Default Application Group
+ - stage: print_msi
+ dependsOn: deploy_msi
+ jobs:
+ - job: print_msi_job
+ variables:
+ varFromStageA: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ]
+ steps:
+ - checkout: none
+ - script: |
+ echo "This Job will print value from deploy_msi stage"
+ echo $(varFromStageA)
+
 - stage: deploy_rolea
 displayName: Deploy role assignments
 dependsOn:
@@ -583,9 +595,8 @@ stages:
 variables:
 resourceType: 'Microsoft.Authorization/roleAssignments'
 templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep
-
 jobs:
- - job: job_get_msi
+ - job: job_get_msi_id
 displayName: Get msi principal ID output
 pool:
 ${{ if eq(variables['vmImage'], '') }}:
@@ -593,7 +604,7 @@ stages:
 ${{ if eq(variables['poolName'], '') }}:
 vmImage: $(vmImage)
 variables:
- msiPrincipalId: $[ stageDependencies.deploy_msi.job_deploy_msi.outputs['print_msi_prinId.msiPrincipalId'] ]
+ msiPrincipalId: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ]
 steps:
 - task: PowerShell@2
 name: print_custom_token
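Review bot: The new `print_msi` stage in the second hunk exists only to echo the identity's principal ID, and unlike the other jobs in this file its `print_msi_job` declares no `pool:` selection between `$(poolName)` and `$(vmImage)`, so it presumably runs on whatever default agent the organisation provides rather than the pool the rest of the pipeline is pinned to. If it is a debugging aid, either remove it before merge or gate it with a `condition:` on a pipeline variable, and give it the same `pool:` block the `job_get_msi_id` job carries; at minimum a `# TEMP: debugging stage, remove before merge` comment on the `- stage: print_msi` line would make the intent visible to the next reader.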
@@ -622,11 +633,11 @@ stages:
 #
 # Invoke Token Replacement Functionality
- Write-Verbose "msiPrincipalId: '$(msiPrincipalId)'" -Verbose
- $msiPrincipalId = '$(msiPrincipalId)'
+ # Write-Verbose "msiPrincipalId: '$(msiPrincipalId)'" -Verbose
+ # $msiPrincipalId = '$(msiPrincipalId)'
 # Initialize Additional Custom Parameter File Tokens for Token Replacement Functionality
 $otherCustomParameterFileTokens = @(
- @{ Name = 'msiPrincipalId'; Value = $msiPrincipalId }
+ @{ Name = 'msiPrincipalId'; Value = '$(msiPrincipalId)' }
 )
 $customParameterFileTokens = $otherCustomParameterFileTokens | ConvertTo-Json
@@ -638,9 +649,9 @@ stages:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
 displayName: Default MSI Role Assignment
- customParameterFileTokens: $[ dependencies.job_get_msi.outputs['print_custom_token.customParameterFileTokens'] ]
+ customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
 # customParameterFileTokens: '[{"name":"msiPrincipalId","value":"msiPrincipalIdddd"}]'
- # customParameterFileTokens: $[ dependencies.job_get_msi.outputs['print_custom_token.customParameterFileTokens'] ]
+ # customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
 # - stage: deploy_vnet
From da35a2a4c9074f88d8f9434db15b03dfa7fb8cc9 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 13:40:00 +0100
Subject: [PATCH 36/69] test print msi in template
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 68a65db975..fb88aaebc2 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
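Review bot: `Value = '$(msiPrincipalId)'` in the first hunk depends on the agent's macro expansion; when the variable is undefined or empty (its wiring changes again in PATCH 44, 46 and 49) the macro is left as the literal text `$(msiPrincipalId)` or as an empty string, and that is exactly what `ConvertTo-Json` serialises and the `##vso[task.setvariable]` line publishes to the role-assignment job. Add a guard before the `$customParameterFileTokens = ...` line, e.g. `if ([string]::IsNullOrWhiteSpace($otherCustomParameterFileTokens[0].Value) -or $otherCustomParameterFileTokens[0].Value -match '^\$\(') { throw 'msiPrincipalId was not resolved' }`, so the stage fails here instead of attempting a role assignment against a bogus principal. The PowerShell step continues outside the hunk.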
@@ -649,7 +649,7 @@ stages:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
 displayName: Default MSI Role Assignment
- customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
+ customParameterFileTokens: $(msiPrincipalId)
 # customParameterFileTokens: '[{"name":"msiPrincipalId","value":"msiPrincipalIdddd"}]'
 # customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
From 6ec46a6bcfbe02a97e12bc8fef9e9e8a7dd4f793 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 13:46:21 +0100
Subject: [PATCH 37/69] test print msi in template quotes
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index fb88aaebc2..09c7e47ab4 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -649,7 +649,7 @@ stages:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
 displayName: Default MSI Role Assignment
- customParameterFileTokens: $(msiPrincipalId)
+ customParameterFileTokens: '$(msiPrincipalId)'
 # customParameterFileTokens: '[{"name":"msiPrincipalId","value":"msiPrincipalIdddd"}]'
 # customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
From 28aa9f87fb00691da6f4e9894df763cc50f549d2 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 13:54:17 +0100
Subject: [PATCH 38/69] template var
---
 .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 4 +++-
 .azuredevops/platformPipelines/platform.dependencies.yml | 6 ++++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
index be64247a96..62c91d014c 100644
--- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
@@ -178,7 +178,9 @@ jobs:
 ) | ForEach-Object { [PSCustomObject]$PSItem }
 # Get additional Custom Parameter File Tokens from input
- Write-Verbose "OtherCustomParameterFileTokens: '${{ deploymentBlock.customParameterFileTokens }}'" -Verbose
+ # Write-Verbose "OtherCustomParameterFileTokens: '${{ deploymentBlock.customParameterFileTokens }}'" -Verbose
+ Write-Verbose "OtherCustomParameterFileTokens: '$(customParameterFileTokens)'" -Verbose
+
 $OtherCustomParameterFileTokens = @()
 # $OtherCustomParameterFileTokens = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 09c7e47ab4..9d632973bf 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -645,12 +645,14 @@ stages:
 Write-Output ('##vso[task.setvariable variable={0};isOutput=true]{1}' -f 'customParameterFileTokens', $customParameterFileTokens)
 - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
 parameters:
+ variables:
+ customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
 deploymentBlocks:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
 displayName: Default MSI Role Assignment
- customParameterFileTokens: '$(msiPrincipalId)'
- # customParameterFileTokens: '[{"name":"msiPrincipalId","value":"msiPrincipalIdddd"}]'
+ # customParameterFileTokens: '$(msiPrincipalId)'
+ customParameterFileTokens: '[{"name":"msiPrincipalId","value":"msiPrincipalIdddd"}]'
 # customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
From 9baaf0fc9998d191b1e60b4c3ecc1b2dc72324b6 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 13:55:03 +0100
Subject: [PATCH 39/69] template var print double
---
 .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
index 62c91d014c..cf8ade68e4 100644
--- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
@@ -178,7 +178,7 @@ jobs:
 ) | ForEach-Object { [PSCustomObject]$PSItem }
 # Get additional Custom Parameter File Tokens from input
- # Write-Verbose "OtherCustomParameterFileTokens: '${{ deploymentBlock.customParameterFileTokens }}'" -Verbose
+ Write-Verbose "OtherCustomParameterFileTokens: '${{ deploymentBlock.customParameterFileTokens }}'" -Verbose
 Write-Verbose "OtherCustomParameterFileTokens: '$(customParameterFileTokens)'" -Verbose
 $OtherCustomParameterFileTokens = @()
From e4ee3b09a9c62cc443a0509d183d2d3032fc3783 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 13:58:13 +0100
Subject: [PATCH 40/69] template var print
---
 .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
index cf8ade68e4..2c9648ca84 100644
--- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
@@ -179,7 +179,7 @@ jobs:
 # Get additional Custom Parameter File Tokens from input
 Write-Verbose "OtherCustomParameterFileTokens: '${{ deploymentBlock.customParameterFileTokens }}'" -Verbose
- Write-Verbose "OtherCustomParameterFileTokens: '$(customParameterFileTokens)'" -Verbose
+ # Write-Verbose "OtherCustomParameterFileTokens: '$(customParameterFileTokens)'" -Verbose
 $OtherCustomParameterFileTokens = @()
 # $OtherCustomParameterFileTokens = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json
From 49443dd4d338b9a72f1490c81dcb18a619899e4a Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 14:28:46 +0100
Subject: [PATCH 41/69] template var up
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 9d632973bf..902ad73906 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -644,9 +644,9 @@ stages:
 Write-Verbose "customParameterFileTokens: $customParameterFileTokens" -Verbose
 Write-Output ('##vso[task.setvariable variable={0};isOutput=true]{1}' -f 'customParameterFileTokens', $customParameterFileTokens)
 - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+ variables:
+ customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
 parameters:
- variables:
- customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
 deploymentBlocks:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
From cf2da54f7717f87605ca74f37b747898f1169dc8 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 14:38:14 +0100
Subject: [PATCH 42/69] template var up escape
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 902ad73906..8cf75364f6 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -644,8 +644,6 @@ stages:
 Write-Verbose "customParameterFileTokens: $customParameterFileTokens" -Verbose
 Write-Output ('##vso[task.setvariable variable={0};isOutput=true]{1}' -f 'customParameterFileTokens', $customParameterFileTokens)
 - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml
- variables:
- customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
 parameters:
 deploymentBlocks:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
From 0dc2915318b14b9254a12612dac975bdb546913d Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 14:51:29 +0100
Subject: [PATCH 43/69] stage var
---
 .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
index 2c9648ca84..d75c63fdf8 100644
--- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
@@ -179,7 +179,6 @@ jobs:
 # Get additional Custom Parameter File Tokens from input
 Write-Verbose "OtherCustomParameterFileTokens: '${{ deploymentBlock.customParameterFileTokens }}'" -Verbose
- # Write-Verbose "OtherCustomParameterFileTokens: '$(customParameterFileTokens)'" -Verbose
 $OtherCustomParameterFileTokens = @()
 # $OtherCustomParameterFileTokens = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json
From bda16746ddc21ea2ce0cc05a94c7850e05e214d7 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 14:52:03 +0100
Subject: [PATCH 44/69] stage var
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 8cf75364f6..3e532b48cd 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -595,6 +595,8 @@ stages:
 variables:
 resourceType: 'Microsoft.Authorization/roleAssignments'
 templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep
+ msiPrincipalId: $[ dependencies.deploy_msi.outputs['job_set_msi_id.print_msi_prinId.msiPrincipalId'] ]
+ # dependencies.STAGE.outputs['JOB.TASK.VARIABLE']
 jobs:
 - job: job_get_msi_id
 displayName: Get msi principal ID output
@@ -603,8 +605,8 @@ stages:
 name: $(poolName)
 ${{ if eq(variables['poolName'], '') }}:
 vmImage: $(vmImage)
- variables:
- msiPrincipalId: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ]
+ # variables:
+ # msiPrincipalId: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ]
 steps:
 - task: PowerShell@2
 name: print_custom_token
@@ -650,7 +652,8 @@ stages:
 templateFilePath: $(templateFilePath)
 displayName: Default MSI Role Assignment
 # customParameterFileTokens: '$(msiPrincipalId)'
- customParameterFileTokens: '[{"name":"msiPrincipalId","value":"msiPrincipalIdddd"}]'
+ # customParameterFileTokens: '[{\"name\":\"msiPrincipalId\",\"value\":\"msiPrincipalIdddd\"}]'
+ customParameterFileTokens: '[{\"name\":\"msiPrincipalId\",\"value\":\"msiPrincipalIdddd\"}]'
 # customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
From c1847a1fcaaf094934acb2beac1077ab9324a887 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 15:10:13 +0100
Subject: [PATCH 45/69] concat
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 3e532b48cd..7cf9f8eec6 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
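Review bot: In the second hunk, `customParameterFileTokens: '[{\"name\":\"msiPrincipalId\",\"value\":\"msiPrincipalIdddd\"}]'` is a single-quoted YAML scalar, where backslash is not an escape character, so the value handed to the template contains literal `\"` sequences and is not valid JSON for `ConvertFrom-Json`. PATCH 48's plain-scalar `\[\]` has the same problem — it is the four characters `\[\]`, not an empty array — and both only go unnoticed while the template's `$OtherCustomParameterFileTokens = @()` bypass is in place. Single quotes already protect the leading `[` from YAML's flow-sequence parsing, so `'[{"name":"msiPrincipalId","value":"..."}]'` (the form used before this commit) and `'[]'` for the empty case are what reach PowerShell as JSON.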
@@ -653,7 +653,11 @@ stages:
 displayName: Default MSI Role Assignment
 # customParameterFileTokens: '$(msiPrincipalId)'
 # customParameterFileTokens: '[{\"name\":\"msiPrincipalId\",\"value\":\"msiPrincipalIdddd\"}]'
- customParameterFileTokens: '[{\"name\":\"msiPrincipalId\",\"value\":\"msiPrincipalIdddd\"}]'
+ customParameterFileTokens: >
+ [
+ { "name": "msiPrincipalId",
+ "value": "$(msiPrincipalId)" }
+ ]
 # customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
From 90d74eed33a15642c09453c662f7bb085e5a0dff Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 15:32:34 +0100
Subject: [PATCH 46/69] msi stage var
---
 .../platformPipelines/platform.dependencies.yml | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 7cf9f8eec6..2808bd9634 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -605,8 +605,9 @@ stages:
 name: $(poolName)
 ${{ if eq(variables['poolName'], '') }}:
 vmImage: $(vmImage)
- # variables:
- # msiPrincipalId: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ]
+ variables:
+ # msiPrincipalId: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ]
+ msiPrincipalId: $(msiPrincipalId)
 steps:
 - task: PowerShell@2
 name: print_custom_token
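Review bot: The folded block scalar `customParameterFileTokens: >` in the first hunk keeps the final line break, so the value passed to the template ends in a newline, and that newline then sits inside the single-quoted PowerShell literal the template builds from it. Use the strip indicator, `customParameterFileTokens: >-`, so the value is the JSON text alone; whether the inner lines fold to one line or keep their breaks depends on their relative indentation, which the collapsed diff does not show, so check the rendered value once. The second hunk's `msiPrincipalId: $(msiPrincipalId)` job variable is defined as a macro of its own name; I cannot tell from here whether that reads the stage-level variable, so a short comment stating which scope it is meant to read would help the next reader.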
@@ -651,13 +652,13 @@ stages:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
 displayName: Default MSI Role Assignment
- # customParameterFileTokens: '$(msiPrincipalId)'
+ customParameterFileTokens: $(msiPrincipalId)
 # customParameterFileTokens: '[{\"name\":\"msiPrincipalId\",\"value\":\"msiPrincipalIdddd\"}]'
- customParameterFileTokens: >
- [
- { "name": "msiPrincipalId",
- "value": "$(msiPrincipalId)" }
- ]
+ # customParameterFileTokens: >
+ # [
+ # { "name": "msiPrincipalId",
+ # "value": "$(msiPrincipalId)" }
+ # ]
 # customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
From 76e8813a899ebb1a513bbcd5569bc0a42b1595b4 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 15:59:26 +0100
Subject: [PATCH 47/69] multiline value
---
 .../platformPipelines/platform.dependencies.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 2808bd9634..a0309f6294 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -652,13 +652,13 @@ stages:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
 displayName: Default MSI Role Assignment
- customParameterFileTokens: $(msiPrincipalId)
+ # customParameterFileTokens: $(msiPrincipalId)
 # customParameterFileTokens: '[{\"name\":\"msiPrincipalId\",\"value\":\"msiPrincipalIdddd\"}]'
- # customParameterFileTokens: >
- # [
- # { "name": "msiPrincipalId",
- # "value": "$(msiPr



incipalId)" }
- # ]
+ customParameterFileTokens: >
+ [
+ { "name": "msiPrincipalId",
+ "value": "msiPrincipalIdValue" }
+ ]
 # customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
From 167758b34efe4f906b824e9934df9e3a31efa20d Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 17:03:00 +0100
Subject: [PATCH 48/69] sq brac
---
 .../platformPipelines/platform.dependencies.yml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index a0309f6294..a057269e21 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -652,13 +652,14 @@ stages:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
 displayName: Default MSI Role Assignment
+ customParameterFileTokens: \[\]
 # customParameterFileTokens: $(msiPrincipalId)
- # customParameterFileTokens: '[{\"name\":\"msiPrincipalId\",\"value\":\"msiPrincipalIdddd\"}]'
- customParameterFileTokens: >
- [
- { "name": "msiPrincipalId",
- "value": "msiPrincipalIdValue" }
- ]
+ # customParameterFileTokens: \[\{"name":"msiPrincipalId","value":"msiPrincipalIdddd"\}\]
+ # customParameterFileTokens: >
+ # [
+ # { "name": "msiPrincipalId",
+ # "value": "msiPrincipalIdValue" }
+ # ]
 # customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ]
From b728ee6a2cebabf1d1043e3a369a72ba40fb775d Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 17:10:32 +0100
Subject: [PATCH 49/69] stageDependencies
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index a057269e21..b0beaad022 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -595,7 +595,8 @@ stages:
 variables:
 resourceType: 'Microsoft.Authorization/roleAssignments'
 templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep
- msiPrincipalId: $[ dependencies.deploy_msi.outputs['job_set_msi_id.print_msi_prinId.msiPrincipalId'] ]
+ # msiPrincipalId: $[ dependencies.deploy_msi.outputs['job_set_msi_id.print_msi_prinId.msiPrincipalId'] ]
+ msiPrincipalId: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ]
 # dependencies.STAGE.outputs['JOB.TASK.VARIABLE']
 jobs:
 - job: job_get_msi_id
From 66a0f0e192f76c0db3f52ab894ed22dd3068b68d Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 17:20:28 +0100
Subject: [PATCH 50/69] sq brac 1 pair
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index b0beaad022..0a974f28e9 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -58,6 +58,7 @@ stages:
 templateFilePath: $(templateFilePath)
 displayName: User Assigned Identity
 jobName: job_deploy_msi
+ customParameterFileTokens: [{"name":"value"}]
 - job: job_set_msi_id
 displayName: Set msi principal ID output
 dependsOn:
@@ -653,7 +654,7 @@ stages:
 - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json
 templateFilePath: $(templateFilePath)
 displayName: Default MSI Role Assignment
- customParameterFileTokens: \[\]
+ customParameterFileTokens: $(msiPrincipalId)
 # customParameterFileTokens: $(msiPrincipalId)
 # customParameterFileTokens: \[\{"name":"msiPrincipalId","value":"msiPrincipalIdddd"\}\]
 # customParameterFileTokens: >
From 432e61d3a57e924d8315b94de493a5dfcc9b4e04 Mon Sep 17 00:00:00 2001
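Review bot: The live stage-level `msiPrincipalId` in the first hunk now uses the `stageDependencies.STAGE.JOB.outputs[...]` form while the `# dependencies.STAGE.outputs['JOB.TASK.VARIABLE']` comment kept on the next line documents the form this commit comments out, so the comment no longer describes the active line. As far as I recall, the Azure Pipelines dependency-syntax table lists `dependencies.STAGE.outputs['JOB.TASK.VARIABLE']` for stage-to-stage references and `stageDependencies.STAGE.JOB.outputs['TASK.VARIABLE']` for stage-to-job (job-level variables), so whichever one resolves in practice, keep only that line and change the comment to name it, e.g. `# stage-to-job form: stageDependencies.STAGE.JOB.outputs['TASK.VARIABLE']`. If this form yields an empty value at stage scope, the `msiPrincipalId: $(msiPrincipalId)` job variable from PATCH 46 and the token built in `print_custom_token` both inherit the empty string silently.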
From: Erika Gressi
Date: Mon, 17 Jan 2022 17:23:03 +0100
Subject: [PATCH 51/69] sq brac 1 pair quotes
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 0a974f28e9..5967b9c58f 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -58,7 +58,7 @@ stages:
 templateFilePath: $(templateFilePath)
 displayName: User Assigned Identity
 jobName: job_deploy_msi
- customParameterFileTokens: [{"name":"value"}]
+ customParameterFileTokens: '[{"name":"value"}]'
 - job: job_set_msi_id
 displayName: Set msi principal ID output
 dependsOn:
From 922bee23426c06cfa36daf46bfcaefc686ff2982 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 17:27:00 +0100
Subject: [PATCH 52/69] sq brac 1 pair quotes escape
---
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index 5967b9c58f..b578d09bab 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -58,7 +58,7 @@ stages:
 templateFilePath: $(templateFilePath)
 displayName: User Assigned Identity
 jobName: job_deploy_msi
- customParameterFileTokens: '[{"name":"value"}]'
+ customParameterFileTokens: '[{\"name\":\"value\"}]'
 - job: job_set_msi_id
 displayName: Set msi principal ID output
 dependsOn:
From 2e41cd2eaeaa58af4958d0be3e4b8b0cbc33c51c Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 17:34:16 +0100
Subject: [PATCH 53/69] sq brac 1 pair 2 quotes escape
---
 .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 4 ++--
 .azuredevops/platformPipelines/platform.dependencies.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
index d75c63fdf8..bfc283cad9 100644
--- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
@@ -178,10 +178,10 @@ jobs:
 ) | ForEach-Object { [PSCustomObject]$PSItem }
 # Get additional Custom Parameter File Tokens from input
- Write-Verbose "OtherCustomParameterFileTokens: '${{ deploymentBlock.customParameterFileTokens }}'" -Verbose
+ Write-Verbose "OtherCustomParameterFileTokens: ${{ deploymentBlock.customParameterFileTokens }}" -Verbose
 $OtherCustomParameterFileTokens = @()
- # $OtherCustomParameterFileTokens = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json
+ # $OtherCustomParameterFileTokens2 = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json
 # Construct Token Function Input
 $ConvertTokensInputs = @{
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml
index b578d09bab..4a277fe53d 100644
--- a/.azuredevops/platformPipelines/platform.dependencies.yml
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml
@@ -58,7 +58,7 @@ stages:
 templateFilePath: $(templateFilePath)
 displayName: User Assigned Identity
 jobName: job_deploy_msi
- customParameterFileTokens: '[{\"name\":\"value\"}]'
+ customParameterFileTokens: "[{\"name\":\"value\"}]"
 - job: job_set_msi_id
 displayName: Set msi principal ID output
 dependsOn:
From 321c7899c628c2d580b05fa8029cb41f4be429b4 Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 17:44:39 +0100
Subject: [PATCH 54/69] write verbose single quote
---
 .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
index bfc283cad9..240a71a38c 100644
--- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
@@ -178,7 +178,7 @@ jobs:
 ) | ForEach-Object { [PSCustomObject]$PSItem }
 # Get additional Custom Parameter File Tokens from input
- Write-Verbose "OtherCustomParameterFileTokens: ${{ deploymentBlock.customParameterFileTokens }}" -Verbose
+ Write-Verbose 'OtherCustomParameterFileTokens: ${{ deploymentBlock.customParameterFileTokens }}' -Verbose
 $OtherCustomParameterFileTokens = @()
 # $OtherCustomParameterFileTokens2 = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json
From 7ea17499bc8711a8922fe749737a31a5baf10b3e Mon Sep 17 00:00:00 2001
From: Erika Gressi
Date: Mon, 17 Jan 2022 17:45:18 +0100
Subject: [PATCH 55/69] write verbose single quote
---
 .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
index 240a71a38c..8b4970f8d4 100644
--- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
+++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml
@@ -178,7 +178,7 @@ jobs: ) | ForEach-Object { [PSCustomObject]$PSItem } # Get additional Custom Parameter File Tokens from input - Write-Verbose 'OtherCustomParameterFileTokens: ${{ deploymentBlock.customParameterFileTokens }}' -Verbose + Write-Verbose 'OtherCustomParameterFileTokens: ${{ deploymentBlock.customParameterFileTokens }}' -Verbose $OtherCustomParameterFileTokens = @() # $OtherCustomParameterFileTokens2 = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json From 808538c47401a5660c0915bde2d30942488bf779 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 17:50:19 +0100 Subject: [PATCH 56/69] single quote param --- .azuredevops/platformPipelines/platform.dependencies.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 4a277fe53d..0c36e58c96 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -58,7 +58,8 @@ stages: templateFilePath: $(templateFilePath) displayName: User Assigned Identity jobName: job_deploy_msi - customParameterFileTokens: "[{\"name\":\"value\"}]" + # customParameterFileTokens: "[{\"name\":\"value\"}]" + customParameterFileTokens: '[{"name":"msiPrincipalId","value":"msiPrincipalIdValue"}]' - job: job_set_msi_id displayName: Set msi principal ID output dependsOn: From 33c2bc1d7ccda9b738fc360171e806e744ea6b0d Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 17:54:36 +0100 Subject: [PATCH 57/69] single quote param var --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 0c36e58c96..1028f3ff05 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml 
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -59,7 +59,7 @@ stages: displayName: User Assigned Identity jobName: job_deploy_msi # customParameterFileTokens: "[{\"name\":\"value\"}]" - customParameterFileTokens: '[{"name":"msiPrincipalId","value":"msiPrincipalIdValue"}]' + customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"$(templateFilePath)"}]' - job: job_set_msi_id displayName: Set msi principal ID output dependsOn: From 4a93cb4f3a0c1c983c1007a3a6cc7aae209cafba Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 17:57:34 +0100 Subject: [PATCH 58/69] OtherCustomParameterFileTokens --- .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml index 8b4970f8d4..0c56ea52f0 100644 --- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml +++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml @@ -180,8 +180,8 @@ jobs: # Get additional Custom Parameter File Tokens from input Write-Verbose 'OtherCustomParameterFileTokens: ${{ deploymentBlock.customParameterFileTokens }}' -Verbose - $OtherCustomParameterFileTokens = @() - # $OtherCustomParameterFileTokens2 = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json + # $OtherCustomParameterFileTokens = @() + $OtherCustomParameterFileTokens = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json # Construct Token Function Input $ConvertTokensInputs = @{ From 4fb595658db4b0e93c339d09cd4ed35591be5de5 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 18:01:29 +0100 Subject: [PATCH 59/69] OtherCustomParameterFileTokens in second stage --- .azuredevops/platformPipelines/platform.dependencies.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
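Review bot: Enabling `$OtherCustomParameterFileTokens = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json` pastes the token string into a single-quoted PowerShell literal, so a value containing `'` terminates the literal and whatever follows runs as PowerShell on the agent, while an empty or malformed value only fails inside ConvertFrom-Json (on Windows PowerShell 5.1 an empty string is already a parameter-binding error). The `$(msiPrincipalId)` macro embedded in that JSON is expanded when the task input is processed, so the final content is not known at template-compile time. Prefer passing the string to the script through the task's `env:` (e.g. `CUSTOM_PARAMETER_FILE_TOKENS: ${{ deploymentBlock.customParameterFileTokens }}`) and parsing it with an explicit empty check: `$OtherCustomParameterFileTokens = if ([string]::IsNullOrWhiteSpace($env:CUSTOM_PARAMETER_FILE_TOKENS)) { @() } else { $env:CUSTOM_PARAMETER_FILE_TOKENS | ConvertFrom-Json }`. The PowerShell task definition that would carry the `env:` block is outside this hunk.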
diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 1028f3ff05..1df3f6cab7 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -58,8 +58,6 @@ stages: templateFilePath: $(templateFilePath) displayName: User Assigned Identity jobName: job_deploy_msi - # customParameterFileTokens: "[{\"name\":\"value\"}]" - customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"$(templateFilePath)"}]' - job: job_set_msi_id displayName: Set msi principal ID output dependsOn: @@ -655,7 +653,7 @@ stages: - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) displayName: Default MSI Role Assignment - customParameterFileTokens: $(msiPrincipalId) + customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"$(msiPrincipalId)"}]' # customParameterFileTokens: $(msiPrincipalId) # customParameterFileTokens: \[\{"name":"msiPrincipalId","value":"msiPrincipalIdddd"\}\] # customParameterFileTokens: > From a76b97f1d12774091e69c625b757bcd43d563935 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 18:17:47 +0100 Subject: [PATCH 60/69] cleanup --- .../platform.dependencies.yml | 70 ------------------- 1 file changed, 70 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 1df3f6cab7..b5b90657e3 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
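Review bot: `"Value":"$(msiPrincipalId)"` in the role-assignment block assumes the stage variable resolves to a non-empty principal GUID; if the `print_msi_prinId` output was never set, the token presumably becomes an empty string (or the unresolved macro text, depending on how the `$[ stageDependencies… ]` expression evaluates) and the deployment is attempted against a bogus principal instead of failing early. A value containing `"` or `\` would also break the hand-built JSON, although a principal ID should never contain either. Consider validating the parsed list in the script that consumes `customParameterFileTokens`: `if ($OtherCustomParameterFileTokens | Where-Object { [string]::IsNullOrWhiteSpace($_.Value) -or $_.Value -match '^\$\(' }) { throw 'Custom parameter file token has an empty or unresolved value' }`. The `deploymentBlocks` list continues outside this hunk.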
@@ -576,18 +576,6 @@ stages: # templateFilePath: $(templateFilePath) # displayName: Default Application Group - - stage: print_msi - dependsOn: deploy_msi - jobs: - - job: print_msi_job - variables: - varFromStageA: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ] - steps: - - checkout: none - - script: | - echo "This Job will print value from deploy_msi stage" - echo $(varFromStageA) - - stage: deploy_rolea displayName: Deploy role assignments dependsOn: 
@@ -595,58 +583,8 @@ stages: variables: resourceType: 'Microsoft.Authorization/roleAssignments' templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_rbac_sub.bicep - # msiPrincipalId: $[ dependencies.deploy_msi.outputs['job_set_msi_id.print_msi_prinId.msiPrincipalId'] ] msiPrincipalId: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ] - # dependencies.STAGE.outputs['JOB.TASK.VARIABLE'] jobs: - - job: job_get_msi_id - displayName: Get msi principal ID output - pool: - ${{ if eq(variables['vmImage'], '') }}: - name: $(poolName) - ${{ if eq(variables['poolName'], '') }}: - vmImage: $(vmImage) - variables: - # msiPrincipalId: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ] - msiPrincipalId: $(msiPrincipalId) - steps: - - task: PowerShell@2 - name: print_custom_token - inputs: - targetType: inline - pwsh: true - script: | - # # Load used functions - # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') - - # # Load Settings File - # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json - - # # Initialize Default Parameter File Tokens - # $OtherCustomParameterFileTokens = @( - # @{ Name = 'msiPrincipalId'; Value = '$(msiPrincipalId)' } - # ) - - # # Construct Token Function Input - # $ConvertTokensInputs = @{ - # ParameterFilePath = Join-Path '$(System.DefaultWorkingDirectory)' '$(dependencyPath)/$(resourceType)/parameters/parameters.json' - # OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens - # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - # } - - # # Invoke Token Replacement Functionality - - # Write-Verbose "msiPrincipalId: '$(msiPrincipalId)'" -Verbose - # $msiPrincipalId = '$(msiPrincipalId)' - # Initialize Additional Custom Parameter File Tokens for Token Replacement Functionality - 
$otherCustomParameterFileTokens = @( - @{ Name = 'msiPrincipalId'; Value = '$(msiPrincipalId)' } - ) - - $customParameterFileTokens = $otherCustomParameterFileTokens | ConvertTo-Json - Write-Verbose "customParameterFileTokens: $customParameterFileTokens" -Verbose - Write-Output ('##vso[task.setvariable variable={0};isOutput=true]{1}' -f 'customParameterFileTokens', $customParameterFileTokens) - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml parameters: deploymentBlocks: @@ -654,14 +592,6 @@ stages: templateFilePath: $(templateFilePath) displayName: Default MSI Role Assignment customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"$(msiPrincipalId)"}]' - # customParameterFileTokens: $(msiPrincipalId) - # customParameterFileTokens: \[\{"name":"msiPrincipalId","value":"msiPrincipalIdddd"\}\] - # customParameterFileTokens: > - # [ - # { "name": "msiPrincipalId", - # "value": "msiPrincipalIdValue" } - # ] - # customParameterFileTokens: $[ dependencies.job_get_msi_id.outputs['print_custom_token.customParameterFileTokens'] ] # - stage: deploy_vnet From 4f17321bcd7dd0cbda96504df0828f536e22a22d Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 18:19:21 +0100 Subject: [PATCH 61/69] cleanup template --- .azuredevops/pipelineTemplates/module.jobs.deploy.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml index 0c56ea52f0..f136983f29 100644 --- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml +++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml 
@@ -178,9 +178,7 @@ jobs: ) | ForEach-Object { [PSCustomObject]$PSItem } # Get additional Custom Parameter File Tokens from input - Write-Verbose 'OtherCustomParameterFileTokens: ${{ deploymentBlock.customParameterFileTokens }}' -Verbose - - # $OtherCustomParameterFileTokens = @() + Write-Verbose 'Additional Custom Parameter File Tokens: ${{ deploymentBlock.customParameterFileTokens }}' -Verbose $OtherCustomParameterFileTokens = '${{ deploymentBlock.customParameterFileTokens }}' | ConvertFrom-Json # Construct Token Function Input From a8bb43157d45fc446b2e72f85b566f9c1faf9b3b Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 18:24:45 +0100 Subject: [PATCH 62/69] all jobs using msi id --- .../platform.dependencies.yml | 90 ++++++++++--------- 1 file changed, 49 insertions(+), 41 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index b5b90657e3..052fe6bb82 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml 
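Review bot: `Write-Verbose 'Additional Custom Parameter File Tokens: ${{ deploymentBlock.customParameterFileTokens }}'` echoes every token value into the build log; Azure Pipelines masks only values registered as secret variables, so any future caller that routes a key, connection string or password through `customParameterFileTokens` will see it in clear text in the log. Log only the token names, after the JSON has been parsed: `Write-Verbose ('Additional Custom Parameter File Tokens: {0}' -f ($OtherCustomParameterFileTokens.Name -join ', ')) -Verbose`. The rest of the script, including the `$ConvertTokensInputs` splat, continues outside this hunk.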
@@ -372,48 +372,56 @@ stages: # templateFilePath: $(templateFilePath) # displayName: Default AVD Host Pool - # - stage: deploy_rsv - # displayName: Deploy recovery services vault - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.RecoveryServices/vaults' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default recovery services vault + - stage: deploy_rsv + displayName: Deploy recovery services vault + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + - deploy_msi + variables: + resourceType: 'Microsoft.RecoveryServices/vaults' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + msiPrincipalId: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ] + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default recovery services vault + customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"$(msiPrincipalId)"}]' - # - stage: deploy_kv - # displayName: Deploy key vaults - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.KeyVault/vaults' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Key Vault - # jobName: default_kv - # - path: 
$(dependencyPath)/$(resourceType)/parameters/pe.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Private Endpoint Key Vault - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI key vault - # jobName: sqlmi_kv + - stage: deploy_kv + displayName: Deploy key vaults + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + - deploy_msi + variables: + resourceType: 'Microsoft.KeyVault/vaults' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + msiPrincipalId: $[ stageDependencies.deploy_msi.job_set_msi_id.outputs['print_msi_prinId.msiPrincipalId'] ] + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Key Vault + jobName: default_kv + customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"$(msiPrincipalId)"}]' + - path: $(dependencyPath)/$(resourceType)/parameters/pe.parameters.json + templateFilePath: $(templateFilePath) + displayName: Private Endpoint Key Vault + customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"$(msiPrincipalId)"}]' + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI key vault + jobName: sqlmi_kv + customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"$(msiPrincipalId)"}]' # - job: # displayName: Set key vault secrets keys and certificates # dependsOn: From 99c1be87fa1c3e0c9519ce06ad5ae17bbcfabc52 Mon Sep 17 00:00:00 2001 
From: Erika Gressi Date: Mon, 17 Jan 2022 18:26:58 +0100 Subject: [PATCH 63/69] comment not used stages --- .../platformPipelines/platform.dependencies.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 052fe6bb82..f8b27eb58d 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -375,9 +375,9 @@ stages: - stage: deploy_rsv displayName: Deploy recovery services vault dependsOn: - - deploy_sa - - deploy_evh - - deploy_law + # - deploy_sa + # - deploy_evh + # - deploy_law - deploy_msi variables: resourceType: 'Microsoft.RecoveryServices/vaults' @@ -395,9 +395,9 @@ stages: - stage: deploy_kv displayName: Deploy key vaults dependsOn: - - deploy_sa - - deploy_evh - - deploy_law + # - deploy_sa + # - deploy_evh + # - deploy_law - deploy_msi variables: resourceType: 'Microsoft.KeyVault/vaults' From a1bd9bc7062c89dfe3563ff39989fdfb1d37fbd6 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 18:41:18 +0100 Subject: [PATCH 64/69] gh alternative --- .../pipelineTemplates/module.jobs.deploy.yml | 1 - .../validateModuleDeployment/action.yml | 10 +- .github/workflows/platform.dependencies.yml | 2014 +++++++++-------- 3 files changed, 1029 insertions(+), 996 deletions(-) diff --git a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml index f136983f29..28bf6c7497 100644 --- a/.azuredevops/pipelineTemplates/module.jobs.deploy.yml +++ b/.azuredevops/pipelineTemplates/module.jobs.deploy.yml 
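Review bot: Commenting out `deploy_sa`, `deploy_evh` and `deploy_law` in the `dependsOn` lists of `deploy_rsv` and `deploy_kv` lets those stages start before the storage account, event hub and workspace exist; if the vault parameter files reference them (the original ordering suggests they do, e.g. for diagnostic settings), the deployments will race or fail. If the dependencies are only dropped to shorten test runs, restore them before merging or leave a reason next to the list, e.g. `# TODO: restore deploy_sa/deploy_evh/deploy_law once the diagnostics parameters are re-enabled`.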
@@ -62,7 +62,6 @@ parameters: managementGroupId: '$(ARM_MGMTGROUP_ID)' parametersRepository: '$(Build.Repository.Name)' modulesRepository: '$(modulesRepository)' - customParameterFileTokens: '' # Azure PowerShell Version parameters azurePowerShellVersion: '$(azurePowerShellVersion)' preferredAzurePowerShellVersion: '$(preferredAzurePowerShellVersion)' diff --git a/.github/actions/templates/validateModuleDeployment/action.yml b/.github/actions/templates/validateModuleDeployment/action.yml index 8a6ae87cf1..7e87b017d1 100644 --- a/.github/actions/templates/validateModuleDeployment/action.yml +++ b/.github/actions/templates/validateModuleDeployment/action.yml @@ -20,6 +20,9 @@ inputs: managementGroupId: description: 'The managementGroupId to deploy to' required: false + customParameterFileTokens: + description: 'Additional parameter file token pairs in json format. e.g. [{"Name":"tokenName","Value":"tokenValue"}]' + required: false removeDeployment: description: 'Set "true" to set module up for removal' default: 'true' 
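Review bot: The new `customParameterFileTokens` input in action.yml is `required: false` but has no `default:`, so a caller that omits it hands an empty string to the `ConvertFrom-Json` call in the action script; a valid empty array keeps parsing uniform: `default: '[]'`. The description could also state the shape the script expects, a JSON array of objects with `Name` and `Value` properties, since those are the property names the token-replacement function reads.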
@@ -84,14 +87,17 @@ runs: @{ Name = 'managementGroupId'; Value = '${{ inputs.managementGroupId }}' } @{ Name = "tenantId"; Value = '${{ env.ARM_TENANT_ID }}' } @{ Name = "deploymentSpId"; Value = '${{ env.DEPLOYMENT_SP_ID }}' } - ) + ) | ForEach-Object { [PSCustomObject]$PSItem } - $DefaultParameterFileTokens = $DefaultParameterFileTokens | ForEach-Object { [PSCustomObject]$PSItem } + # Get additional Custom Parameter File Tokens from input + Write-Verbose 'Additional Custom Parameter File Tokens: ${{ inputs.customParameterFileTokens }}' -Verbose + $OtherCustomParameterFileTokens = '${{ inputs.customParameterFileTokens }}' | ConvertFrom-Json # Construct Token Function Input $ConvertTokensInputs = @{ ParameterFilePath = '${{ inputs.parameterFilePath }}' DefaultParameterFileTokens = $DefaultParameterFileTokens + OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens LocalCustomParameterFileTokens = $Settings.parameterFileTokens.localTokens.tokens TokenPrefix = $Settings.parameterFileTokens.tokenPrefix TokenSuffix = $Settings.parameterFileTokens.tokenSuffix diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 4eb1efd48d..fbaadf5a15 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml 
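Review bot: `'${{ inputs.customParameterFileTokens }}' | ConvertFrom-Json` substitutes the input into the inline PowerShell before the shell ever runs it, so a value containing a single quote closes the literal and the remainder executes as code on the runner, with whatever Azure credentials the action has established at that point. Today the calling workflow feeds it from `needs.job_deploy_msi.outputs.msiPrincipalId`, but a composite action cannot know what later callers pass, so treat the input as data: expose it to the step through `env:` and read `$env:` in the script, which also removes any quoting concern for the JSON itself. The same substitution is repeated on the `Write-Verbose` line, which additionally logs the raw values; logging only the names is safer. The step header that would carry the `env:` block is outside this hunk.

```yaml
      env:
        CUSTOM_PARAMETER_FILE_TOKENS: ${{ inputs.customParameterFileTokens }}
      run: |
        # … unchanged: settings load and DefaultParameterFileTokens construction …
        # Read additional tokens from the step environment, never via expression substitution into the script
        $OtherCustomParameterFileTokens = if ([string]::IsNullOrWhiteSpace($env:CUSTOM_PARAMETER_FILE_TOKENS)) { @() } else { $env:CUSTOM_PARAMETER_FILE_TOKENS | ConvertFrom-Json }
        Write-Verbose ('Additional Custom Parameter File Tokens: {0}' -f ($OtherCustomParameterFileTokens.Name -join ', ')) -Verbose
        # … unchanged: $ConvertTokensInputs splat …
```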
@@ -30,38 +30,38 @@ env: DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: - job_deploy_rg: - runs-on: ubuntu-20.04 - name: 'Deploy resource group' - env: - namespace: 'Microsoft.Resources\resourceGroups' - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['validation.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # job_deploy_rg: + # runs-on: ubuntu-20.04 + # name: 'Deploy resource group' + # env: + # namespace: 'Microsoft.Resources\resourceGroups' + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['validation.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' job_deploy_msi: runs-on: ubuntu-20.04 name: 'Deploy user assigned identity' env: namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' - needs: - - job_deploy_rg + # needs: + # - 
job_deploy_rg outputs: msiPrincipalId: ${{ steps.print_msi_prinId.outputs.msiPrincipalId }} strategy: 
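Review bot: Commenting out `job_deploy_rg` and the `needs: [job_deploy_rg]` of `job_deploy_msi` leaves a large dead block in the workflow and drops the ordering that ensured the resource group exists before the identity is presumably deployed into it. If this is scaffolding for the "gh alternative" experiment, keep it on the branch and restore the job and the `needs` entry before merging; if the resource group is meant to pre-exist, delete the commented job outright instead of carrying it in the file. The remaining steps of `job_deploy_msi` continue outside this hunk.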
@@ -94,258 +94,833 @@ jobs: Write-Output ('::set-output name=msiPrincipalId::{0}' -f $msiPrincipalId) azPSVersion: 'latest' - job_deploy_pa: - runs-on: ubuntu-20.04 - name: 'Deploy policy assignment' - env: - namespace: 'Microsoft.Authorization\policyAssignments' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_evh: - runs-on: ubuntu-20.04 - name: 'Deploy eventhub' - env: - namespace: 'Microsoft.EventHub\namespaces' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_law: - runs-on: ubuntu-20.04 - name: 'Deploy log analytics workspace' - env: - namespace: 
'Microsoft.OperationalInsights\workspaces' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['appi.parameters.json', 'parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sa: - runs-on: ubuntu-20.04 - name: 'Deploy storage account' - env: - namespace: 'Microsoft.Storage\storageAccounts' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: - ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_sa_upload_storage_files: - runs-on: ubuntu-20.04 - name: 'Upload files to storage account' - env: - namespace: 'Microsoft.Storage\storageAccounts' - needs: - - job_deploy_sa - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Setup agent' - shell: pwsh - run: 
| - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.Storage' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: Run PowerShell - uses: azure/powershell@v1 - with: - inlineScript: | - # Load used functions - . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # Get storage account name - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' - $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # Upload files to storage account - $functionInput = @{ - ResourceGroupName = '${{ env.defaultResourceGroupName }}' - StorageAccountName = $storageAccountParameters.name.value - contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads' - targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - } - - Write-Verbose "Invoke task with" -Verbose - Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - Export-ContentToBlob @functionInput -Verbose - azPSVersion: 'latest' - - job_deploy_sig: - runs-on: ubuntu-20.04 - name: 'Deploy shared image gallery and definition' - env: - namespace: 'Microsoft.Compute\galleries' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ 
env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_ag: - runs-on: ubuntu-20.04 - name: 'Deploy action groups' - env: - namespace: 'Microsoft.Insights\actionGroups' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_asg: - runs-on: ubuntu-20.04 - name: 'Deploy application security groups' - env: - namespace: 'Microsoft.Network\applicationSecurityGroups' - needs: - - job_deploy_rg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ 
secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + # job_deploy_pa: + # runs-on: ubuntu-20.04 + # name: 'Deploy policy assignment' + # env: + # namespace: 'Microsoft.Authorization\policyAssignments' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_evh: + # runs-on: ubuntu-20.04 + # name: 'Deploy eventhub' + # env: + # namespace: 'Microsoft.EventHub\namespaces' + # needs: + # - job_deploy_rg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_law: + # runs-on: ubuntu-20.04 + # name: 'Deploy log analytics 
workspace'
+ # env:
+ # namespace: 'Microsoft.OperationalInsights\workspaces'
+ # needs:
+ # - job_deploy_rg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['appi.parameters.json', 'parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_sa:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy storage account'
+ # env:
+ # namespace: 'Microsoft.Storage\storageAccounts'
+ # needs:
+ # - job_deploy_rg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths:
+ # ['fa.parameters.json', 'law.parameters.json', 'parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_sa_upload_storage_files:
+ # runs-on: ubuntu-20.04
+ # name: 'Upload files to storage account'
+ # env:
+ # namespace: 'Microsoft.Storage\storageAccounts'
+ # needs:
+ # - job_deploy_sa
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Setup agent'
+ # shell: pwsh
+ # run: |
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
+
+ # # Define PS modules to install on the runner
+ # $Modules = @(
+ # @{ Name = 'Az.Storage' }
+ # )
+
+ # # Set agent up
+ # Set-EnvironmentOnAgent -PSModules $Modules
+ # - name: Azure Login
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_CREDENTIALS }}
+ # enable-AzPSSession: true
+ # - name: Run PowerShell
+ # uses: azure/powershell@v1
+ # with:
+ # inlineScript: |
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1')
+
+ # # Get storage account name
+ # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json'
+ # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters
+
+ # # Upload files to storage account
+ # $functionInput = @{
+ # ResourceGroupName = '${{ env.defaultResourceGroupName }}'
+ # StorageAccountName = $storageAccountParameters.name.value
+ # contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads'
+ # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name
+ # }
+
+ # Write-Verbose "Invoke task with" -Verbose
+ # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose
+
+ # Export-ContentToBlob @functionInput -Verbose
+ # azPSVersion: 'latest'
+
+ # job_deploy_sig:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy shared image gallery and definition'
+ # env:
+ # namespace: 'Microsoft.Compute\galleries'
+ # needs:
+ # - job_deploy_rg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_ag:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy action groups'
+ # env:
+ # namespace: 'Microsoft.Insights\actionGroups'
+ # needs:
+ # - job_deploy_rg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_asg:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy application security groups'
+ # env:
+ # namespace: 'Microsoft.Network\applicationSecurityGroups'
+ # needs:
+ # - job_deploy_rg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_udr:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy route tables'
+ # env:
+ # namespace: 'Microsoft.Network\routeTables'
+ # needs:
+ # - job_deploy_rg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_sqlmi_udr:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy sqlmi route tables'
+ # if: github.event.inputs.deploySqlMiDependencies == 'true'
+ # env:
+ # namespace: 'Microsoft.Network\routeTables'
+ # needs:
+ # - job_deploy_rg
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['sqlMi.parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_nsg:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy network security groups'
+ # env:
+ # namespace: 'Microsoft.Network\networkSecurityGroups'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths:
+ # [
+ # 'apgw.parameters.json',
+ # 'ase.parameters.json',
+ # 'bastion.parameters.json',
+ # 'parameters.json',
+ # ]
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_sqlmi_nsg:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy sqlmi network security group'
+ # if: github.event.inputs.deploySqlMiDependencies == 'true'
+ # env:
+ # namespace: 'Microsoft.Network\networkSecurityGroups'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['sqlmi.parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_pip:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy public IP addresses'
+ # env:
+ # namespace: 'Microsoft.Network\publicIPAddresses'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths:
+ # ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_appi:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy application insight'
+ # env:
+ # namespace: 'Microsoft.Insights\components'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_aut:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy automation account'
+ # env:
+ # namespace: 'Microsoft.Automation\automationAccounts'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_avdhp:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy AVD host pool'
+ # env:
+ # namespace: 'Microsoft.DesktopVirtualization\hostpools'
+ # needs:
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_rsv:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy recovery services vault'
+ # env:
+ # namespace: 'Microsoft.RecoveryServices\vaults'
+ # needs:
+ # - job_deploy_msi
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Get msi principal ID and replace token in parameter file'
+ # shell: pwsh
+ # run: |
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1')
+
+ # # Load Settings File
+ # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json
+
+ # # Initialize Default Parameter File Tokens
+ # $OtherCustomParameterFileTokens = @(
+ # @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
+ # )
+
+ # # Construct Token Function Input
+ # $ConvertTokensInputs = @{
+ # ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens
+ # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ # }
+
+ # # Invoke Token Replacement Functionality
+ # $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_kv:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy key vaults'
+ # env:
+ # namespace: 'Microsoft.KeyVault\vaults'
+ # needs:
+ # - job_deploy_msi
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json', 'pe.parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Get msi principal ID and replace token in parameter file'
+ # shell: pwsh
+ # run: |
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1')
+
+ # # Load Settings File
+ # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json
+
+ # # Initialize Default Parameter File Tokens
+ # $OtherCustomParameterFileTokens = @(
+ # @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
+ # )
+
+ # # Construct Token Function Input
+ # $ConvertTokensInputs = @{
+ # ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens
+ # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ # }
+
+ # # Invoke Token Replacement Functionality
+ # $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_kv_secrets:
+ # runs-on: ubuntu-20.04
+ # name: 'Set key vault secrets keys and certificates'
+ # env:
+ # namespace: 'Microsoft.KeyVault\vaults'
+ # needs:
+ # - job_deploy_kv
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Setup agent'
+ # shell: pwsh
+ # run: |
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
+
+ # # Define PS modules to install on the runner
+ # $Modules = @(
+ # @{ Name = 'Az.KeyVault' }
+ # )
+
+ # # Set agent up
+ # Set-EnvironmentOnAgent -PSModules $Modules
+ # - name: Azure Login
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_CREDENTIALS }}
+ # enable-AzPSSession: true
+ # - name: 'Set key vault secrets keys and certificates'
+ # uses: azure/powershell@v1
+ # with:
+ # inlineScript: |
+ # # Get key vault name
+ # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json'
+ # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters
+ # $keyVaultName = $keyVaultParameters.name.value
+
+ # # Generate values
+ # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length
+ # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force
+ # $passwordString = (New-Guid).Guid.SubString(0, 19)
+ # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force
+ # $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32)
+ # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force
+
+ # # Set secrets
+ # # -------
+ # @(
+ # @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS
+ # @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS
+ # @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer
+ # @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer
+ # @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway
+ # @{ name = 'apimClientId'; secretValue = $username } # API management
+ # @{ name = 'apimClientSecret'; secretValue = $password } # API management
+ # ) | ForEach-Object {
+ # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
+ # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ # }
+
+ # # Set certificates
+ # # -----------
+ # $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal
+ # @(
+ # @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway
+ # ) | ForEach-Object {
+ # $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy
+ # Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ # }
+
+ # # Set keys
+ # # ----
+ # @(
+ # @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS
+ # ) | ForEach-Object {
+ # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
+ # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ # }
+ # azPSVersion: 'latest'
+
+ # job_deploy_sqlmi_kv:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy sqlmi key vault'
+ # if: github.event.inputs.deploySqlMiDependencies == 'true'
+ # env:
+ # namespace: 'Microsoft.KeyVault\vaults'
+ # needs:
+ # - job_deploy_msi
+ # - job_deploy_sa
+ # - job_deploy_evh
+ # - job_deploy_law
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['sqlmi.parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Get msi principal ID and replace token in parameter file'
+ # shell: pwsh
+ # run: |
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1')
+
+ # # Load Settings File
+ # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json
+
+ # # Initialize Default Parameter File Tokens
+ # $OtherCustomParameterFileTokens = @(
+ # @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
+ # )
+
+ # # Construct Token Function Input
+ # $ConvertTokensInputs = @{
+ # ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens
+ # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
+ # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
+ # }
+
+ # # Invoke Token Replacement Functionality
+ # $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
+
+ # job_deploy_sqlmi_kv_secrets:
+ # runs-on: ubuntu-20.04
+ # name: 'Set sqlmi key vault secrets and keys'
+ # if: github.event.inputs.deploySqlMiDependencies == 'true'
+ # needs:
+ # - job_deploy_sqlmi_kv
+ # env:
+ # namespace: 'Microsoft.KeyVault\vaults'
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Setup agent'
+ # shell: pwsh
+ # run: |
+ # # Load used functions
+ # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1')
+
+ # # Define PS modules to install on the runner
+ # $Modules = @(
+ # @{ Name = 'Az.KeyVault' }
+ # )
+
+ # # Set agent up
+ # Set-EnvironmentOnAgent -PSModules $Modules
+ # - name: Azure Login
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_CREDENTIALS }}
+ # enable-AzPSSession: true
+ # - name: 'Set sqlmi key vault secrets and keys'
+ # uses: azure/powershell@v1
+ # with:
+ # inlineScript: |
+ # # Get key vault name
+ # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json'
+ # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters
+ # $keyVaultName = $keyVaultParameters.name.value
+
+ # # Generate values
+ # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length
+ # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force
+ # $passwordString = (New-Guid).Guid.SubString(0, 19)
+ # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force
+
+ # # Set secrets
+ # # -------
+ # @(
+ # @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances
+ # @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances
+ # ) | ForEach-Object {
+ # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue
+ # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ # }
+
+ # # Set keys
+ # # ----
+ # @(
+ # @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances
+ # ) | ForEach-Object {
+ # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination
+ # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose
+ # }
+ # azPSVersion: 'latest'
+
+ # job_deploy_avdag:
+ # runs-on: ubuntu-20.04
+ # name: 'Deploy AVD application group'
+ # env:
+ # namespace: 'Microsoft.DesktopVirtualization\applicationgroups'
+ # needs:
+ # - job_deploy_avdhp
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # parameterFilePaths: ['parameters.json']
+ # steps:
+ # - name: 'Checkout'
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ # - name: 'Deploy module'
+ # uses: ./.github/actions/templates/validateModuleDeployment
+ # with:
+ # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
+ # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
+ # location: '${{ env.defaultLocation }}'
+ # resourceGroupName: '${{ env.defaultResourceGroupName }}'
+ # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
+ # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
+ # removeDeployment: '${{ env.removeDeployment }}'
- job_deploy_udr:
+ job_deploy_rolea:
 runs-on: ubuntu-20.04
- name: 'Deploy route tables'
+ name: 'Deploy role assignments'
 env:
- namespace: 'Microsoft.Network\routeTables'
+ namespace: 'Microsoft.Authorization\roleAssignments'
 needs:
- - job_deploy_rg
+ - job_deploy_msi
 strategy:
 fail-fast: false
 matrix:
@@ -355,605 +930,6 @@ jobs:
 uses: actions/checkout@v2
 with:
 fetch-depth: 0
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_sqlmi_udr:
- runs-on: ubuntu-20.04
- name: 'Deploy sqlmi route tables'
- if: github.event.inputs.deploySqlMiDependencies == 'true'
- env:
- namespace: 'Microsoft.Network\routeTables'
- needs:
- - job_deploy_rg
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths: ['sqlMi.parameters.json']
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_nsg:
- runs-on: ubuntu-20.04
- name: 'Deploy network security groups'
- env:
- namespace: 'Microsoft.Network\networkSecurityGroups'
- needs:
- - job_deploy_sa
- - job_deploy_evh
- - job_deploy_law
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths:
- [
- 'apgw.parameters.json',
- 'ase.parameters.json',
- 'bastion.parameters.json',
- 'parameters.json',
- ]
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_sqlmi_nsg:
- runs-on: ubuntu-20.04
- name: 'Deploy sqlmi network security group'
- if: github.event.inputs.deploySqlMiDependencies == 'true'
- env:
- namespace: 'Microsoft.Network\networkSecurityGroups'
- needs:
- - job_deploy_sa
- - job_deploy_evh
- - job_deploy_law
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths: ['sqlmi.parameters.json']
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_pip:
- runs-on: ubuntu-20.04
- name: 'Deploy public IP addresses'
- env:
- namespace: 'Microsoft.Network\publicIPAddresses'
- needs:
- - job_deploy_sa
- - job_deploy_evh
- - job_deploy_law
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths:
- ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json']
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_appi:
- runs-on: ubuntu-20.04
- name: 'Deploy application insight'
- env:
- namespace: 'Microsoft.Insights\components'
- needs:
- - job_deploy_sa
- - job_deploy_evh
- - job_deploy_law
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths: ['parameters.json']
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_aut:
- runs-on: ubuntu-20.04
- name: 'Deploy automation account'
- env:
- namespace: 'Microsoft.Automation\automationAccounts'
- needs:
- - job_deploy_sa
- - job_deploy_evh
- - job_deploy_law
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths: ['parameters.json']
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_avdhp:
- runs-on: ubuntu-20.04
- name: 'Deploy AVD host pool'
- env:
- namespace: 'Microsoft.DesktopVirtualization\hostpools'
- needs:
- - job_deploy_sa
- - job_deploy_evh
- - job_deploy_law
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths: ['parameters.json']
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_rsv:
- runs-on: ubuntu-20.04
- name: 'Deploy recovery services vault'
- env:
- namespace: 'Microsoft.RecoveryServices\vaults'
- needs:
- - job_deploy_msi
- - job_deploy_sa
- - job_deploy_evh
- - job_deploy_law
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths: ['parameters.json']
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Get msi principal ID and replace token in parameter file'
- shell: pwsh
- run: |
- # Load used functions
- . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1')
-
- # Load Settings File
- $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json
-
- # Initialize Default Parameter File Tokens
- $OtherCustomParameterFileTokens = @(
- @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
- )
-
- # Construct Token Function Input
- $ConvertTokensInputs = @{
- ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens
- TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
- TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
- }
-
- # Invoke Token Replacement Functionality
- $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_kv:
- runs-on: ubuntu-20.04
- name: 'Deploy key vaults'
- env:
- namespace: 'Microsoft.KeyVault\vaults'
- needs:
- - job_deploy_msi
- - job_deploy_sa
- - job_deploy_evh
- - job_deploy_law
- strategy:
- fail-fast: false
- matrix:
- parameterFilePaths: ['parameters.json', 'pe.parameters.json']
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Get msi principal ID and replace token in parameter file'
- shell: pwsh
- run: |
- # Load used functions
- . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1')
-
- # Load Settings File
- $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json
-
- # Initialize Default Parameter File Tokens
- $OtherCustomParameterFileTokens = @(
- @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' }
- )
-
- # Construct Token Function Input
- $ConvertTokensInputs = @{
- ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens
- TokenPrefix = $Settings.parameterFileTokens.tokenPrefix
- TokenSuffix = $Settings.parameterFileTokens.tokenSuffix
- }
-
- # Invoke Token Replacement Functionality
- $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose
- - name: 'Deploy module'
- uses: ./.github/actions/templates/validateModuleDeployment
- with:
- templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep'
- parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}'
- location: '${{ env.defaultLocation }}'
- resourceGroupName: '${{ env.defaultResourceGroupName }}'
- subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}'
- managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}'
- removeDeployment: '${{ env.removeDeployment }}'
-
- job_deploy_kv_secrets:
- runs-on: ubuntu-20.04
- name: 'Set key vault secrets keys and certificates'
- env:
- namespace: 'Microsoft.KeyVault\vaults'
- needs:
- - job_deploy_kv
- steps:
- - name: 'Checkout'
- uses: actions/checkout@v2
- with:
- fetch-depth: 0
- - name: 'Setup agent'
- shell: pwsh
- run: |
- # Load used functions
- .
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.KeyVault' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: 'Set key vault secrets keys and certificates' - uses: azure/powershell@v1 - with: - inlineScript: | - # Get key vault name - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json' - $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - $keyVaultName = $keyVaultParameters.name.value - - # Generate values - $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $passwordString = (New-Guid).Guid.SubString(0, 19) - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) - $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - - # Set secrets - # ------- - @( - @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS - @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS - @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer - @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer - @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway - @{ name = 'apimClientId'; secretValue = $username } # API management - @{ name = 'apimClientSecret'; secretValue = $password } # API management - ) | ForEach-Object { - $null = Set-AzKeyVaultSecret 
-VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set certificates - # ----------- - $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - @( - @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway - ) | ForEach-Object { - $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy - Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set keys - # ---- - @( - @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS - ) | ForEach-Object { - $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - azPSVersion: 'latest' - - job_deploy_sqlmi_kv: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi key vault' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.KeyVault\vaults' - needs: - - job_deploy_msi - - job_deploy_sa - - job_deploy_evh - - job_deploy_law - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Get msi principal ID and replace token in parameter file' - shell: pwsh - run: | - # Load used functions - . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') - - # Load Settings File - $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json - - # Initialize Default Parameter File Tokens - $OtherCustomParameterFileTokens = @( - @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' } - ) - - # Construct Token Function Input - $ConvertTokensInputs = @{ - ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens - TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - } - - # Invoke Token Replacement Functionality - $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_kv_secrets: - runs-on: ubuntu-20.04 - name: 'Set sqlmi key vault secrets and keys' - if: github.event.inputs.deploySqlMiDependencies == 'true' - needs: - - job_deploy_sqlmi_kv - env: - namespace: 'Microsoft.KeyVault\vaults' - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Setup agent' - shell: pwsh - run: | - # Load used functions - . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # Define PS modules to install on the runner - $Modules = @( - @{ Name = 'Az.KeyVault' } - ) - - # Set agent up - Set-EnvironmentOnAgent -PSModules $Modules - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - enable-AzPSSession: true - - name: 'Set sqlmi key vault secrets and keys' - uses: azure/powershell@v1 - with: - inlineScript: | - # Get key vault name - $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json' - $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - $keyVaultName = $keyVaultParameters.name.value - - # Generate values - $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - $passwordString = (New-Guid).Guid.SubString(0, 19) - $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - - # Set secrets - # ------- - @( - @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances - @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances - ) | ForEach-Object { - $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - - # Set keys - # ---- - @( - @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances - ) | ForEach-Object { - $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - } - azPSVersion: 'latest' - - job_deploy_avdag: 
- runs-on: ubuntu-20.04 - name: 'Deploy AVD application group' - env: - namespace: 'Microsoft.DesktopVirtualization\applicationgroups' - needs: - - job_deploy_avdhp - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_rolea: - runs-on: ubuntu-20.04 - name: 'Deploy role assignments' - env: - namespace: 'Microsoft.Authorization\roleAssignments' - needs: - - job_deploy_msi - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Get msi principal ID and replace token in parameter file' - shell: pwsh - run: | - # Load used functions - . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') - - # Load Settings File - $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json - - # Initialize Default Parameter File Tokens - $OtherCustomParameterFileTokens = @( - @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' } - ) - - # Construct Token Function Input - $ConvertTokensInputs = @{ - ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens - TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - } - - # Invoke Token Replacement Functionality - $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose - name: 'Deploy module' uses: ./.github/actions/templates/validateModuleDeployment with: 
@@ -964,123 +940,175 @@ jobs: subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_vnet: - runs-on: ubuntu-20.04 - name: 'Deploy virtual networks' - env: - namespace: 'Microsoft.Network\virtualNetworks' - needs: - - job_deploy_nsg - strategy: - fail-fast: false - matrix: - parameterFilePaths: - [ - '1.bastion.parameters.json', - '2.vnetpeer01.parameters.json', - '3.vnetpeer02.parameters.json', - '4.azfw.parameters.json', - '5.aks.parameters.json', - 'parameters.json', - ] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_sqlmi_vnet: - runs-on: ubuntu-20.04 - name: 'Deploy sqlmi virtual network' - if: github.event.inputs.deploySqlMiDependencies == 'true' - env: - namespace: 'Microsoft.Network\virtualNetworks' - needs: - - job_deploy_sqlmi_udr - - job_deploy_sqlmi_nsg - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['6.sqlmi.parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ 
env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_dnszone: - runs-on: ubuntu-20.04 - name: 'Deploy private DNS zones' - env: - namespace: 'Microsoft.Network\privateDnsZones' - needs: - - job_deploy_vnet - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' - - job_deploy_vm: - runs-on: ubuntu-20.04 - name: 'Deploy virtual machines' - env: - namespace: 'Microsoft.Compute\virtualMachines' - needs: - - job_deploy_kv_secrets - - job_deploy_vnet - - job_deploy_rsv - strategy: - fail-fast: false - matrix: - parameterFilePaths: ['parameters.json'] - steps: - - name: 'Checkout' - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: 'Deploy module' - uses: ./.github/actions/templates/validateModuleDeployment - with: - templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - location: '${{ env.defaultLocation }}' - resourceGroupName: '${{ env.defaultResourceGroupName }}' - subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - removeDeployment: '${{ env.removeDeployment }}' + customParameterFileTokens: 
'[{"Name":"msiPrincipalId","Value":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}]' + + # job_deploy_rolea: + # runs-on: ubuntu-20.04 + # name: 'Deploy role assignments' + # env: + # namespace: 'Microsoft.Authorization\roleAssignments' + # needs: + # - job_deploy_msi + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Get msi principal ID and replace token in parameter file' + # shell: pwsh + # run: | + # # Load used functions + # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') + + # # Load Settings File + # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json + + # # Initialize Default Parameter File Tokens + # $OtherCustomParameterFileTokens = @( + # @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' } + # ) + + # # Construct Token Function Input + # $ConvertTokensInputs = @{ + # ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens + # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix + # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix + # } + + # # Invoke Token Replacement Functionality + # $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_rbac_sub.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID 
}}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_vnet: + # runs-on: ubuntu-20.04 + # name: 'Deploy virtual networks' + # env: + # namespace: 'Microsoft.Network\virtualNetworks' + # needs: + # - job_deploy_nsg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: + # [ + # '1.bastion.parameters.json', + # '2.vnetpeer01.parameters.json', + # '3.vnetpeer02.parameters.json', + # '4.azfw.parameters.json', + # '5.aks.parameters.json', + # 'parameters.json', + # ] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_sqlmi_vnet: + # runs-on: ubuntu-20.04 + # name: 'Deploy sqlmi virtual network' + # if: github.event.inputs.deploySqlMiDependencies == 'true' + # env: + # namespace: 'Microsoft.Network\virtualNetworks' + # needs: + # - job_deploy_sqlmi_udr + # - job_deploy_sqlmi_nsg + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['6.sqlmi.parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName 
}}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_dnszone: + # runs-on: ubuntu-20.04 + # name: 'Deploy private DNS zones' + # env: + # namespace: 'Microsoft.Network\privateDnsZones' + # needs: + # - job_deploy_vnet + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # removeDeployment: '${{ env.removeDeployment }}' + + # job_deploy_vm: + # runs-on: ubuntu-20.04 + # name: 'Deploy virtual machines' + # env: + # namespace: 'Microsoft.Compute\virtualMachines' + # needs: + # - job_deploy_kv_secrets + # - job_deploy_vnet + # - job_deploy_rsv + # strategy: + # fail-fast: false + # matrix: + # parameterFilePaths: ['parameters.json'] + # steps: + # - name: 'Checkout' + # uses: actions/checkout@v2 + # with: + # fetch-depth: 0 + # - name: 'Deploy module' + # uses: ./.github/actions/templates/validateModuleDeployment + # with: + # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + # location: '${{ env.defaultLocation }}' + # resourceGroupName: '${{ env.defaultResourceGroupName }}' + # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + # 
removeDeployment: '${{ env.removeDeployment }}' From 646a238c54b86f3b09a740fad3e3300eead67159 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 19:14:37 +0100 Subject: [PATCH 65/69] gh alternative all --- .github/workflows/platform.dependencies.yml | 251 +++++++------------- 1 file changed, 91 insertions(+), 160 deletions(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index fbaadf5a15..8944d85830 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml 
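Review bot: The new `customParameterFileTokens` input splices `needs.job_deploy_msi.outputs.msiPrincipalId` straight into a JSON literal, so an empty or unset output (which the commit title suggests is what is being tested) produces `"Value":""` and the token replacement writes an empty principal ID into the role-assignment parameter file; the failure then surfaces as an opaque deployment error rather than at the workflow level. A guard step before the deploy step, `run: test -n "${{ needs.job_deploy_msi.outputs.msiPrincipalId }}" || { echo "job_deploy_msi did not export msiPrincipalId"; exit 1; }`, fails fast and names the cause. The `- name: 'Deploy module'` step this input belongs to starts outside the hunk. If the commented-out `job_deploy_rolea`, `job_deploy_vnet`, `job_deploy_sqlmi_vnet`, `job_deploy_dnszone` and `job_deploy_vm` blocks are only parked for this test, a one-line comment above `# job_deploy_rolea:` saying so (e.g. `# Temporarily disabled while validating the msiPrincipalId output; restore before merge`) keeps the intent recoverable without digging through history.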
@@ -576,113 +576,67 @@ jobs: # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' # removeDeployment: '${{ env.removeDeployment }}' - # job_deploy_rsv: - # runs-on: ubuntu-20.04 - # name: 'Deploy recovery services vault' - # env: - # namespace: 'Microsoft.RecoveryServices\vaults' - # needs: - # - job_deploy_msi - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Get msi principal ID and replace token in parameter file' - # shell: pwsh - # run: | - # # Load used functions - # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') - - # # Load Settings File - # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json - - # # Initialize Default Parameter File Tokens - # $OtherCustomParameterFileTokens = @( - # @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' } - # ) - - # # Construct Token Function Input - # $ConvertTokensInputs = @{ - # ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens - # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - # } - - # # Invoke Token Replacement Functionality - # $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ 
secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_kv: - # runs-on: ubuntu-20.04 - # name: 'Deploy key vaults' - # env: - # namespace: 'Microsoft.KeyVault\vaults' - # needs: - # - job_deploy_msi - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json', 'pe.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Get msi principal ID and replace token in parameter file' - # shell: pwsh - # run: | - # # Load used functions - # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') - - # # Load Settings File - # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json - - # # Initialize Default Parameter File Tokens - # $OtherCustomParameterFileTokens = @( - # @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' } - # ) - - # # Construct Token Function Input - # $ConvertTokensInputs = @{ - # ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens - # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - # } + job_deploy_rsv: + runs-on: ubuntu-20.04 + name: 'Deploy recovery services vault' + env: + namespace: 'Microsoft.RecoveryServices\vaults' + needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + - job_deploy_msi + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 
'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}]' - # # Invoke Token Replacement Functionality - # $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_kv: + runs-on: ubuntu-20.04 + name: 'Deploy key vaults' + env: + namespace: 'Microsoft.KeyVault\vaults' + needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + - job_deploy_msi + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json', 'pe.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ 
secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}]' # job_deploy_kv_secrets: # runs-on: ubuntu-20.04 
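Review bot: The rewritten `needs:` lists for `job_deploy_rsv` and `job_deploy_kv` keep only `job_deploy_msi` and comment out `job_deploy_sa`, `job_deploy_evh` and `job_deploy_law`; if the parameter files for these modules still reference those resources (the previous dependency list suggests they are used as diagnostic targets, though the parameter files are not visible here), the jobs can now start before them and fail nondeterministically depending on scheduling. The same change appears in the `job_deploy_sqlmi_kv` hunk that follows. Either restore the three entries or leave a comment on the `needs:` key stating why they are no longer required, e.g. `# diagnostic targets are not referenced by these parameter files; msi is the only hard dependency`, so a later reader does not re-add them blindly. The removed inline token-replacement step is now expressed through the composite action's `customParameterFileTokens` input, which is a clean consolidation, but its JSON string carries the same empty-output risk raised on the earlier hunk.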
@@ -766,60 +720,37 @@ jobs: # } # azPSVersion: 'latest' - # job_deploy_sqlmi_kv: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi key vault' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.KeyVault\vaults' - # needs: - # - job_deploy_msi - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['sqlmi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Get msi principal ID and replace token in parameter file' - # shell: pwsh - # run: | - # # Load used functions - # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') - - # # Load Settings File - # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json - - # # Initialize Default Parameter File Tokens - # $OtherCustomParameterFileTokens = @( - # @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' } - # ) - - # # Construct Token Function Input - # $ConvertTokensInputs = @{ - # ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens - # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - # } - - # # Invoke Token Replacement Functionality - # $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ 
secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_sqlmi_kv: + runs-on: ubuntu-20.04 + name: 'Deploy sqlmi key vault' + if: github.event.inputs.deploySqlMiDependencies == 'true' + env: + namespace: 'Microsoft.KeyVault\vaults' + needs: + # - job_deploy_sa + # - job_deploy_evh + # - job_deploy_law + - job_deploy_msi + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['sqlmi.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}]' # job_deploy_sqlmi_kv_secrets: # runs-on: ubuntu-20.04 From a9b52190694a6809d18fb799bd882efd10f8754a Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 19:19:55 +0100 Subject: [PATCH 66/69] gh dep all back --- .github/workflows/platform.dependencies.yml | 1687 +++++++++---------- 1 file changed, 818 insertions(+), 869 deletions(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 8944d85830..8227012bfd 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml 
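Review bot: In the new job_deploy_sqlmi_kv the token replacement now hinges entirely on the `customParameterFileTokens` input of ./.github/actions/templates/validateModuleDeployment, which is not visible in this patch; a local action that does not declare that input only logs an "Unexpected input(s)" warning and continues, so unless the action was extended in the same series the msiPrincipalId token stays unreplaced and the failure surfaces only at deployment time. The value is also spliced into a JSON literal inside a single-quoted scalar, so an empty or absent `needs.job_deploy_msi.outputs.msiPrincipalId` yields `"Value":""` rather than an error; a guard step before 'Deploy module' such as `- if: needs.job_deploy_msi.outputs.msiPrincipalId == ''` with `run: exit 1` would make that explicit. The three commented-out `needs` entries (sa/evh/law) read as a temporary test toggle; if the key vault really no longer depends on those resources, drop the comments, otherwise restore them before merge.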
@@ -30,51 +30,455 @@ env: DEPLOYMENT_SP_ID: '${{ secrets.DEPLOYMENT_SP_ID }}' jobs: - # job_deploy_rg: - # runs-on: ubuntu-20.04 - # name: 'Deploy resource group' - # env: - # namespace: 'Microsoft.Resources\resourceGroups' - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['validation.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_rg: + runs-on: ubuntu-20.04 + name: 'Deploy resource group' + env: + namespace: 'Microsoft.Resources\resourceGroups' + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['validation.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_msi: + runs-on: ubuntu-20.04 + name: 'Deploy user assigned identity' + env: + namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' + needs: + - job_deploy_rg + outputs: + 
msiPrincipalId: ${{ steps.print_msi_prinId.outputs.msiPrincipalId }} + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + id: deploy_msi + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + - name: Set msi principal ID output + id: print_msi_prinId + uses: azure/powershell@v1 + with: + inlineScript: | + $deploymentOutput = '${{ steps.deploy_msi.outputs.deploymentOutput }}' + $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).msiPrincipalId + Write-Output ('::set-output name=msiPrincipalId::{0}' -f $msiPrincipalId) + azPSVersion: 'latest' + + job_deploy_pa: + runs-on: ubuntu-20.04 + name: 'Deploy policy assignment' + env: + namespace: 'Microsoft.Authorization\policyAssignments' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + 
removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_evh: + runs-on: ubuntu-20.04 + name: 'Deploy eventhub' + env: + namespace: 'Microsoft.EventHub\namespaces' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_law: + runs-on: ubuntu-20.04 + name: 'Deploy log analytics workspace' + env: + namespace: 'Microsoft.OperationalInsights\workspaces' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['appi.parameters.json', 'parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_sa: + runs-on: ubuntu-20.04 + name: 'Deploy storage account' + env: + namespace: 'Microsoft.Storage\storageAccounts' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + 
parameterFilePaths: + ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_sa_upload_storage_files: + runs-on: ubuntu-20.04 + name: 'Upload files to storage account' + env: + namespace: 'Microsoft.Storage\storageAccounts' + needs: + - job_deploy_sa + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Setup agent' + shell: pwsh + run: | + # Load used functions + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.Storage' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + enable-AzPSSession: true + - name: Run PowerShell + uses: azure/powershell@v1 + with: + inlineScript: | + # Load used functions + . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # Get storage account name + $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' + $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # Upload files to storage account + $functionInput = @{ + ResourceGroupName = '${{ env.defaultResourceGroupName }}' + StorageAccountName = $storageAccountParameters.name.value + contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads' + targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + } + + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + Export-ContentToBlob @functionInput -Verbose + azPSVersion: 'latest' + + job_deploy_sig: + runs-on: ubuntu-20.04 + name: 'Deploy shared image gallery and definition' + env: + namespace: 'Microsoft.Compute\galleries' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_ag: + runs-on: ubuntu-20.04 + name: 'Deploy action groups' + env: + namespace: 'Microsoft.Insights\actionGroups' + needs: + - job_deploy_rg + strategy: + fail-fast: 
false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_asg: + runs-on: ubuntu-20.04 + name: 'Deploy application security groups' + env: + namespace: 'Microsoft.Network\applicationSecurityGroups' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_udr: + runs-on: ubuntu-20.04 + name: 'Deploy route tables' + env: + namespace: 'Microsoft.Network\routeTables' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ 
env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_sqlmi_udr: + runs-on: ubuntu-20.04 + name: 'Deploy sqlmi route tables' + if: github.event.inputs.deploySqlMiDependencies == 'true' + env: + namespace: 'Microsoft.Network\routeTables' + needs: + - job_deploy_rg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['sqlMi.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_nsg: + runs-on: ubuntu-20.04 + name: 'Deploy network security groups' + env: + namespace: 'Microsoft.Network\networkSecurityGroups' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: + [ + 'apgw.parameters.json', + 'ase.parameters.json', + 'bastion.parameters.json', + 'parameters.json', + ] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath 
}}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' + + job_deploy_sqlmi_nsg: + runs-on: ubuntu-20.04 + name: 'Deploy sqlmi network security group' + if: github.event.inputs.deploySqlMiDependencies == 'true' + env: + namespace: 'Microsoft.Network\networkSecurityGroups' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['sqlmi.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' - job_deploy_msi: + job_deploy_pip: runs-on: ubuntu-20.04 - name: 'Deploy user assigned identity' + name: 'Deploy public IP addresses' env: - namespace: 'Microsoft.ManagedIdentity\userAssignedIdentities' - # needs: - # - job_deploy_rg - outputs: - msiPrincipalId: ${{ steps.print_msi_prinId.outputs.msiPrincipalId }} + namespace: 'Microsoft.Network\publicIPAddresses' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law strategy: fail-fast: false matrix: - parameterFilePaths: ['parameters.json'] + parameterFilePaths: + ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json'] steps: - name: 'Checkout' uses: actions/checkout@v2 with: fetch-depth: 0 - name: 
'Deploy module' - id: deploy_msi uses: ./.github/actions/templates/validateModuleDeployment with: templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' 
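Review bot: The print_msi_prinId step in job_deploy_msi interpolates `${{ steps.deploy_msi.outputs.deploymentOutput }}` straight into the PowerShell source, so any single quote in the deployment output breaks the script and, in the general case, this is the expression-injection pattern GitHub's workflow-hardening guidance warns about; pass the output through step-level `env:` and read `$env:DEPLOYMENT_OUTPUT` instead (rewrite below). The job also combines a `matrix` with job-level `outputs`; with several matrix legs the last leg to finish silently overwrites msiPrincipalId, which is fine with the single 'parameters.json' entry today but worth a comment such as `# single-entry matrix on purpose: job outputs are overwritten per matrix leg`. Throughout the re-enabled jobs the third-party actions (actions/checkout@v2, azure/login@v1, azure/powershell@v1) are pinned to mutable tags; pinning to a full commit SHA with the tag in a trailing comment narrows the supply-chain exposure of a workflow that holds `secrets.AZURE_CREDENTIALS`. The hunk ends inside job_deploy_pip's 'Deploy module' step, whose remaining inputs are in the next hunk.
```yaml
      - name: Set msi principal ID output
        id: print_msi_prinId
        uses: azure/powershell@v1
        env:
          DEPLOYMENT_OUTPUT: ${{ steps.deploy_msi.outputs.deploymentOutput }}
        with:
          inlineScript: |
            $msiPrincipalId = (ConvertFrom-Json $env:DEPLOYMENT_OUTPUT).msiPrincipalId
            Write-Output ('::set-output name=msiPrincipalId::{0}' -f $msiPrincipalId)
          azPSVersion: 'latest'
```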
@@ -84,497 +488,93 @@ jobs: subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' removeDeployment: '${{ env.removeDeployment }}' - - name: Set msi principal ID output - id: print_msi_prinId - uses: azure/powershell@v1 - with: - inlineScript: | - $deploymentOutput = '${{ steps.deploy_msi.outputs.deploymentOutput }}' - $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).msiPrincipalId - Write-Output ('::set-output name=msiPrincipalId::{0}' -f $msiPrincipalId) - azPSVersion: 'latest' - - # job_deploy_pa: - # runs-on: ubuntu-20.04 - # name: 'Deploy policy assignment' - # env: - # namespace: 'Microsoft.Authorization\policyAssignments' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_policyAssignments_sub.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_evh: - # runs-on: ubuntu-20.04 - # name: 'Deploy eventhub' - # env: - # namespace: 'Microsoft.EventHub\namespaces' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - 
# parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_law: - # runs-on: ubuntu-20.04 - # name: 'Deploy log analytics workspace' - # env: - # namespace: 'Microsoft.OperationalInsights\workspaces' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['appi.parameters.json', 'parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sa: - # runs-on: ubuntu-20.04 - # name: 'Deploy storage account' - # env: - # namespace: 'Microsoft.Storage\storageAccounts' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # ['fa.parameters.json', 'law.parameters.json', 'parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ 
matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_sa_upload_storage_files: - # runs-on: ubuntu-20.04 - # name: 'Upload files to storage account' - # env: - # namespace: 'Microsoft.Storage\storageAccounts' - # needs: - # - job_deploy_sa - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Setup agent' - # shell: pwsh - # run: | - # # Load used functions - # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.Storage' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - name: Azure Login - # uses: azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - # enable-AzPSSession: true - # - name: Run PowerShell - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # # Load used functions - # . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # # Get storage account name - # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'parameters' 'parameters.json' - # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # # Upload files to storage account - # $functionInput = @{ - # ResourceGroupName = '${{ env.defaultResourceGroupName }}' - # StorageAccountName = $storageAccountParameters.name.value - # contentDirectories = Join-Path $env:GITHUB_WORKSPACE '${{ env.dependencyPath }}' '${{ env.namespace }}' 'uploads' - # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - # } - - # Write-Verbose "Invoke task with" -Verbose - # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - # Export-ContentToBlob @functionInput -Verbose - # azPSVersion: 'latest' - - # job_deploy_sig: - # runs-on: ubuntu-20.04 - # name: 'Deploy shared image gallery and definition' - # env: - # namespace: 'Microsoft.Compute\galleries' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_ag: - # runs-on: ubuntu-20.04 - # name: 'Deploy action groups' - # env: - # 
namespace: 'Microsoft.Insights\actionGroups' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_asg: - # runs-on: ubuntu-20.04 - # name: 'Deploy application security groups' - # env: - # namespace: 'Microsoft.Network\applicationSecurityGroups' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_udr: - # runs-on: ubuntu-20.04 - # name: 'Deploy route tables' - # env: - # namespace: 'Microsoft.Network\routeTables' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # 
steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - # job_deploy_sqlmi_udr: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi route tables' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.Network\routeTables' - # needs: - # - job_deploy_rg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['sqlMi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_nsg: - # runs-on: ubuntu-20.04 - # name: 'Deploy network security groups' - # env: - # namespace: 'Microsoft.Network\networkSecurityGroups' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # [ - # 'apgw.parameters.json', - # 'ase.parameters.json', - # 
'bastion.parameters.json', - # 'parameters.json', - # ] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_sqlmi_nsg: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi network security group' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.Network\networkSecurityGroups' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['sqlmi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_pip: - # runs-on: ubuntu-20.04 - # name: 'Deploy public IP addresses' - # env: - # namespace: 'Microsoft.Network\publicIPAddresses' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - 
# matrix: - # parameterFilePaths: - # ['apgw.parameters.json', 'bas.parameters.json', 'lb.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_appi: - # runs-on: ubuntu-20.04 - # name: 'Deploy application insight' - # env: - # namespace: 'Microsoft.Insights\components' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_appi: + runs-on: ubuntu-20.04 + name: 'Deploy application insight' + env: + namespace: 'Microsoft.Insights\components' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 
'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' - # job_deploy_aut: - # runs-on: ubuntu-20.04 - # name: 'Deploy automation account' - # env: - # namespace: 'Microsoft.Automation\automationAccounts' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_aut: + runs-on: ubuntu-20.04 + name: 'Deploy automation account' + env: + namespace: 'Microsoft.Automation\automationAccounts' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: 
./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' - # job_deploy_avdhp: - # runs-on: ubuntu-20.04 - # name: 'Deploy AVD host pool' - # env: - # namespace: 'Microsoft.DesktopVirtualization\hostpools' - # needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_avdhp: + runs-on: ubuntu-20.04 + name: 'Deploy AVD host pool' + env: + namespace: 'Microsoft.DesktopVirtualization\hostpools' + needs: + - job_deploy_sa + - job_deploy_evh + - job_deploy_law + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: 
'${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' job_deploy_rsv: runs-on: ubuntu-20.04 @@ -582,9 +582,9 @@ jobs: env: namespace: 'Microsoft.RecoveryServices\vaults' needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law + - job_deploy_sa + - job_deploy_evh + - job_deploy_law - job_deploy_msi strategy: fail-fast: false @@ -613,9 +613,9 @@ jobs: env: namespace: 'Microsoft.KeyVault\vaults' needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law + - job_deploy_sa + - job_deploy_evh + - job_deploy_law - job_deploy_msi strategy: fail-fast: false 
@@ -638,87 +638,87 @@ jobs: removeDeployment: '${{ env.removeDeployment }}' customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}]' - # job_deploy_kv_secrets: - # runs-on: ubuntu-20.04 - # name: 'Set key vault secrets keys and certificates' - # env: - # namespace: 'Microsoft.KeyVault\vaults' - # needs: - # - job_deploy_kv - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Setup agent' - # shell: pwsh - # run: | - # # Load used functions - # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.KeyVault' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - name: Azure Login - # uses: azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - # enable-AzPSSession: true - # - name: 'Set key vault secrets keys and certificates' - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # # Get key vault name - # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json' - # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - # $keyVaultName = $keyVaultParameters.name.value - - # # Generate values - # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $passwordString = (New-Guid).Guid.SubString(0, 19) - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - # $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) - # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - - # # Set secrets - # # ------- 
- # @( - # @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS - # @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS - # @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer - # @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer - # @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway - # @{ name = 'apimClientId'; secretValue = $username } # API management - # @{ name = 'apimClientSecret'; secretValue = $password } # API management - # ) | ForEach-Object { - # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - - # # Set certificates - # # ----------- - # $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - # @( - # @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway - # ) | ForEach-Object { - # $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy - # Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - - # # Set keys - # # ---- - # @( - # @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS - # ) | ForEach-Object { - # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - # azPSVersion: 'latest' + job_deploy_kv_secrets: + runs-on: ubuntu-20.04 + name: 'Set key vault secrets keys and certificates' + env: + namespace: 'Microsoft.KeyVault\vaults' + needs: + - job_deploy_kv + steps: + - name: 'Checkout' + uses: 
actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Setup agent' + shell: pwsh + run: | + # Load used functions + . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + enable-AzPSSession: true + - name: 'Set key vault secrets keys and certificates' + uses: azure/powershell@v1 + with: + inlineScript: | + # Get key vault name + $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'parameters.json' + $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + $keyVaultName = $keyVaultParameters.name.value + + # Generate values + $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $passwordString = (New-Guid).Guid.SubString(0, 19) + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) + $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + + # Set secrets + # ------- + @( + @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS + @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS + @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer + @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer + @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway + @{ name = 'apimClientId'; secretValue = $username } # API management + @{ name = 
'apimClientSecret'; secretValue = $password } # API management + ) | ForEach-Object { + $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + + # Set certificates + # ----------- + $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal + @( + @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway + ) | ForEach-Object { + $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy + Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + + # Set keys + # ---- + @( + @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS + ) | ForEach-Object { + $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination + Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + azPSVersion: 'latest' job_deploy_sqlmi_kv: runs-on: ubuntu-20.04 @@ -727,9 +727,9 @@ jobs: env: namespace: 'Microsoft.KeyVault\vaults' needs: - # - job_deploy_sa - # - job_deploy_evh - # - job_deploy_law + - job_deploy_sa + - job_deploy_evh + - job_deploy_law - job_deploy_msi strategy: fail-fast: false 
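Review bot: The re-enabled job_deploy_kv_secrets job references actions/checkout@v2, azure/login@v1 and azure/powershell@v1 by mutable tag; because this job receives `secrets.AZURE_CREDENTIALS` and writes secrets, certificates and keys into the key vault, each `uses:` should be pinned to a full commit SHA (with the tag kept in a trailing comment) so that a moved tag cannot change what runs with those credentials. The same applies to the jobs re-enabled in the hunks at -752 and -873. Separately, the inline script assigns `$userName` but reads `$username` when building the secret list; PowerShell variable names are case-insensitive so this works, but using one spelling would make it obvious they are the same value. The `# max length` comment on `$usernameString` would also be clearer as `# max length; -SetSeed 1 makes this the same value on every run`, since the Get-Random call is easy to mistake for a per-run random value.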
@@ -752,98 +752,98 @@ jobs: removeDeployment: '${{ env.removeDeployment }}' customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}]' - # job_deploy_sqlmi_kv_secrets: - # runs-on: ubuntu-20.04 - # name: 'Set sqlmi key vault secrets and keys' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # needs: - # - job_deploy_sqlmi_kv - # env: - # namespace: 'Microsoft.KeyVault\vaults' - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Setup agent' - # shell: pwsh - # run: | - # # Load used functions - # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.KeyVault' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - name: Azure Login - # uses: azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - # enable-AzPSSession: true - # - name: 'Set sqlmi key vault secrets and keys' - # uses: azure/powershell@v1 - # with: - # inlineScript: | - # # Get key vault name - # $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json' - # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - # $keyVaultName = $keyVaultParameters.name.value - - # # Generate values - # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $passwordString = (New-Guid).Guid.SubString(0, 19) - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - - # # Set secrets - # # ------- - # @( - # @{ name = 'administratorLogin'; secretValue = $username } # 
SQLManagedInstances - # @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances - # ) | ForEach-Object { - # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - - # # Set keys - # # ---- - # @( - # @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances - # ) | ForEach-Object { - # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - # azPSVersion: 'latest' + job_deploy_sqlmi_kv_secrets: + runs-on: ubuntu-20.04 + name: 'Set sqlmi key vault secrets and keys' + if: github.event.inputs.deploySqlMiDependencies == 'true' + needs: + - job_deploy_sqlmi_kv + env: + namespace: 'Microsoft.KeyVault\vaults' + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Setup agent' + shell: pwsh + run: | + # Load used functions + . 
(Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + - name: Azure Login + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + enable-AzPSSession: true + - name: 'Set sqlmi key vault secrets and keys' + uses: azure/powershell@v1 + with: + inlineScript: | + # Get key vault name + $parameterFilePath = Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'dependencies' '${{ env.namespace }}' 'parameters' 'sqlmi.parameters.json' + $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + $keyVaultName = $keyVaultParameters.name.value + + # Generate values + $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $passwordString = (New-Guid).Guid.SubString(0, 19) + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + + # Set secrets + # ------- + @( + @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances + @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances + ) | ForEach-Object { + $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + + # Set keys + # ---- + @( + @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances + ) | ForEach-Object { + $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination + Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + azPSVersion: 'latest' - # job_deploy_avdag: 
- # runs-on: ubuntu-20.04 - # name: 'Deploy AVD application group' - # env: - # namespace: 'Microsoft.DesktopVirtualization\applicationgroups' - # needs: - # - job_deploy_avdhp - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_avdag: + runs-on: ubuntu-20.04 + name: 'Deploy AVD application group' + env: + namespace: 'Microsoft.DesktopVirtualization\applicationgroups' + needs: + - job_deploy_avdhp + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' job_deploy_rolea: runs-on: ubuntu-20.04 
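Review bot: The inlineScript of job_deploy_sqlmi_kv_secrets is a near-verbatim copy of the one in job_deploy_kv_secrets in the previous hunk (same parameter-file lookup, same username/password generation, same Set-AzKeyVaultSecret and Add-AzKeyVaultKey loops), differing only in the parameter file name and the list of secret and key names; with both jobs active again, any change to one (for example to the length or character set of the generated password) has to be applied twice. Consider moving the shared logic into a script under `utilities/pipelines/sharedScripts/`, next to the Set-EnvironmentOnAgent.ps1 both jobs already dot-source, that takes the parameter file path and the secret list as parameters, and calling it from both jobs. The same `$userName`/`$username` spelling mismatch from the previous hunk is repeated here.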
@@ -873,173 +873,122 @@ jobs: removeDeployment: '${{ env.removeDeployment }}' customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"${{ needs.job_deploy_msi.outputs.msiPrincipalId }}"}]' - # job_deploy_rolea: - # runs-on: ubuntu-20.04 - # name: 'Deploy role assignments' - # env: - # namespace: 'Microsoft.Authorization\roleAssignments' - # needs: - # - job_deploy_msi - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Get msi principal ID and replace token in parameter file' - # shell: pwsh - # run: | - # # Load used functions - # . (Join-Path $env:GITHUB_WORKSPACE 'utilities' 'pipelines' 'tokensReplacement' 'Convert-TokensInParameterFile.ps1') - - # # Load Settings File - # $Settings = Get-Content -Path "settings.json" | ConvertFrom-Json - - # # Initialize Default Parameter File Tokens - # $OtherCustomParameterFileTokens = @( - # @{ Name = 'msiPrincipalId'; Value = '${{ needs.job_deploy_msi.outputs.msiPrincipalId }}' } - # ) - - # # Construct Token Function Input - # $ConvertTokensInputs = @{ - # ParameterFilePath = '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # OtherCustomParameterFileTokens = $OtherCustomParameterFileTokens - # TokenPrefix = $Settings.parameterFileTokens.tokenPrefix - # TokenSuffix = $Settings.parameterFileTokens.tokenSuffix - # } - - # # Invoke Token Replacement Functionality - # $null = Convert-TokensInParameterFile @ConvertTokensInputs -Verbose - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/.bicep/nested_rbac_sub.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # 
subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' - - # job_deploy_vnet: - # runs-on: ubuntu-20.04 - # name: 'Deploy virtual networks' - # env: - # namespace: 'Microsoft.Network\virtualNetworks' - # needs: - # - job_deploy_nsg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: - # [ - # '1.bastion.parameters.json', - # '2.vnetpeer01.parameters.json', - # '3.vnetpeer02.parameters.json', - # '4.azfw.parameters.json', - # '5.aks.parameters.json', - # 'parameters.json', - # ] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_vnet: + runs-on: ubuntu-20.04 + name: 'Deploy virtual networks' + env: + namespace: 'Microsoft.Network\virtualNetworks' + needs: + - job_deploy_nsg + strategy: + fail-fast: false + matrix: + parameterFilePaths: + [ + '1.bastion.parameters.json', + '2.vnetpeer01.parameters.json', + '3.vnetpeer02.parameters.json', + '4.azfw.parameters.json', + '5.aks.parameters.json', + 'parameters.json', + ] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ 
matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' - # job_deploy_sqlmi_vnet: - # runs-on: ubuntu-20.04 - # name: 'Deploy sqlmi virtual network' - # if: github.event.inputs.deploySqlMiDependencies == 'true' - # env: - # namespace: 'Microsoft.Network\virtualNetworks' - # needs: - # - job_deploy_sqlmi_udr - # - job_deploy_sqlmi_nsg - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['6.sqlmi.parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_sqlmi_vnet: + runs-on: ubuntu-20.04 + name: 'Deploy sqlmi virtual network' + if: github.event.inputs.deploySqlMiDependencies == 'true' + env: + namespace: 'Microsoft.Network\virtualNetworks' + needs: + - job_deploy_sqlmi_udr + - job_deploy_sqlmi_nsg + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['6.sqlmi.parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ 
matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' - # job_deploy_dnszone: - # runs-on: ubuntu-20.04 - # name: 'Deploy private DNS zones' - # env: - # namespace: 'Microsoft.Network\privateDnsZones' - # needs: - # - job_deploy_vnet - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_dnszone: + runs-on: ubuntu-20.04 + name: 'Deploy private DNS zones' + env: + namespace: 'Microsoft.Network\privateDnsZones' + needs: + - job_deploy_vnet + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ 
secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' - # job_deploy_vm: - # runs-on: ubuntu-20.04 - # name: 'Deploy virtual machines' - # env: - # namespace: 'Microsoft.Compute\virtualMachines' - # needs: - # - job_deploy_kv_secrets - # - job_deploy_vnet - # - job_deploy_rsv - # strategy: - # fail-fast: false - # matrix: - # parameterFilePaths: ['parameters.json'] - # steps: - # - name: 'Checkout' - # uses: actions/checkout@v2 - # with: - # fetch-depth: 0 - # - name: 'Deploy module' - # uses: ./.github/actions/templates/validateModuleDeployment - # with: - # templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' - # parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' - # location: '${{ env.defaultLocation }}' - # resourceGroupName: '${{ env.defaultResourceGroupName }}' - # subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' - # managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' - # removeDeployment: '${{ env.removeDeployment }}' + job_deploy_vm: + runs-on: ubuntu-20.04 + name: 'Deploy virtual machines' + env: + namespace: 'Microsoft.Compute\virtualMachines' + needs: + - job_deploy_kv_secrets + - job_deploy_vnet + - job_deploy_rsv + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: 'Checkout' + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: 'Deploy module' + uses: ./.github/actions/templates/validateModuleDeployment + with: + templateFilePath: 'arm/${{ env.namespace }}/deploy.bicep' + parameterFilePath: '${{ env.dependencyPath }}/${{ env.namespace }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.defaultResourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ env.removeDeployment }}' 
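Review bot: job_deploy_sqlmi_vnet now lists `job_deploy_sqlmi_udr` and `job_deploy_sqlmi_nsg` in its `needs`, but within the part of the patch visible here job_deploy_sqlmi_nsg appears only as a removed commented-out block in the first hunk of this file and job_deploy_sqlmi_udr does not appear at all; if neither is defined elsewhere in the workflow, GitHub rejects the file at validation time for depending on an unknown job, which would take every job in this workflow down with it. Please confirm both jobs exist in the final file, or remove them from `needs` until they are restored. The same check is worth doing for job_deploy_vnet, whose `needs` names job_deploy_nsg, which is not visible in this patch; job_deploy_rsv, needed by job_deploy_vm, is visible as a context line in the hunk at -582.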
From 066b2b84feb8ebc0b832316dea0b61b4970abf1c Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 19:22:57 +0100 Subject: [PATCH 67/69] ado dep all back --- .../platform.dependencies.yml | 1075 ++++++++--------- 1 file changed, 537 insertions(+), 538 deletions(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index f8b27eb58d..0725205958 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml +++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -30,23 +30,23 @@ variables: value: 'validation-rg' stages: - # - stage: deploy_rg - # displayName: Deploy resource group - # variables: - # resourceType: 'Microsoft.Resources/resourceGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Validation Resource Group + - stage: deploy_rg + displayName: Deploy resource group + variables: + resourceType: 'Microsoft.Resources/resourceGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/validation.parameters.json + templateFilePath: $(templateFilePath) + displayName: Validation Resource Group - stage: deploy_msi displayName: Deploy user assigned identity - # dependsOn: - # - deploy_rg + dependsOn: + - deploy_rg variables: resourceType: 'Microsoft.ManagedIdentity/userAssignedIdentities' templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep 
@@ -81,303 +81,303 @@ stages: Write-Verbose "msiPrincipalId: $msiPrincipalId" -Verbose Write-Output ('##vso[task.setvariable variable={0};isOutput=true]{1}' -f 'msiPrincipalId', $msiPrincipalId) - # - stage: deploy_pa - # displayName: Deploy policy assignment - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.Authorization/policyAssignments' - # templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Policy assignment - - # - stage: deploy_evh - # displayName: Deploy event hub - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.EventHub/namespaces' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: EventHub - - # - stage: deploy_law - # displayName: Deploy log analytics workspace - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.OperationalInsights/workspaces' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default LAW - # - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: AppInsights LAW - - # - stage: deploy_sa - # displayName: Deploy storage account - # dependsOn: - # - deploy_rg - # variables: - # 
resourceType: 'Microsoft.Storage/storageAccounts' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default storage account - # jobName: default_sa - # - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: LAW storage account - # - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: FunctionApp storage account - # - job: - # displayName: Upload files to storage account - # dependsOn: - # - default_sa - # pool: - # ${{ if eq(variables['vmImage'], '') }}: - # name: $(poolName) - # ${{ if eq(variables['poolName'], '') }}: - # vmImage: $(vmImage) - # steps: - # - task: PowerShell@2 - # displayName: 'Setup agent' - # inputs: - # targetType: inline - # pwsh: true - # script: | - # # Load used functions - # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.Storage' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - task: AzurePowerShell@5 - # displayName: Upload files to storage account - # inputs: - # azureSubscription: $(serviceConnection) - # ScriptType: 'InlineScript' - # Inline: | - # # Load used functions - # . 
(Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') - - # # Get storage account name - # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' - # $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters - - # # Upload files to storage account - # $functionInput = @{ - # ResourceGroupName = '$(defaultResourceGroupName)' - # StorageAccountName = $storageAccountParameters.name.value - # contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' - # targetContainer = $storageAccountParameters.blobServices.value.containers[0].name - # } - - # Write-Verbose "Invoke task with" -Verbose - # Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose - - # Export-ContentToBlob @functionInput -Verbose - # azurePowerShellVersion: 'LatestVersion' - # pwsh: true - - # - stage: deploy_sig - # displayName: Deploy shared image gallery and definition - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.Compute/galleries' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default SIG and SID - - # - stage: deploy_ag - # displayName: Deploy action groups - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.Insights/actionGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default 
Action Group - - # - stage: deploy_asg - # displayName: Deploy application security groups - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.Network/applicationSecurityGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Security Groups - - # - stage: deploy_udr - # displayName: Deploy route tables - # dependsOn: - # - deploy_rg - # variables: - # resourceType: 'Microsoft.Network/routeTables' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default User Defined Routes - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI User Defined Routes - - # - stage: deploy_nsg - # displayName: Deploy network security groups - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.Network/networkSecurityGroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: App Gateway NSG - # - path: 
$(dependencyPath)/$(resourceType)/parameters/ase.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: ASE NSG - # - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion NSG - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQLMI NSG - - # - stage: deploy_pip - # displayName: Deploy public IP addresses - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.Network\publicIPAddresses' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: App Gateway Public IP - # - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion Public IP - # - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Load balancer Public IP - - # - stage: deploy_appi - # displayName: Deploy application insight - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.Insights/components' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Insights - - # - stage: deploy_aut - # displayName: Deploy automation account - # dependsOn: - # - 
deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.Automation/automationAccounts' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Automation Account - - # - stage: deploy_avdhp - # displayName: Deploy AVD host pool - # dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law - # variables: - # resourceType: 'Microsoft.DesktopVirtualization/hostpools' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default AVD Host Pool + - stage: deploy_pa + displayName: Deploy policy assignment + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Authorization/policyAssignments' + templateFilePath: $(modulesPath)/$(resourceType)/.bicep/nested_policyAssignments_sub.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Policy assignment + + - stage: deploy_evh + displayName: Deploy event hub + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.EventHub/namespaces' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: EventHub + + - stage: deploy_law + 
displayName: Deploy log analytics workspace + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.OperationalInsights/workspaces' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default LAW + - path: $(dependencyPath)/$(resourceType)/parameters/appi.parameters.json + templateFilePath: $(templateFilePath) + displayName: AppInsights LAW + + - stage: deploy_sa + displayName: Deploy storage account + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Storage/storageAccounts' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default storage account + jobName: default_sa + - path: $(dependencyPath)/$(resourceType)/parameters/law.parameters.json + templateFilePath: $(templateFilePath) + displayName: LAW storage account + - path: $(dependencyPath)/$(resourceType)/parameters/fa.parameters.json + templateFilePath: $(templateFilePath) + displayName: FunctionApp storage account + - job: + displayName: Upload files to storage account + dependsOn: + - default_sa + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.Storage' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + - task: AzurePowerShell@5 + displayName: Upload files to storage account + inputs: + azureSubscription: $(serviceConnection) + ScriptType: 'InlineScript' + Inline: | + # Load used functions + . (Join-Path '$(Build.SourcesDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Export-ContentToBlob.ps1') + + # Get storage account name + $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' + $storageAccountParameters = (ConvertFrom-Json (Get-Content -path $parameterFilePath -Raw)).parameters + + # Upload files to storage account + $functionInput = @{ + ResourceGroupName = '$(defaultResourceGroupName)' + StorageAccountName = $storageAccountParameters.name.value + contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads' + targetContainer = $storageAccountParameters.blobServices.value.containers[0].name + } + + Write-Verbose "Invoke task with" -Verbose + Write-Verbose ($functionInput | ConvertTo-Json | Out-String) -Verbose + + Export-ContentToBlob @functionInput -Verbose + azurePowerShellVersion: 'LatestVersion' + pwsh: true + + - stage: deploy_sig + displayName: Deploy shared image gallery and definition + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Compute/galleries' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default SIG and SID + + - stage: deploy_ag + displayName: Deploy action groups + dependsOn: + - 
deploy_rg + variables: + resourceType: 'Microsoft.Insights/actionGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Action Group + + - stage: deploy_asg + displayName: Deploy application security groups + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Network/applicationSecurityGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Security Groups + + - stage: deploy_udr + displayName: Deploy route tables + dependsOn: + - deploy_rg + variables: + resourceType: 'Microsoft.Network/routeTables' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default User Defined Routes + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlMi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI User Defined Routes + + - stage: deploy_nsg + displayName: Deploy network security groups + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.Network/networkSecurityGroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: 
$(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default NSG + - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + templateFilePath: $(templateFilePath) + displayName: App Gateway NSG + - path: $(dependencyPath)/$(resourceType)/parameters/ase.parameters.json + templateFilePath: $(templateFilePath) + displayName: ASE NSG + - path: $(dependencyPath)/$(resourceType)/parameters/bastion.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion NSG + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQLMI NSG + + - stage: deploy_pip + displayName: Deploy public IP addresses + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.Network\publicIPAddresses' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/apgw.parameters.json + templateFilePath: $(templateFilePath) + displayName: App Gateway Public IP + - path: $(dependencyPath)/$(resourceType)/parameters/bas.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion Public IP + - path: $(dependencyPath)/$(resourceType)/parameters/lb.parameters.json + templateFilePath: $(templateFilePath) + displayName: Load balancer Public IP + + - stage: deploy_appi + displayName: Deploy application insight + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.Insights/components' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: 
$(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Insights + + - stage: deploy_aut + displayName: Deploy automation account + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.Automation/automationAccounts' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Automation Account + + - stage: deploy_avdhp + displayName: Deploy AVD host pool + dependsOn: + - deploy_sa + - deploy_evh + - deploy_law + variables: + resourceType: 'Microsoft.DesktopVirtualization/hostpools' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default AVD Host Pool - stage: deploy_rsv displayName: Deploy recovery services vault dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law + - deploy_sa + - deploy_evh + - deploy_law - deploy_msi variables: resourceType: 'Microsoft.RecoveryServices/vaults' @@ -395,9 +395,9 @@ stages: - stage: deploy_kv displayName: Deploy key vaults dependsOn: - # - deploy_sa - # - deploy_evh - # - deploy_law + - deploy_sa + - deploy_evh + - deploy_law - deploy_msi variables: resourceType: 'Microsoft.KeyVault/vaults' 
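Review bot: In the re-enabled `deploy_pip` stage, `resourceType: 'Microsoft.Network\publicIPAddresses'` uses a backslash while every other stage in this hunk uses a forward slash (e.g. `'Microsoft.Network/networkSecurityGroups'`), and the value is spliced into `templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep` and into the `$(dependencyPath)/$(resourceType)/parameters/...` paths; unless `module.jobs.deploy.yml` normalizes separators, that path will not resolve on a Linux agent, so change it to `resourceType: 'Microsoft.Network/publicIPAddresses'`. In the "Upload files to storage account" inline script, `contentDirectories = Join-Path '$(Build.SourcesDirectory)' $(dependencyPath) '$(resourceType)' 'uploads'` leaves `$(dependencyPath)` unquoted, unlike the `$parameterFilePath` assignment a few lines earlier; quote it as `'$(dependencyPath)'` so a value containing spaces or PowerShell-significant characters is still passed as one argument. The closing context lines belong to `deploy_rsv`, whose stage continues past the hunk.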
@@ -422,167 +422,167 @@ stages: displayName: SQLMI key vault jobName: sqlmi_kv customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"$(msiPrincipalId)"}]' - # - job: - # displayName: Set key vault secrets keys and certificates - # dependsOn: - # - default_kv - # pool: - # ${{ if eq(variables['vmImage'], '') }}: - # name: $(poolName) - # ${{ if eq(variables['poolName'], '') }}: - # vmImage: $(vmImage) - # steps: - # - task: PowerShell@2 - # displayName: 'Setup agent' - # inputs: - # targetType: inline - # pwsh: true - # script: | - # # Load used functions - # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.KeyVault' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - task: AzurePowerShell@5 - # displayName: Set key vault secrets keys and certificates - # inputs: - # azureSubscription: $(serviceConnection) - # ScriptType: 'InlineScript' - # Inline: | - # # Get key vault name - # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' - # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - # $keyVaultName = $keyVaultParameters.name.value - - # # Generate values - # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $passwordString = (New-Guid).Guid.SubString(0, 19) - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - # $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) - # $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force - - # # Set secrets - # # ------- - # @( - # @{ name = 'adminUsername'; secretValue 
= $username } # VirtualMachines and VMSS - # @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS - # @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer - # @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer - # @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway - # @{ name = 'apimClientId'; secretValue = $username } # API management - # @{ name = 'apimClientSecret'; secretValue = $password } # API management - # ) | ForEach-Object { - # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - - # # Certificats - # # ----------- - # $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal - # @( - # @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway - # ) | ForEach-Object { - # $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy - # Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - - # # Set keys - # # ---- - # @( - # @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS - # ) | ForEach-Object { - # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - # azurePowerShellVersion: 'LatestVersion' - # pwsh: true - - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - job: - # displayName: Set sqlmi key vault secrets and keys - # condition: eq(${{ parameters.deploySqlMiDependencies }}, true) - # dependsOn: - # - sqlmi_kv - # pool: - # ${{ 
if eq(variables['vmImage'], '') }}: - # name: $(poolName) - # ${{ if eq(variables['poolName'], '') }}: - # vmImage: $(vmImage) - # steps: - # - task: PowerShell@2 - # displayName: 'Setup agent' - # inputs: - # targetType: inline - # pwsh: true - # script: | - # # Load used functions - # . (Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') - - # # Define PS modules to install on the runner - # $Modules = @( - # @{ Name = 'Az.KeyVault' } - # ) - - # # Set agent up - # Set-EnvironmentOnAgent -PSModules $Modules - # - task: AzurePowerShell@5 - # displayName: Set sqlmi key vault secrets and keys - # inputs: - # azureSubscription: $(serviceConnection) - # ScriptType: 'InlineScript' - # Inline: | - # # Get key vault name - # $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'sqlmi.parameters.json' - # $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters - # $keyVaultName = $keyVaultParameters.name.value - - # # Generate values - # $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length - # $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force - # $passwordString = (New-Guid).Guid.SubString(0, 19) - # $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force - - # # Set secrets - # # ------- - # @( - # @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances - # @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances - # ) | ForEach-Object { - # $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue - # Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - - # # Set keys - # # ---- - # @( - # @{ name = 'keyEncryptionKeySqlMi'; 
Destination = 'Software' } # SQLManagedInstances - # ) | ForEach-Object { - # $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination - # Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose - # } - # azurePowerShellVersion: 'LatestVersion' - # pwsh: true - - # - stage: deploy_avdag - # displayName: Deploy AVD application group - # dependsOn: - # - deploy_avdhp - # variables: - # resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Application Group + - job: + displayName: Set key vault secrets keys and certificates + dependsOn: + - default_kv + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + - task: AzurePowerShell@5 + displayName: Set key vault secrets keys and certificates + inputs: + azureSubscription: $(serviceConnection) + ScriptType: 'InlineScript' + Inline: | + # Get key vault name + $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'parameters.json' + $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + $keyVaultName = $keyVaultParameters.name.value + + # Generate values + $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $passwordString = (New-Guid).Guid.SubString(0, 19) + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + $vpnSharedKeyString = (New-Guid).Guid.SubString(0, 32) + $vpnSharedKey = ConvertTo-SecureString -String $vpnSharedKeyString -AsPlainText -Force + + # Set secrets + # ------- + @( + @{ name = 'adminUsername'; secretValue = $username } # VirtualMachines and VMSS + @{ name = 'adminPassword'; secretValue = $password } # VirtualMachines and VMSS + @{ name = 'administratorLogin'; secretValue = $username } # Azure SQLServer + @{ name = 'administratorLoginPassword'; secretValue = $password } # Azure SQLServer + @{ name = 'vpnSharedKey'; secretValue = $vpnSharedKey } # VirtualNetworkGateway + @{ name = 'apimClientId'; secretValue = $username } # API management + @{ name = 'apimClientSecret'; secretValue = $password } # API management + ) | ForEach-Object { + $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue 
$_.secretValue + Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + + # Certificats + # ----------- + $certPolicy = New-AzKeyVaultCertificatePolicy -SecretContentType 'application/x-pkcs12' -SubjectName 'CN=fabrikam.com' -IssuerName 'Self' -ValidityInMonths 12 -ReuseKeyOnRenewal + @( + @{ name = 'applicationGatewaySslCertificate'; CertificatePolicy = $certPolicy } # ApplicationGateway + ) | ForEach-Object { + $null = Add-AzKeyVaultCertificate -VaultName $keyVaultName -Name $_.name -CertificatePolicy $_.CertificatePolicy + Write-Verbose ('Added certificate [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + + # Set keys + # ---- + @( + @{ name = 'keyEncryptionKey'; Destination = 'Software' } # DiskEncryptionSet, VirtualMachines and VMSS + ) | ForEach-Object { + $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination + Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + azurePowerShellVersion: 'LatestVersion' + pwsh: true + + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - job: + displayName: Set sqlmi key vault secrets and keys + condition: eq(${{ parameters.deploySqlMiDependencies }}, true) + dependsOn: + - sqlmi_kv + pool: + ${{ if eq(variables['vmImage'], '') }}: + name: $(poolName) + ${{ if eq(variables['poolName'], '') }}: + vmImage: $(vmImage) + steps: + - task: PowerShell@2 + displayName: 'Setup agent' + inputs: + targetType: inline + pwsh: true + script: | + # Load used functions + . 
(Join-Path '$(System.DefaultWorkingDirectory)' 'utilities' 'pipelines' 'sharedScripts' 'Set-EnvironmentOnAgent.ps1') + + # Define PS modules to install on the runner + $Modules = @( + @{ Name = 'Az.KeyVault' } + ) + + # Set agent up + Set-EnvironmentOnAgent -PSModules $Modules + - task: AzurePowerShell@5 + displayName: Set sqlmi key vault secrets and keys + inputs: + azureSubscription: $(serviceConnection) + ScriptType: 'InlineScript' + Inline: | + # Get key vault name + $parameterFilePath = Join-Path '$(Build.SourcesDirectory)' '$(dependencyPath)' '$(resourceType)' 'parameters' 'sqlmi.parameters.json' + $keyVaultParameters = (ConvertFrom-Json (Get-Content -Path $parameterFilePath -Raw)).parameters + $keyVaultName = $keyVaultParameters.name.value + + # Generate values + $usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ForEach-Object { [char]$_ + "$_" })).substring(0, 19) # max length + $userName = ConvertTo-SecureString -String $usernameString -AsPlainText -Force + $passwordString = (New-Guid).Guid.SubString(0, 19) + $password = ConvertTo-SecureString -String $passwordString -AsPlainText -Force + + # Set secrets + # ------- + @( + @{ name = 'administratorLogin'; secretValue = $username } # SQLManagedInstances + @{ name = 'administratorLoginPassword'; secretValue = $password } # SQLManagedInstances + ) | ForEach-Object { + $null = Set-AzKeyVaultSecret -VaultName $keyVaultName -Name $_.name -SecretValue $_.secretValue + Write-Verbose ('Added secret [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + + # Set keys + # ---- + @( + @{ name = 'keyEncryptionKeySqlMi'; Destination = 'Software' } # SQLManagedInstances + ) | ForEach-Object { + $null = Add-AzKeyVaultKey -VaultName $keyVaultName -Name $_.name -Destination $_.Destination + Write-Verbose ('Added key [{0}] to key vault [{1}]' -f $_.name, $keyVaultName) -Verbose + } + azurePowerShellVersion: 'LatestVersion' + pwsh: true + + - stage: deploy_avdag + displayName: 
Deploy AVD application group + dependsOn: + - deploy_avdhp + variables: + resourceType: 'Microsoft.DesktopVirtualization/applicationgroups' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Application Group - stage: deploy_rolea displayName: Deploy role assignments 
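Review bot: In the re-enabled "Set key vault secrets keys and certificates" job, `$usernameString = ( -join ((65..90) + (97..122) | Get-Random -Count 9 -SetSeed 1 | ...` fixes the seed, so the `adminUsername`, `administratorLogin` and `apimClientId` secrets receive the same value on every run, and `$passwordString = (New-Guid).Guid.SubString(0, 19)` yields only hex digits plus hyphens at fixed positions, far less entropy than a 19-character password from a full alphabet; the same two lines recur in the "Set sqlmi key vault secrets and keys" job later in the hunk. Even for a validation environment these become VM and SQL administrator credentials stored in Key Vault, so drop `-SetSeed 1` and derive `$passwordString` and `$vpnSharedKeyString` from `[System.Security.Cryptography.RandomNumberGenerator]` bytes mapped onto upper, lower, digit and symbol characters rather than from a GUID. The `condition: eq(${{ parameters.deploySqlMiDependencies }}, true)` on the sqlmi job appears redundant with the enclosing `${{ if eq( parameters.deploySqlMiDependencies, true) }}:`, which already removes the job at template expansion time, and could be dropped. The `deploy_rolea` stage at the end of the hunk continues past it.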
@@ -601,71 +601,70 @@ stages: displayName: Default MSI Role Assignment customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"$(msiPrincipalId)"}]' + - stage: deploy_vnet + displayName: Deploy virtual networks + dependsOn: + - deploy_nsg + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - deploy_udr + variables: + resourceType: 'Microsoft.Network/virtualNetworks' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json + templateFilePath: $(templateFilePath) + displayName: Bastion Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json + templateFilePath: $(templateFilePath) + displayName: VNET PEering 1 Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json + templateFilePath: $(templateFilePath) + displayName: VNET Peering 2 Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json + templateFilePath: $(templateFilePath) + displayName: Azure Firewall Virtual Network + - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json + templateFilePath: $(templateFilePath) + displayName: AKS Virtual Network + - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: + - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json + templateFilePath: $(templateFilePath) + displayName: SQL MI Virtual Network - # - stage: deploy_vnet - # displayName: Deploy virtual networks - # dependsOn: - # - deploy_nsg - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - deploy_udr - # variables: - # resourceType: 'Microsoft.Network/virtualNetworks' - # 
templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/1.bastion.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Bastion Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/2.vnetpeer01.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: VNET PEering 1 Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/3.vnetpeer02.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: VNET Peering 2 Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/4.azfw.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Azure Firewall Virtual Network - # - path: $(dependencyPath)/$(resourceType)/parameters/5.aks.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: AKS Virtual Network - # - ${{ if eq( parameters.deploySqlMiDependencies, true) }}: - # - path: $(dependencyPath)/$(resourceType)/parameters/6.sqlmi.parameters.json - # templateFilePath: $(templateFilePath) - # displayName: SQL MI Virtual Network - - # - stage: deploy_dnszone - # displayName: Deploy private DNS zones - # dependsOn: - # - deploy_vnet - # variables: - # resourceType: 'Microsoft.Network/privateDnsZones' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Private DNS Zones - - # - stage: deploy_vm - # displayName: Deploy virtual machines - # 
dependsOn: - # - deploy_vnet - # - deploy_rsv - # - deploy_kv - # variables: - # resourceType: 'Microsoft.Compute/virtualMachines' - # templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep - # jobs: - # - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml - # parameters: - # deploymentBlocks: - # - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json - # templateFilePath: $(templateFilePath) - # displayName: Default Virtual Machine + - stage: deploy_dnszone + displayName: Deploy private DNS zones + dependsOn: + - deploy_vnet + variables: + resourceType: 'Microsoft.Network/privateDnsZones' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Private DNS Zones + + - stage: deploy_vm + displayName: Deploy virtual machines + dependsOn: + - deploy_vnet + - deploy_rsv + - deploy_kv + variables: + resourceType: 'Microsoft.Compute/virtualMachines' + templateFilePath: $(modulesPath)/$(resourceType)/deploy.bicep + jobs: + - template: /.azuredevops/pipelineTemplates/module.jobs.deploy.yml + parameters: + deploymentBlocks: + - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json + templateFilePath: $(templateFilePath) + displayName: Default Virtual Machine From 3bf2856fd5800aa2d0338fb19f7ffa8ad8d76989 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Mon, 17 Jan 2022 19:24:50 +0100 Subject: [PATCH 68/69] ado dep all back cleanup --- .azuredevops/platformPipelines/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.azuredevops/platformPipelines/platform.dependencies.yml b/.azuredevops/platformPipelines/platform.dependencies.yml index 0725205958..b53d38722b 100644 --- a/.azuredevops/platformPipelines/platform.dependencies.yml 
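Review bot: The re-enabled deploy_vnet stage carries a typo in one of its display names: `displayName: VNET PEering 1 Virtual Network` should read `displayName: VNET Peering 1 Virtual Network`, matching the `VNET Peering 2 Virtual Network` block right below it. The stage also adds `deploy_udr` to `dependsOn` only when `parameters.deploySqlMiDependencies` is true, and the `6.sqlmi.parameters.json` block is gated by the same expression; that pairing looks deliberate, but nothing says so, and a one-line comment such as `# the UDR is only consumed by the SQL MI subnet, so it is a dependency only in that case` above the conditional `dependsOn` entry would keep a later edit from dropping one half of the pair.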
+++ b/.azuredevops/platformPipelines/platform.dependencies.yml @@ -598,7 +598,7 @@ stages: deploymentBlocks: - path: $(dependencyPath)/$(resourceType)/parameters/parameters.json templateFilePath: $(templateFilePath) - displayName: Default MSI Role Assignment + displayName: MSI Role Assignment customParameterFileTokens: '[{"Name":"msiPrincipalId","Value":"$(msiPrincipalId)"}]' - stage: deploy_vnet From 0670a90fe629c7e1d617dee6b43c468517cd72f9 Mon Sep 17 00:00:00 2001 From: Erika Gressi <56914614+eriqua@users.noreply.github.com> Date: Wed, 19 Jan 2022 17:20:30 +0100 Subject: [PATCH 69/69] Update .github/workflows/platform.dependencies.yml Co-authored-by: Alexander Sehr --- .github/workflows/platform.dependencies.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/platform.dependencies.yml b/.github/workflows/platform.dependencies.yml index 8227012bfd..83c4d0778f 100644 --- a/.github/workflows/platform.dependencies.yml +++ b/.github/workflows/platform.dependencies.yml @@ -91,7 +91,7 @@ jobs: inlineScript: | $deploymentOutput = '${{ steps.deploy_msi.outputs.deploymentOutput }}' $msiPrincipalId = (ConvertFrom-Json $deploymentOutput).msiPrincipalId - Write-Output ('::set-output name=msiPrincipalId::{0}' -f $msiPrincipalId) + Write-Output ('::set-output name={0}::{1}' -f 'msiPrincipalId', $msiPrincipalId) azPSVersion: 'latest' job_deploy_pa:
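Review bot: The reformatted `Write-Output` line still derives `$msiPrincipalId` from `$deploymentOutput`, and that variable is populated by interpolating `${{ steps.deploy_msi.outputs.deploymentOutput }}` directly into the inline script text on the line above it. A single quote or newline in that step output would terminate the PowerShell string literal and the remainder would run as script; the output comes from the repository's own deploy step, so the practical exposure is low, but GitHub's guidance for expressions in `run`/`inlineScript` is to pass them through the environment rather than into the script body. That is a three-line change: add `env:` with `DEPLOYMENT_OUTPUT: ${{ steps.deploy_msi.outputs.deploymentOutput }}` on the step and read it as `$deploymentOutput = $env:DEPLOYMENT_OUTPUT`. Separately, the `::set-output` workflow command has since been deprecated in favour of appending `msiPrincipalId=$msiPrincipalId` to `$env:GITHUB_OUTPUT`, which would also make the format string unnecessary.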