Azure
/
ALZ-Bicep
зеркало из https://github.com/Azure/ALZ-Bicep.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Implement bicep bootstrap (#799) 

* Update configuration to support bootstrap

* Add networking type option

* Latest updates for bootstrap

* Fix RG name

* Add manual whatif overrides

* Fix MG id

* Revert and add new config

* Update for viable what if

* Add destroy script

* Fix script

* Idempotent script

* Add groups to config file

* Add test starter module

* Simplify destroy script

* Add folders to retain into config

* Latest updates for test module

* Fix resource group deletion code

* Filter down more

* Only remove deployments created by this module

* Add PREFIX env var

* Add prefix param to avoid confusion

* Fix linting

* Update accelerator docs

* Remove china policies

* Fix PowerShell Typo

* skip delete on no mg

* Add on demand folder support

* Update version json

* Docs typo

* Update wiki for clarity

* Add header

* Support regional availability zones

* Fix incorrect link and misspelling

---------

Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
Co-authored-by: Zach Trocinski <ztrocinski@outlook.com>
This commit is contained in:
Jared Holgate 2024-07-18 21:25:19 +01:00 коммит произвёл GitHub
Родитель b700ac453f
Коммит 8dd8d53eea
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
8 изменённых файлов: 1222 добавлений и 14 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
README.md
Просмотреть файл

@ -116,7 +116,7 @@ For support on the artifacts contained in this repository, please refer to [this
[wiki_resiliency]: https://github.com/Azure/ALZ-Bicep/wiki/Resiliency "Wiki - Resiliency"
[wiki_contributing]: https://github.com/Azure/ALZ-Bicep/wiki/Contributing "Wiki - Contributing"
[wiki_accelerator]: <https://github.com/Azure/ALZ-Bicep/wiki/Accelerator> "Wiki - Accelerator"
[wiki_amba]: <https://github.com/Azure/ALZ-Bicep/wiki/Accelerator> "Wiki - AMBA"
[wiki_amba]: <https://github.com/Azure/ALZ-Bicep/wiki/AzureMonitorBaselineAlerts> "Wiki - AMBA"
[wiki_faq]: <https://github.com/Azure/ALZ-Bicep/wiki/FAQ> "Wiki - FAQs"
[wiki_cuaid]: <https://github.com/Azure/ALZ-Bicep/wiki/CustomerUsage> "Wiki - Telemetry Usage ID"
[wiki_acrdeploy]: <https://github.com/Azure/ALZ-Bicep/wiki/ACRDeployment> "Wiki - Private Bicep Registry"

955
accelerator/.config/ALZ-Powershell-Auto.config.json Normal file
Просмотреть файл

@ -0,0 +1,955 @@
{
"starter_modules": {
"complete": {
"location": ".",
"short_name": "Complete",
"description": "Complete Azure Landing Zones Deployment",
"destroy_script_path": "accelerator/scripts/destroy-landing-zone.ps1",
"folders_or_files_to_retain": [
"accelerator",
"infra-as-code"
],
"subfolders_or_files_to_remove" : [
"media",
"samples",
"generateddocs",
".azuredevops/pipelines",
".github/workflows",
"pipeline-scripts",
"china",
"china/policy_definitions",
"china/policy_set_definitions",
"china/policy_assignments",
"parameters",
"README.md",
"ALZ-Powershell.config.json",
"test_modules/managementGroup"
],
"on_demand_folders" : [
{
"target": "infra-as-code",
"source": "infra-as-code"
}
],
"deployment_file_groups" : [
{
"name": "management_groups",
"displayName": "Management Groups",
"order": 1
},
{
"name": "logging_and_sentinel",
"displayName": "Logging and Sentinel",
"order": 2
},
{
"name": "policy_definitions",
"displayName": "Policy Definitions",
"order": 3
},
{
"name": "role_definitions",
"displayName": "Role Definitions",
"order": 4
},
{
"name": "policy_assignments",
"displayName": "Policy Assignments",
"order": 5
},
{
"name": "management_group_diagnostic_settings",
"displayName": "Management Group Diagnostic Settings",
"order": 6
},
{
"name": "subscription_placement",
"displayName": "Subscription Placement",
"order": 7
},
{
"name": "connectivity",
"displayName": "Connectivity",
"order": 8
}
],
"deployment_files": [
{
"name": "management_groups",
"displayName": "Management Groups Deployment",
"templateFilePath": "./infra-as-code/bicep/modules/managementGroups/managementGroupsScopeEscape.bicep",
"templateParametersFilePath": "./config/custom-parameters/managementGroups.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/modules/managementGroups/parameters/managementGroups.parameters.all.json",
"managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID",
"deploymentType": "managementGroup",
"firstRunWhatIf": true,
"order": 1,
"group": "management_groups"
},
{
"name": "logging_and_sentinel_resource_group",
"displayName": "Logging and Sentinel Resource Group Deployment",
"templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep",
"templateParametersFilePath": "./config/custom-parameters/resourceGroupLoggingAndSentinel.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json",
"subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID",
"deploymentType": "subscription",
"firstRunWhatIf": true,
"order": 2,
"group": "logging_and_sentinel"
},
{
"name": "logging_and_sentinel",
"displayName": "Logging and Sentinel Deployment",
"templateFilePath": "./infra-as-code/bicep/modules/logging/logging.bicep",
"templateParametersFilePath": "./config/custom-parameters/logging.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/modules/logging/parameters/logging.parameters.all.json",
"subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID",
"resourceGroupName": "LOGGING_RESOURCE_GROUP",
"deploymentType": "resourceGroup",
"firstRunWhatIf": false,
"order": 3,
"group": "logging_and_sentinel"
},
{
"name": "custom_policy_definitions",
"displayName": "Custom Policy Definitions Deployment",
"templateFilePath": "./infra-as-code/bicep/modules/policy/definitions/customPolicyDefinitions.bicep",
"templateParametersFilePath": "./config/custom-parameters/customPolicyDefinitions.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/definitions/parameters/customPolicyDefinitions.parameters.all.json",
"managementGroupId": "MANAGEMENT_GROUP_ID",
"deploymentType": "managementGroup",
"firstRunWhatIf": false,
"order": 4,
"group": "policy_definitions"
},
{
"name": "custom_role_definitions",
"displayName": "Custom Role Definitions Deployment",
"templateFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep",
"templateParametersFilePath": "./config/custom-parameters/customRoleDefinitions.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/modules/customRoleDefinitions/parameters/customRoleDefinitions.parameters.all.json",
"managementGroupId": "MANAGEMENT_GROUP_ID",
"deploymentType": "managementGroup",
"firstRunWhatIf": false,
"order": 5,
"group": "role_definitions"
},
{
"name": "management_group_diagnostic_settings",
"displayName": "Custom Management Group Diagnostic Settings",
"templateFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/mgDiagSettingsAll.bicep",
"templateParametersFilePath": "./config/custom-parameters/mgDiagSettingsAll.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/mgDiagSettingsAll/parameters/mgDiagSettingsAll.parameters.all.json",
"managementGroupId": "MANAGEMENT_GROUP_ID",
"deploymentType": "managementGroup",
"firstRunWhatIf": false,
"order": 6,
"group": "management_group_diagnostic_settings"
},
{
"name": "policy_assignments",
"displayName": "Built-in and Custom Policy Assignments Deployment",
"templateFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep",
"templateParametersFilePath": "./config/custom-parameters/alzDefaultPolicyAssignments.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/modules/policy/assignments/alzDefaults/parameters/alzDefaultPolicyAssignments.parameters.all.json",
"managementGroupId": "MANAGEMENT_GROUP_ID",
"deploymentType": "managementGroup",
"firstRunWhatIf": false,
"order": 7,
"group": "policy_assignments"
},
{
"name": "subscription_placement",
"displayName": "Deploy Subscription Placement",
"templateFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/subPlacementAll.bicep",
"templateParametersFilePath": "./config/custom-parameters/subPlacementAll.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/orchestration/subPlacementAll/parameters/subPlacementAll.parameters.all.json",
"managementGroupId": "MANAGEMENT_GROUP_ID",
"deploymentType": "managementGroup",
"firstRunWhatIf": false,
"order": 8,
"group": "subscription_placement"
},
{
"name": "connectivity_resource_group",
"displayName": "Connectivity Resource Group Deployment",
"templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep",
"templateParametersFilePath": "./config/custom-parameters/resourceGroupConnectivity.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json",
"subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID",
"deploymentType": "subscription",
"firstRunWhatIf": true,
"order": 9,
"group": "connectivity"
},
{
"name": "hub_and_spoke",
"displayName": "Hub (Hub-and-Spoke) Deployment",
"templateFilePath": "./infra-as-code/bicep/modules/hubNetworking/hubNetworking.bicep",
"templateParametersFilePath": "./config/custom-parameters/hubNetworking.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/modules/hubNetworking/parameters/hubNetworking.parameters.az.all.json",
"subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID",
"resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP",
"networkType": "hubNetworking",
"deploymentType": "resourceGroup",
"firstRunWhatIf": false,
"order": 10,
"group": "connectivity"
},
{
"name": "vwan",
"displayName": "Hub (VWAN) Deployment",
"templateFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/vwanConnectivity.bicep",
"templateParametersFilePath": "./config/custom-parameters/vwanConnectivity.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/modules/vwanConnectivity/parameters/vwanConnectivity.parameters.az.all.json",
"subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID",
"resourceGroupName": "CONNECTIVITY_RESOURCE_GROUP",
"networkType": "vwanConnectivity",
"deploymentType": "resourceGroup",
"firstRunWhatIf": false,
"order": 10,
"group": "connectivity"
}
],
"inputs": {
"ReleaseVersion": {
"source": "powershell",
"type": "string",
"Targets": [
{
"Name": "RELEASE_VERSION",
"Destination": "Environment"
}
]
},
"Prefix": {
"source": "input",
"type": "string",
"description": "The prefix that will be added to all resources created by this deployment. (e.g. 'alz')",
"Targets": [
{
"Name": "parTopLevelManagementGroupPrefix.value",
"Destination": "Parameters"
},
{
"Name": "parCompanyPrefix.value",
"Destination": "Parameters"
},
{
"Name": "parTargetManagementGroupId.value",
"Destination": "Parameters"
},
{
"Name": "parAssignableScopeManagementGroupId.value",
"Destination": "Parameters"
},
{
"name": "MANAGEMENT_GROUP_ID",
"Destination": "Environment"
},
{
"name": "PREFIX",
"Destination": "Environment"
}
],
"default": "alz",
"validation": "azure_name"
},
"Location": {
"source": "input",
"type": "string",
"description": "Deployment location. (e.g. 'uksouth')",
"Targets": [
{
"Name": "parLocation.value",
"Destination": "Parameters"
},
{
"Name": "parAutomationAccountLocation.value",
"Destination": "Parameters"
},
{
"Name": "parPolicyAssignmentParameters.value.ascExportResourceGroupLocation.value",
"Destination": "Parameters"
},
{
"Name": "parVirtualWanHubs.value[0].parHubLocation",
"Destination": "Parameters"
},
{
"Name": "LOCATION",
"Destination": "Environment"
}
],
"validation": "azure_location"
},
"Environment": {
"source": "input",
"type": "string",
"description": "The Type of environment that will be created. (e.g. 'live', 'canary')",
"Targets": [
{
"Name": "parEnvironment.value",
"Destination": "Parameters"
},
{
"Name": "parTags.value.Environment",
"Destination": "Parameters"
}
],
"default": "live",
"validation": "azure_name_section"
},
"networkType": {
"source": "input",
"type": "string",
"description": "The type of networking to deploy. (e.g. 'hubNetworking', 'vwanConnectivity')",
"default": "hubNetworking",
"Targets": [
{
"Name": "NETWORK_TYPE",
"Destination": "Environment"
}
],
"validation": "network_type"
},
"IdentitySubscriptionId": {
"source": "input",
"type": "string",
"description": "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')",
"validation": "azure_subscription_id",
"Targets": [
{
"Name": "IDENTITY_SUBSCRIPTION_ID",
"Destination": "Environment"
}
]
},
"ConnectivitySubscriptionId": {
"source": "input",
"type": "string",
"description": "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')",
"validation": "azure_subscription_id",
"Targets": [
{
"Name": "CONNECTIVITY_SUBSCRIPTION_ID",
"Destination": "Environment"
}
]
},
"ManagementSubscriptionId": {
"source": "input",
"type": "string",
"description": "The identifier of the Management Subscription. (e.g 00000000-0000-0000-0000-000000000000)",
"validation": "azure_subscription_id",
"Targets": [
{
"Name": "MANAGEMENT_SUBSCRIPTION_ID",
"Destination": "Environment"
}
]
},
"SecurityContact": {
"source": "input",
"type": "string",
"description": "The email address of the contact for security issues. (e.g. security@contactme.com)",
"validation": "email",
"Targets": [
{
"Name": "parMsDefenderForCloudEmailSecurityContact.value",
"Destination": "Parameters"
}
]
},
"LogAnalyticsWorkspaceLocation": {
"source": "powershell",
"type": "string",
"Value": "{%Location%}",
"Process": "($args[0] -eq \"eastus\") ? \"eastus2\" : ($args[0] -eq \"eastus2\") ? \"eastus\" : $args[0]",
"Targets": [
{
"Name": "parLogAnalyticsWorkspaceLocation.value",
"Destination": "Parameters"
},
{
"Name": "parLogAnalyticsWorkSpaceAndAutomationAccountLocation.value",
"Destination": "Parameters"
}
]
},
"LogAnalyticsResourceId": {
"source": "powershell",
"type": "string",
"Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/microsoft.operationalinsights/workspaces/alz-log-analytics",
"Targets": [
{
"Name": "parLogAnalyticsWorkspaceResourceId.value",
"Destination": "Parameters"
}
]
},
"DataCollectionRuleVMInsightsResourceId": {
"source": "powershell",
"type": "string",
"Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr",
"Targets": [
{
"Name": "parDataCollectionRuleVMInsightsResourceId.value",
"Destination": "Parameters"
}
]
},
"DataCollectionRuleChangeTrackingResourceId": {
"source": "powershell",
"type": "string",
"Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr",
"Targets": [
{
"Name": "parDataCollectionRuleChangeTrackingResourceId.value",
"Destination": "Parameters"
}
]
},
"DataCollectionRuleMDFCSQLResourceId": {
"source": "powershell",
"type": "string",
"Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr",
"Targets": [
{
"Name": "parDataCollectionRuleMDFCSQLResourceId.value",
"Destination": "Parameters"
}
]
},
"UserAssignedManagedIdentityResourceId": {
"source": "powershell",
"type": "string",
"Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity",
"Targets": [
{
"Name": "parUserAssignedManagedIdentityResourceId.value",
"Destination": "Parameters"
}
]
},
"DdosPretectionPlanId": {
"source": "powershell",
"type": "string",
"Value": "/subscriptions/{%ConnectivitySubscriptionId%}/resourceGroups/rg-{%Prefix%}-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan",
"Targets": [
{
"Name": "parDdosProtectionPlanId.value",
"Destination": "Parameters"
}
]
},
"PrivateDnsResourceGroupId": {
"source": "powershell",
"type": "string",
"Value": "/subscriptions/{%ConnectivitySubscriptionId%}/resourceGroups/rg-{%Prefix%}-connectivity",
"Targets": [
{
"Name": "parPrivateDnsResourceGroupId.value",
"Destination": "Parameters"
}
]
},
"ManagementSubscriptionGroup": {
"source": "powershell",
"type": "string",
"Value": [
"{%ManagementSubscriptionId%}"
],
"Targets": [
{
"Name": "parPlatformManagementMgSubs.value",
"Destination": "Parameters"
}
]
},
"ConnectivitySubscriptionGroup": {
"source": "powershell",
"type": "string",
"Value": [
"{%ConnectivitySubscriptionId%}"
],
"Targets": [
{
"Name": "parPlatformConnectivityMgSubs.value",
"Destination": "Parameters"
}
]
},
"IdentitySubscriptionGroup": {
"source": "powershell",
"type": "string",
"Value": [
"{%IdentitySubscriptionId%}"
],
"Targets": [
{
"Name": "parPlatformIdentityMgSubs.value",
"Destination": "Parameters"
}
]
},
"HubNetworkName": {
"source": "powershell",
"type": "string",
"Value": "alz-hub-{%Location%}",
"Targets": [
{
"Name": "parHubNetworkName.value",
"Destination": "Parameters"
}
]
},
"VirtualIdToLink": {
"source": "powershell",
"type": "string",
"Value": "",
"Targets": [
{
"Name": "parVirtualNetworkIdToLink.value",
"Destination": "Parameters"
}
]
},
"VirtualWanName": {
"source": "powershell",
"type": "string",
"Value": "alz-vwan-{%Location%}",
"Targets": [
{
"Name": "parVirtualWanName.value",
"Destination": "Parameters"
}
]
},
"AzFirewallName": {
"source": "powershell",
"type": "string",
"Value": "alz-azfw-{%Location%}",
"Targets": [
{
"Name": "parAzFirewallName.value",
"Destination": "Parameters"
}
]
},
"FirewallPoliciesName": {
"source": "powershell",
"type": "string",
"Value": "alz-azfwpolicy-{%Location%}",
"Targets": [
{
"Name": "parAzFirewallPoliciesName.value",
"Destination": "Parameters"
}
]
},
"AK8sPrivateLink": {
"source": "powershell",
"type": "string",
"Value": "privatelink.{%Location%}.azmk8s.io",
"Targets": [
{
"Name": "parPrivateDnsZones.value[0]",
"Destination": "Parameters"
}
]
},
"BatchPrivateLink": {
"source": "powershell",
"type": "string",
"Value": "privatelink.{%Location%}.batch.azure.com",
"Targets": [
{
"Name": "parPrivateDnsZones.value[1]",
"Destination": "Parameters"
}
]
},
"KustoPrivateLink": {
"source": "powershell",
"type": "string",
"Value": "privatelink.{%Location%}.kusto.windows.net",
"Targets": [
{
"Name": "parPrivateDnsZones.value[2]",
"Destination": "Parameters"
}
]
},
"BackupPrivateLink": {
"source": "powershell",
"type": "string",
"Value": "privatelink.{%Location%}.backup.windowsazure.com",
"Targets": [
{
"Name": "parPrivateDnsZones.value[3]",
"Destination": "Parameters"
}
]
},
"ConnectivityResourceGroupName": {
"source": "powershell",
"type": "string",
"Value": "rg-{%Prefix%}-connectivity",
"Targets": [
{
"Name": "CONNECTIVITY_RESOURCE_GROUP",
"Destination": "Environment"
},
{
"File": "resourceGroupConnectivity.parameters.all.json",
"Name": "parResourceGroupName.value",
"Destination": "Parameters"
}
]
},
"LoggingResourceGroupName": {
"source": "powershell",
"type": "string",
"Value": "rg-{%Prefix%}-logging",
"Targets": [
{
"Name": "LOGGING_RESOURCE_GROUP",
"Destination": "Environment"
},
{
"File": "resourceGroupLoggingAndSentinel.parameters.all.json",
"Name": "parResourceGroupName.value",
"Destination": "Parameters"
}
]
},
"RootParentManagementGroupId": {
"source": "powershell",
"type": "string",
"Value": "",
"Targets": [
{
"Name": "ROOT_PARENT_MANAGEMENT_GROUP_ID",
"Destination": "Environment"
},
{
"File": "managementGroups.parameters.all.json",
"Name": "parTopLevelManagementGroupParentId.value",
"Destination": "Parameters"
}
]
},
"AvailabilityZones": {
"source": "powershell",
"type": "list(string)",
"Value": "",
"Targets": [
{
"Name": "AVAILABILITY_ZONES",
"Destination": "Environment"
},
{
"File": "vwanConnectivity.parameters.all.json",
"Name": "parVirtualWanHubs.value[0].parAzFirewallAvailabilityZones",
"Destination": "Parameters"
},
{
"File": "hubNetworking.parameters.all.json",
"Name": "parAzErGatewayAvailabilityZones.value",
"Destination": "Parameters"
},
{
"File": "hubNetworking.parameters.all.json",
"Name": "parAzVpnGatewayAvailabilityZones.value",
"Destination": "Parameters"
},
{
"File": "hubNetworking.parameters.all.json",
"Name": "parAzFirewallAvailabilityZones.value",
"Destination": "Parameters"
}
]
}
}
},
"test": {
"location": ".",
"short_name": "Test",
"description": "Test Azure Landing Zones Deployment for e2e testing",
"destroy_script_path": "accelerator/scripts/destroy-landing-zone.ps1",
"folders_or_files_to_retain": [
"accelerator",
"infra-as-code/bicep/modules/resourceGroup",
"infra-as-code/bicep/CRML/customerUsageAttribution"
],
"subfolders_or_files_to_remove" : [
"media",
"samples",
"generateddocs",
".azuredevops/pipelines",
".github/workflows",
"pipeline-scripts",
"china",
"parameters",
"README.md",
"ALZ-Powershell.config.json"
],
"on_demand_folders" : [
{
"target": "infra-as-code",
"source": "infra-as-code"
}
],
"deployment_file_groups" : [
{
"name": "management_groups",
"displayName": "Management Groups",
"order": 1
},
{
"name": "resource_groups",
"displayName": "Resource Groups",
"order": 2
}
],
"deployment_files": [
{
"name": "management_groups",
"displayName": "Management Groups Deployment",
"templateFilePath": "./accelerator/test_modules/managementGroup/managementGroup.bicep",
"templateParametersFilePath": "./config/custom-parameters/managementGroup.parameters.all.json",
"templateParametersSourceFilePath": "./accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json",
"managementGroupId": "ROOT_PARENT_MANAGEMENT_GROUP_ID",
"deploymentType": "managementGroup",
"firstRunWhatIf": true,
"order": 1,
"group": "management_groups"
},
{
"name": "management_resource_group",
"displayName": "Management Resource Group Deployment",
"templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep",
"templateParametersFilePath": "./config/custom-parameters/resourceGroupManagement.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json",
"subscriptionId": "MANAGEMENT_SUBSCRIPTION_ID",
"deploymentType": "subscription",
"firstRunWhatIf": true,
"order": 2,
"group": "resource_groups"
},
{
"name": "connectivity_resource_group",
"displayName": "Connectivity Resource Group Deployment",
"templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep",
"templateParametersFilePath": "./config/custom-parameters/resourceGroupConnectivity.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json",
"subscriptionId": "CONNECTIVITY_SUBSCRIPTION_ID",
"deploymentType": "subscription",
"firstRunWhatIf": true,
"order": 3,
"group": "resource_groups"
},
{
"name": "identity_resource_group",
"displayName": "Identity Resource Group Deployment",
"templateFilePath": "./infra-as-code/bicep/modules/resourceGroup/resourceGroup.bicep",
"templateParametersFilePath": "./config/custom-parameters/resourceGroupIdentity.parameters.all.json",
"templateParametersSourceFilePath": "./infra-as-code/bicep/modules/resourceGroup/parameters/resourceGroup.parameters.all.json",
"subscriptionId": "IDENTITY_SUBSCRIPTION_ID",
"deploymentType": "subscription",
"firstRunWhatIf": true,
"order": 4,
"group": "resource_groups"
}
],
"inputs": {
"ReleaseVersion": {
"source": "powershell",
"type": "string",
"Targets": [
{
"Name": "RELEASE_VERSION",
"Destination": "Environment"
}
]
},
"Prefix": {
"source": "input",
"type": "string",
"description": "The prefix that will be added to all resources created by this deployment. (e.g. 'alz')",
"Targets": [
{
"Name": "parTopLevelManagementGroupPrefix.value",
"Destination": "Parameters"
},
{
"name": "MANAGEMENT_GROUP_ID",
"Destination": "Environment"
},
{
"Name": "PREFIX",
"Destination": "Environment"
}
],
"default": "alz",
"validation": "azure_name"
},
"Location": {
"source": "input",
"type": "string",
"description": "Deployment location. (e.g. 'uksouth')",
"Targets": [
{
"Name": "parLocation.value",
"Destination": "Parameters"
},
{
"Name": "LOCATION",
"Destination": "Environment"
}
],
"validation": "azure_location"
},
"Environment": {
"source": "input",
"type": "string",
"description": "The Type of environment that will be created. (e.g. 'live', 'canary')",
"Targets": [
{
"Name": "parTags.value.Environment",
"Destination": "Parameters"
}
],
"default": "live",
"validation": "azure_name_section"
},
"networkType": {
"source": "input",
"type": "string",
"description": "The type of networking to deploy. (e.g. 'hubNetworking', 'vwanConnectivity')",
"default": "hubNetworking",
"Targets": [
{
"Name": "NETWORK_TYPE",
"Destination": "Environment"
}
],
"validation": "network_type"
},
"IdentitySubscriptionId": {
"source": "input",
"type": "string",
"description": "The identifier of the Identity Subscription. (e.g '00000000-0000-0000-0000-000000000000')",
"validation": "azure_subscription_id",
"Targets": [
{
"Name": "IDENTITY_SUBSCRIPTION_ID",
"Destination": "Environment"
}
]
},
"ConnectivitySubscriptionId": {
"source": "input",
"type": "string",
"description": "The identifier of the Connectivity Subscription. (e.g '00000000-0000-0000-0000-000000000000')",
"validation": "azure_subscription_id",
"Targets": [
{
"Name": "CONNECTIVITY_SUBSCRIPTION_ID",
"Destination": "Environment"
}
]
},
"ManagementSubscriptionId": {
"source": "input",
"type": "string",
"description": "The identifier of the Management Subscription. (e.g 00000000-0000-0000-0000-000000000000)",
"validation": "azure_subscription_id",
"Targets": [
{
"Name": "MANAGEMENT_SUBSCRIPTION_ID",
"Destination": "Environment"
}
]
},
"RootParentManagementGroupId": {
"source": "powershell",
"type": "string",
"Value": "",
"Targets": [
{
"Name": "ROOT_PARENT_MANAGEMENT_GROUP_ID",
"Destination": "Environment"
},
{
"File": "managementGroup.parameters.all.json",
"Name": "parTopLevelManagementGroupParentId.value",
"Destination": "Parameters"
}
]
},
"ConnectivityResourceGroupName": {
"source": "powershell",
"type": "string",
"Value": "rg-{%Prefix%}-connectivity",
"Targets": [
{
"Name": "CONNECTIVITY_RESOURCE_GROUP",
"Destination": "Environment"
},
{
"File": "resourceGroupConnectivity.parameters.all.json",
"Name": "parResourceGroupName.value",
"Destination": "Parameters"
}
]
},
"ManagementResourceGroupName": {
"source": "powershell",
"type": "string",
"Value": "rg-{%Prefix%}-management",
"Targets": [
{
"Name": "MANAGEMENT_RESOURCE_GROUP",
"Destination": "Environment"
},
{
"File": "resourceGroupManagement.parameters.all.json",
"Name": "parResourceGroupName.value",
"Destination": "Parameters"
}
]
},
"IdentityResourceGroupName": {
"source": "powershell",
"type": "string",
"Value": "rg-{%Prefix%}-identity",
"Targets": [
{
"Name": "IDENTITY_RESOURCE_GROUP",
"Destination": "Environment"
},
{
"File": "resourceGroupIdentity.parameters.all.json",
"Name": "parResourceGroupName.value",
"Destination": "Parameters"
}
]
},
"AvailabilityZones": {
"source": "powershell",
"type": "list(string)",
"Value": "",
"Targets": [
{
"Name": "AVAILABILITY_ZONES",
"Destination": "Environment"
}
]
}
}
}
}
}

190
accelerator/scripts/destroy-landing-zone.ps1 Normal file
Просмотреть файл

@ -0,0 +1,190 @@
## This script is derived from the original by Jack Tracey, which you can find here: https://github.com/jtracey93/PublicScripts/blob/master/Azure/PowerShell/Enterprise-scale/Wipe-ESLZAzTenant.ps1
param (
[bool]$whatIfEnabled = $true,
[string]$prefix = $env:PREFIX,
[string]$intermediateRootGroupID = $env:MANAGEMENT_GROUP_ID,
[string]$tenantRootGroupID = $env:ROOT_PARENT_MANAGEMENT_GROUP_ID,
[string]$connectivitySubscriptionId = $env:CONNECTIVITY_SUBSCRIPTION_ID,
[string]$identitySubscriptionId = $env:IDENTITY_SUBSCRIPTION_ID,
[string]$managementSubscriptionId = $env:MANAGEMENT_SUBSCRIPTION_ID
)
if($whatIfEnabled) {
Write-Warning "The deploy stage of this run will delete all aspects of your landing zone. This includes all resources in your platform subscriptions. Please ensure you have a backup of any data you wish to keep."
Write-Warning "DANGER! DO NOT APPROVE THIS RUN UNLESS YOU ARE CERTAIN YOU WANT TO DELETE EVERYTHING."
exit 0
}
$managementGroups = Get-AzManagementGroup
$managementGroup = $managementGroups | Where-Object { $_.Name -eq $intermediateRootGroupID }
if($null -eq $managementGroup) {
Write-Warning "The $intermediateRootGroupID does not exist, so there is nothing to delete."
exit 0
}
if ($tenantRootGroupID -eq "") {
$tenantRootGroupID = (Get-AzContext).Tenant.TenantId
}
$resetMdfcTierOnSubs = $true
#Toggle to stop warnings with regards to DisplayName and DisplayId
Set-Item Env:\SuppressAzurePowerShellBreakingChangeWarnings "true"
# Start timer
$StopWatch = New-Object -TypeName System.Diagnostics.Stopwatch
$StopWatch.Start()
# Get all Subscriptions that are in the Intermediate Root Management Group's hierarchy tree
$intermediateRootGroupChildSubscriptions = Search-AzGraph -Query "resourcecontainers | where type =~ 'microsoft.resources/subscriptions' | mv-expand mgmtGroups=properties.managementGroupAncestorsChain | where mgmtGroups.name =~ '$intermediateRootGroupID' | project subName=name, subID=subscriptionId, subState=properties.state, aadTenantID=tenantId, mgID=mgmtGroups.name, mgDisplayName=mgmtGroups.displayName"
Write-Output "Moving all subscriptions under root management group"
# For each Subscription in Intermediate Root Management Group's hierarchy tree, move it to the Tenant Root Management Group
$intermediateRootGroupChildSubscriptions | ForEach-Object -Parallel {
# The name 'Tenant Root Group' doesn't work. Instead, use the GUID of your Tenant Root Group
if ($_.subState -ne "Disabled") {
Write-Output "Moving Subscription: '$($_.subName)' under Tenant Root Management Group: '$($using:tenantRootGroupID)'"
New-AzManagementGroupSubscription -GroupId $using:tenantRootGroupID -SubscriptionId $_.subID | Out-Null
}
}
# For each Subscription in the Intermediate Root Management Group's hierarchy tree, remove all Resources, Resource Groups and Deployments
Write-Output "Removing all Azure Resources, Resource Groups and Deployments from Subscriptions in scope"
$subscriptionsToClean = @()
ForEach ($subscription in $intermediateRootGroupChildSubscriptions) {
$subscriptionsToClean += @{
name = $subscription.subName
id = $subscription.subID
}
}
$subscriptionIds = $subscriptionsToClean | Select-Object -ExpandProperty id
if($subscriptionIds -notcontains $managementSubscriptionId) {
$subscriptionsToClean += @{
name = "Management"
id = $managementSubscriptionId
}
$subscriptionIds += $managementSubscriptionId
}
if($subscriptionIds -notcontains $identitySubscriptionId) {
$subscriptionsToClean += @{
name = "Identity"
id = $identitySubscriptionId
}
$subscriptionIds += $identitySubscriptionId
}
if($subscriptionIds -notcontains $connectivitySubscriptionId) {
$subscriptionsToClean += @{
name = "Connectivity"
id = $connectivitySubscriptionId
}
$subscriptionIds += $connectivitySubscriptionId
}
ForEach ($subscription in $subscriptionsToClean) {
Write-Output "Set context to Subscription: '$($subscription.name)'"
Set-AzContext -Subscription $subscription.id | Out-Null
# Get all Resource Groups in Subscription
$resourceGroups = Get-AzResourceGroup
$resourceGroupsToRemove = @()
ForEach ($resourceGroup in $resourceGroups) {
if ($resourceGroup.ResourceGroupName -like "rg-$prefix*") {
$resourceGroupsToRemove += $resourceGroup.ResourceGroupName
}
}
$resourceGroupsToRemove | ForEach-Object -Parallel {
Write-Output "Deleting $_..."
Remove-AzResourceGroup -Name $_ -Force | Out-Null
}
# Get Deployments for Subscription
$subDeployments = Get-AzSubscriptionDeployment
Write-Output "Removing All Successful Subscription Deployments for: $($subscription.name)"
$deploymentsToRemove = @()
ForEach ($deployment in $subDeployments) {
if ($deployment.DeploymentName -like "$prefix*" -and $deployment.ProvisioningState -eq "Succeeded") {
$deploymentsToRemove += $deployment
}
}
# For each Subscription level deployment, remove it
$deploymentsToRemove | ForEach-Object -Parallel {
Write-Output "Removing $($_.DeploymentName) ..."
Remove-AzSubscriptionDeployment -Id $_.Id | Out-Null
}
# Set MDFC tier to Free for each Subscription
if ($resetMdfcTierOnSubs) {
Write-Output "Resetting MDFC tier to Free for Subscription: $($subscription.name)"
$currentMdfcForSubUnfiltered = Get-AzSecurityPricing
$currentMdfcForSub = $currentMdfcForSubUnfiltered | Where-Object { $_.PricingTier -ne "Free" }
ForEach ($mdfcPricingTier in $currentMdfcForSub) {
Write-Output "Resetting $($mdfcPricingTier.Name) to Free MDFC Pricing Tier for Subscription: $($subscription.name)"
Set-AzSecurityPricing -Name $mdfcPricingTier.Name -PricingTier 'Free' | Out-Null
}
}
}
# This function only deletes Management Groups in the Intermediate Root Management Group's hierarchy tree and will NOT delete other Intermediate Root level Management Groups and their children e.g. in the case of "canary"
function Remove-Recursively {
[CmdletBinding(SupportsShouldProcess = $true)]
param (
[string]$name
)
if($PSCmdlet.ShouldProcess($name, "Remove-AzManagementGroup")) {
# Enters the parent Level
Write-Output "Entering the scope with $name"
$parent = Get-AzManagementGroup -GroupId $name -Expand -Recurse
# Checks if there is any parent level
if ($null -ne $parent.Children) {
Write-Output "Found the following Children :"
Write-Output ($parent.Children | Select-Object Name).Name
foreach ($children in $parent.Children) {
# Tries to recur to each child item
Remove-Recursively($children.Name)
}
}
# If no children are found at each scope
Write-Output "No children found in scope $name"
Write-Output "Removing the scope $name"
Remove-AzManagementGroup -InputObject $parent | Out-Null
}
}
# Check if Management Group exists for idempotency
$managementGroups = Get-AzManagementGroup
$managementGroup = $managementGroups | Where-Object { $_.Name -eq $intermediateRootGroupID }
if($null -eq $managementGroup) {
Write-Output "Management Group with ID: '$intermediateRootGroupID' does not exist."
} else {
Write-Output "Management Group with ID: '$intermediateRootGroupID' exists. Proceeding with deletion."
# Remove all the Management Groups in Intermediate Root Management Group's hierarchy tree, including itself
Remove-Recursively($intermediateRootGroupID)
}
# Stop timer
$StopWatch.Stop()
# Display timer output as table
Write-Output "Time taken to complete task:"
$StopWatch.Elapsed | Format-Table

36
accelerator/test_modules/managementGroup/managementGroup.bicep Normal file
Просмотреть файл

@ -0,0 +1,36 @@
targetScope = 'managementGroup'
metadata name = 'ALZ Bicep - Management Groups Module with Scope Escape'
metadata description = 'ALZ Bicep Module to set up Management Group structure, using Scope Escaping feature of ARM to allow deployment not requiring tenant root scope access.'
@sys.description('Prefix used for the management group hierarchy. This management group will be created as part of the deployment.')
@minLength(2)
@maxLength(10)
param parTopLevelManagementGroupPrefix string = 'alz'
@sys.description('Optional suffix for the management group hierarchy. This suffix will be appended to management group names/IDs. Include a preceding dash if required. Example: -suffix')
@maxLength(10)
param parTopLevelManagementGroupSuffix string = ''
@sys.description('Display name for top level management group. This name will be applied to the management group prefix defined in parTopLevelManagementGroupPrefix parameter.')
@minLength(2)
param parTopLevelManagementGroupDisplayName string = 'Azure Landing Zones'
@sys.description('Optional parent for Management Group hierarchy, used as intermediate root Management Group parent, if specified. If empty, default, will deploy beneath Tenant Root Management Group.')
param parTopLevelManagementGroupParentId string = ''
resource resTopLevelMg 'Microsoft.Management/managementGroups@2023-04-01' = {
scope: tenant()
name: '${parTopLevelManagementGroupPrefix}${parTopLevelManagementGroupSuffix}'
properties: {
displayName: parTopLevelManagementGroupDisplayName
details: {
parent: {
id: empty(parTopLevelManagementGroupParentId) ? '/providers/Microsoft.Management/managementGroups/${tenant().tenantId}' : contains(toLower(parTopLevelManagementGroupParentId), toLower('/providers/Microsoft.Management/managementGroups/')) ? parTopLevelManagementGroupParentId : '/providers/Microsoft.Management/managementGroups/${parTopLevelManagementGroupParentId}'
}
}
}
}
// Output Management Group IDs
output outTopLevelManagementGroupId string = resTopLevelMg.id

18
accelerator/test_modules/managementGroup/parameters/managementGroup.parameters.all.json Normal file
Просмотреть файл

@ -0,0 +1,18 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"parTopLevelManagementGroupPrefix": {
"value": "alz"
},
"parTopLevelManagementGroupSuffix": {
"value": ""
},
"parTopLevelManagementGroupDisplayName": {
"value": "Azure Landing Zones"
},
"parTopLevelManagementGroupParentId": {
"value": ""
}
}
}

26
docs/wiki/Accelerator.md
Просмотреть файл

@ -1,10 +1,20 @@
<!-- markdownlint-disable -->
## ALZ Bicep Accelerator
## ALZ Bicep Accelerator (Classic)
<!-- markdownlint-restore -->
This document provides prescriptive guidance around implementing, automating, and maintaining your ALZ Bicep module with the ALZ Bicep Accelerator.
> [!IMPORTANT]
> The ALZ Bicep Accelerator has been updated to automate the bootstrapping of your Version Control System and Azure resources. The ALZ Bicep Accelerator's documentation has been moved to [aka.ms/alz/accelerator/docs](https://aka.ms/alz/accelerator/docs). Head over there now to get started!
> Use the instructions below only if you need to use the classic version of the ALZ Bicep Accelerator.
### What is the ALZ Bicep Accelerator?
### Deprecation Notice
> [!WARNING]
> The classic version of the ALZ Bicep Accelerator will be maintained for a limited time. We recommend migrating to the new version as soon as possible.
### What is the ALZ Bicep Accelerator (Classic)?
> [!NOTE]
> These instructions now include the `-bicepLegacyMode $true` parameter, which needs be set explicily to use the classic version.
The ALZ Bicep Accelerator framework was developed to provide end-users with the following abilities:
@ -67,7 +77,7 @@ In order to setup the Accelerator framework with the production GitHub Action Wo
1. Create your ALZ Bicep Accelerator framework with the following ALZ PowerShell Module cmdlet:
```powershell
Deploy-Accelerator -o <output_directory> -i "bicep" -b "alz_github
Deploy-Accelerator -o <output_directory> -i "bicep" -b "alz_github" -bicepLegacyMode $true
```
> **Note:**
@ -137,7 +147,7 @@ In order to setup the Accelerator framework with the production ready Azure DevO
1. Create your ALZ Bicep Accelerator framework with the following ALZ PowerShell Module cmdlet:
```powershell
Deploy-Accelerator -o <output_directory> -i "bicep" -b "alz_azuredevops"
Deploy-Accelerator -o <output_directory> -i "bicep" -b "alz_azuredevops" -bicepLegacyMode $true
```
> **Note:**
@ -217,20 +227,20 @@ The ALZ-Bicep repository regularly releases new [versions](https://github.com/Az
With the ALZ Accelerator framework, we have designed the pipelines and directory structure to make it easy to upgrade to the latest ALZ Bicep version. The following steps will guide you through the upgrade process.
1. Prior to upgrading, read the release note:s for the version you are upgrading to. The release note:s will provide you with information on any breaking changes that may impact your deployment. This is especially important if you have created any custom modules or have [modified any of the ALZ Bicep modules](#incorporating-modified-alz-modules) that may have dependencies on the modules that are being upgraded.
1. Prior to upgrading, read the release notes for the version you are upgrading to. The release notes will provide you with information on any breaking changes that may impact your deployment. This is especially important if you have created any custom modules or have [modified any of the ALZ Bicep modules](#incorporating-modified-alz-modules) that may have dependencies on the modules that are being upgraded.
1. Using the ALZ PowerShell Module, you can update to the latest or a specified version. You must specifiy the same IaC, Bootstrap and Output directory that you used when you initially deployed the ALZ Bicep Accelerator.
Here is an example of using the cmdlet to upgrade to the latest version:
```powershell
Deploy-Accelerator -i "bicep" -b "alz_github" -o "C:\Repos\ALZ\accelerator"
Deploy-Accelerator -i "bicep" -b "alz_github" -o "C:\Repos\ALZ\accelerator" -bicepLegacyMode $true
```
Here is an example of using the to upgrade to version v0.17.2:
```powershell
Deploy-Accelerator -i "bicep" -b "alz_github" -v "v0.17.2" -o "C:\Repos\ALZ\accelerator"
Deploy-Accelerator -i "bicep" -b "alz_github" -v "v0.17.2" -o "C:\Repos\ALZ\accelerator" -bicepLegacyMode $true
```
You will be prompted for inputs again and the upgrade will be run for you.

1
infra-as-code/bicep/modules/README.md
Просмотреть файл

@ -12,7 +12,6 @@ To get started with ALZ Bicep, please refer to the [Deployment Flow wiki page][w
2. High-level deployment flow.
3. Links to more detailed instructions on individual modules.
[//]: # (************************)
[//]: # (INSERT LINK LABELS BELOW)
[//]: # (************************)

8
version.json
Просмотреть файл

@ -1,6 +1,6 @@
{
"version": "0.18.0",
"gitTag": "v0.18.0",
"releaseNotes": "https://github.com/Azure/ALZ-Bicep/releases/tag/v0.18.0",
"releaseDateTimeUTC": "20240709T0222079056Z"
"version": "0.19.0",
"gitTag": "v0.19.0",
"releaseNotes": "https://github.com/Azure/ALZ-Bicep/releases/tag/v0.19.0",
"releaseDateTimeUTC": "20240713T1000000000Z"
}