зеркало из https://github.com/Azure/AVDBlueprint.git
formatting updates
This commit is contained in:
Dennis Payne
Родитель
479f57fae5
Коммит
7810dd0c35
113
README.md
113
README.md
|
|
@ -10,66 +10,68 @@ Azure Blueprints utilize ["artifacts"](https://docs.microsoft.com/en-us/azure/go
|
|||
* Resource Groups
|
||||
|
||||
The WVD Blueprints are meant to deploy an entire environment, including Azure Active Directory Domain Services (AAD DS), a management virtual machine (VM), networking, WVD infrastructure, and related resources, in a turn-key fashion. The following is a guide to help accomplish customizing to your environment.
|
||||
|
||||
## Recommended Reading
|
||||
1) [Azure Blueprints] (https://docs.microsoft.com/en-us/azure/governance/blueprints/overview)
|
||||
2) [Windows Virtual Desktop] (https://docs.microsoft.com/en-us/azure/virtual-desktop/)
|
||||
|
||||
1) [Azure Blueprints] (<https://docs.microsoft.com/en-us/azure/governance/blueprints/overview>)
|
||||
2) [Windows Virtual Desktop] (<https://docs.microsoft.com/en-us/azure/virtual-desktop/>)
|
||||
|
||||
## Prerequisites
|
||||
1. Two “identities” are required to successfully assign (deploy) the Azure WVD Blueprints:
|
||||
- An [Azure Global Administrator](https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).
|
||||
## Prerequisites
|
||||
|
||||
1. Two “identities” are required to successfully assign (deploy) the Azure WVD Blueprints:
|
||||
* An [Azure Global Administrator](https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference).
|
||||
> The Azure Global Administrator is a person that has complete permission to an Azure subscription. This is required because modifications will be made at the directory and subscription levels.
|
||||
|
||||
- An [Azure Managed Identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
|
||||
* An [Azure Managed Identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
|
||||
> The Azure Managed Identity exists within Azure and can securely store and retrieve credentials from Azure Key Vault during the deployment.
|
||||
|
||||
2. An [Azure subscription](https://azure.microsoft.com/en-us/free/) with sufficient credits to deploy the environment, and keep it running at the desired levels.
|
||||
2. An [Azure subscription](https://azure.microsoft.com/en-us/free/) with sufficient credits to deploy the environment, and keep it running at the desired levels.
|
||||
|
||||
3. A development environment can be used to help work with the Blueprint code, as well as [“import”](https://docs.microsoft.com/en-us/azure/governance/blueprints/how-to/import-export-ps) and [“assign”](https://docs.microsoft.com/en-us/azure/governance/blueprints/how-to/manage-assignments-ps) the Blueprints.
|
||||
3. A development environment can be used to help work with the Blueprint code, as well as [“import”](https://docs.microsoft.com/en-us/azure/governance/blueprints/how-to/import-export-ps) and [“assign”](https://docs.microsoft.com/en-us/azure/governance/blueprints/how-to/manage-assignments-ps) the Blueprints.
|
||||
PowerShell can be utilized with the [Az.Blueprint module](https://docs.microsoft.com/en-us/azure/governance/blueprints/how-to/manage-assignments-ps#add-the-azblueprint-module) for PowerShell.
|
||||
|
||||
If you've not used Azure Blueprints before, register the resource provider through Azure PowerShell with this PowerShell command:
|
||||
|
||||
`Register-AzResourceProvider -ProviderNamespace Microsoft.Blueprint`
|
||||
|
||||
4. Open an instance of PowerShell, connect to your Azure account, then register the Azure AD provider to your account (if not already registered):
|
||||
4. Open an instance of PowerShell, connect to your Azure account, then register the Azure AD provider to your account (if not already registered):
|
||||
|
||||
- `Connect-AzAccount`
|
||||
- `Register-AzResourceProvider -ProviderNamespace Microsoft.AAD`
|
||||
* `Connect-AzAccount`
|
||||
* `Register-AzResourceProvider -ProviderNamespace Microsoft.AAD`
|
||||
|
||||
5. Create the Domain Controller Services service principal (if it does not already exist), with this PowerShell command
|
||||
5. Create the Domain Controller Services service principal (if it does not already exist), with this PowerShell command
|
||||
|
||||
`New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"`
|
||||
|
||||
(more info on this topic) https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
|
||||
(more info on this topic) <https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal>
|
||||
|
||||
6. Create a user-assigned managed identity within Azure, which will later be used to execute the blueprint. Note that in the case of “greenfield” deployments, the level of assignment will need to be the Azure subscription. The Blueprint creates objects at the subscription level during the blueprint deployment.
|
||||
6. Create a user-assigned managed identity within Azure, which will later be used to execute the blueprint. Note that in the case of “greenfield” deployments, the level of assignment will need to be the Azure subscription. The Blueprint creates objects at the subscription level during the blueprint deployment.
|
||||
|
||||
- Create an Azure security group (example: ‘Blueprint Operators’)
|
||||
- Add the managed identity to the Azure security group created in the previous step
|
||||
- Assign permissions to the group, to allow members to create objects at the subscription level
|
||||
- At the subscription level, assign roles to the group previously created, by going to the following location in the Azure Portal
|
||||
* Create an Azure security group (example: ‘Blueprint Operators’)
|
||||
* Add the managed identity to the Azure security group created in the previous step
|
||||
* Assign permissions to the group, to allow members to create objects at the subscription level
|
||||
* At the subscription level, assign roles to the group previously created, by going to the following location in the Azure Portal
|
||||
> **Azure Portal** -> **Home** -> **Subscriptions** -> (***your subscription***) -> **Access Control (IAM)**
|
||||
|
||||
7. Click **Add Role Assignments**, then add the following role assignments to the group you created earlier (step 6):
|
||||
7. Click **Add Role Assignments**, then add the following role assignments to the group you created earlier (step 6):
|
||||
|
||||
- [Blueprint Contributor](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#blueprint-contributor)
|
||||
- [Blueprint Operator](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#blueprint-operator)
|
||||
- [Managed Identity Operator](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#managed-identity-operator)
|
||||
|
||||
8. The managed identity must be assigned the **Owner** role at the subscription level. The reason is that the managed identity needs full access during the deployment, for example to initiate the creation of an instance of Azure AD DS.
|
||||
* [Blueprint Contributor](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#blueprint-contributor)
|
||||
* [Blueprint Operator](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#blueprint-operator)
|
||||
* [Managed Identity Operator](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#managed-identity-operator)
|
||||
|
||||
8. The managed identity must be assigned the **Owner** role at the subscription level. The reason is that the managed identity needs full access during the deployment, for example to initiate the creation of an instance of Azure AD DS.
|
||||
|
||||
**MORE INFO:** https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/add-change-subscription-administrator
|
||||
|
||||
9. Add the managed identity to the Global Administrators group in Azure AD. The managed identity is going to be initiating the creation of users and virtual machines during the blueprint process.
|
||||
9. Add the managed identity to the Global Administrators group in Azure AD. The managed identity is going to be initiating the creation of users and virtual machines during the blueprint process.
|
||||
|
||||
**MORE INFO:** https://docs.microsoft.com/en-us/azure/governance/blueprints/how-to/configure-for-blueprint-operator
|
||||
|
||||
10. The Blueprint main file, and related artifact objects. These objects are publically available on Github.com. Once the Blueprint objects have been acquired, they need to be customized to each respective environment. The necessary customizations can be applied in a few different ways.
|
||||
10. The Blueprint main file, and related artifact objects. These objects are publically available on Github.com. Once the Blueprint objects have been acquired, they need to be customized to each respective environment. The necessary customizations can be applied in a few different ways.
|
||||
|
||||
- An "assignment" file can be customized with your Azure subscription, and related details. A sample assignment file (assign_default.json) is included with this Blueprint.
|
||||
- Code can be created to stand up an interface, that could be used to receive the specific information, and then pass that information to the Blueprint, as well as initiate the Blueprint assigment. The following table contains the environment specific information needed to assign (deploy) the Blueprint to each respective environment.
|
||||
- Copy the assignment file to the 'Deploy/' folder, which has an entry in the .Gitignore file. Files you customize in the 'Deploy' folder will not be included with subsequent pull requests.
|
||||
* An "assignment" file can be customized with your Azure subscription, and related details. A sample assignment file (assign_default.json) is included with this Blueprint.
|
||||
* Code can be created to stand up an interface, that could be used to receive the specific information, and then pass that information to the Blueprint, as well as initiate the Blueprint assigment. The following table contains the environment specific information needed to assign (deploy) the Blueprint to each respective environment.
|
||||
* Copy the assignment file to the 'Deploy/' folder, which has an entry in the .Gitignore file. Files you customize in the 'Deploy' folder will not be included with subsequent pull requests.
|
||||
|
||||
| Type | Object | Purpose |
|
||||
|-|-|-|
|
||||
|
|
@ -95,25 +97,33 @@ With the basic objects in place, a few updates will prepare the Blueprint for As
|
|||
* (optional) Blueprint.json
|
||||
|
||||
### Editing 'assign_default.json' file
|
||||
|
||||
The **'assign_default.json'** file is used to pass certain values to the Blueprint at assignment time, such as Azure subscription ID, managed identity name, and more. This file is in Javascript Notation (JSON) format, so is easily editable in a variety of methods.
|
||||
Some values will require a concatentation of values. The following are values that require a "path" value in Azure:
|
||||
|
||||
```<language>
|
||||
```json
|
||||
userAssignedIdentities
|
||||
```
|
||||
> "/subscriptions/[**YOUR AZURE SUBSCRIPTION ID**]/resourceGroups/[**YOUR AZURE RESOURCE GROUP**]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[**YOUR MANAGED IDENTITY NAME]**"
|
||||
```<language>
|
||||
|
||||
> "/subscriptions/[**YOUR AZURE SUBSCRIPTION ID**]/resourceGroups/[**YOUR AZURE RESOURCE GROUP**]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[**YOUR MANAGED IDENTITY NAME]**"
|
||||
|
||||
```json
|
||||
blueprintID
|
||||
```
|
||||
> "/subscriptions/[**YOUR AZURE SUBSCRIPTION ID**]/providers/Microsoft.Blueprint/blueprints/[**YOUR BLUEPRINT NAME**]"
|
||||
```<language>
|
||||
|
||||
> "/subscriptions/[**YOUR AZURE SUBSCRIPTION ID**]/providers/Microsoft.Blueprint/blueprints/[**YOUR BLUEPRINT NAME**]"
|
||||
|
||||
```json
|
||||
scope
|
||||
```
|
||||
> "/subscriptions/[**YOUR AZURE SUBSCRIPTION ID**]"
|
||||
```<language>
|
||||
|
||||
> "/subscriptions/[**YOUR AZURE SUBSCRIPTION ID**]"
|
||||
|
||||
```json
|
||||
script_executionUserResourceID
|
||||
```
|
||||
> "/subscriptions/[**YOUR AZURE SUBSCRIPTION ID**]/resourceGroups/[**YOUR AZURE RESOURCE GROUP**]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[**YOUR MANAGED IDENTITY NAME]"
|
||||
|
||||
> "/subscriptions/[**YOUR AZURE SUBSCRIPTION ID**]/resourceGroups/[**YOUR AZURE RESOURCE GROUP**]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[**YOUR MANAGED IDENTITY NAME]"
|
||||
|
||||
The following values are needed to customize the **'assign_default.json'** file to respective environments:
|
||||
|
||||
|
|
@ -132,6 +142,7 @@ The following values are needed to customize the **'assign_default.json'** file
|
|||
|**Location**|ex. '**eastus**'|The geographic region that Azure Resoource Group will be created in|
|
||||
|
||||
### Editing 'run.config.json'
|
||||
|
||||
The file 'run.config.json' in the 'Scripts' folder, contains several values that are passed in to the Blueprint. The values must be edited to the specific values for your environment.
|
||||
|
||||
| Parameter | Value | Purpose |
|
||||
|
|
@ -142,9 +153,10 @@ The file 'run.config.json' in the 'Scripts' folder, contains several values that
|
|||
|**assignmentFile**|ex. **C:\\Code\\WVDBP\\AZBluePrints-WVD\\Assignments\\assign_default.json"**|The local folder on the device where the Blueprint objects are stored' value|
|
||||
|
||||
## Import, Publish and Assign the Blueprint
|
||||
1. Import the Blueprint - https://docs.microsoft.com/en-us/azure/governance/blueprints/how-to/import-export-ps\
|
||||
2. Publish the Blueprint - https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal
|
||||
3. Assign the Blueprint - https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal
|
||||
|
||||
1. Import the Blueprint - <https://docs.microsoft.com/en-us/azure/governance/blueprints/how-to/import-export-ps>\
|
||||
2. Publish the Blueprint - <https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal>
|
||||
3. Assign the Blueprint - <https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-portal>
|
||||
|
||||
## Teardown
|
||||
|
||||
|
|
@ -157,12 +169,12 @@ The script finds and removes the following items that were previously deployed v
|
|||
* 'WVD Users' group itself
|
||||
* 'AAD DC Admins' group
|
||||
|
||||
>[!NOTE]
|
||||
Use of `-verbose`, `-whatif` or `-comfirm` ARE supported. Also, the script will create one Powershell Job for each Resource Group being removed. Teardowns typically take quite some time, so this will allow you to return to prompt and keep working while the job runs in the background.
|
||||
|
||||
**Example:**
|
||||
|
||||
```powershell
|
||||
|
||||
#Exports logs of a WVD Blueprint deployment that used the prefix "ABC" followed by a removal:
|
||||
.\Remove-AzWvdBpDeployment.ps1 -Verbose -Prefix "ABC" -LogPath "C:\projects"
|
||||
|
||||
|
|
@ -172,24 +184,25 @@ help .\Remove-AzWvdBpDeployment.ps1
|
|||
|
||||
## Tips
|
||||
|
||||
- [Visual Studio Code](https://code.visualstudio.com/) is a Microsoft provided suite available for editing, importing, and assigning the Blueprints. If using VS Code, the following extensions will greatly assist the efforts:|
|
||||
|
||||
- Azure Resource Manager Tools
|
||||
- XML Formatter
|
||||
- PowerShell extension (so that all work can be performed within one tool)
|
||||
* [Visual Studio Code](https://code.visualstudio.com/) is a Microsoft provided suite available for editing, importing, and assigning the Blueprints. If using VS Code, the following extensions will greatly assist the efforts:|
|
||||
|
||||
* Azure Resource Manager Tools
|
||||
* XML Formatter
|
||||
* PowerShell extension (so that all work can be performed within one tool)
|
||||
|
||||
There may be other extensions available that perform the same functionality
|
||||
|
||||
- To store scripts and any other objects needed during Blueprint assignment on Internet connected assigments, a publically web location can be used to store scripts and other objects needed during Blueprint assigment.
|
||||
* To store scripts and any other objects needed during Blueprint assignment on Internet connected assigments, a publically web location can be used to store scripts and other objects needed during Blueprint assigment.
|
||||
[Azure Storage Blob](https://azure.microsoft.com/en-us/services/storage/blobs/) is one possible method to make the scripts and other objects available.
|
||||
Whatever method chosed, the access method should be "public" and "anonymous" read-only access.
|
||||
|
||||
- If you need to delete a deployment with the intent of starting over with a new deployment, you will need to change the "Deployment Prefix" value in the "assign_default.json" file.
|
||||
* If you need to delete a deployment with the intent of starting over with a new deployment, you will need to change the "Deployment Prefix" value in the "assign_default.json" file.
|
||||
This file is used to prefix most of the Azure resources created during the deployment, including an [Key Vault](https://azure.microsoft.com/en-us/services/key-vault/) object.
|
||||
Azure Key Vault is used to store and retrieve cryptogrphic keys used by cloud apps and services, and as such is treated with great care in Azure.
|
||||
Azure Key Vault is used to store and retrieve cryptogrphic keys used by cloud apps and services, and as such is treated with great care in Azure.
|
||||
When an Azure Key Vault is deleted, it transitions to a "soft delete" state for a period of time, before actually being deleted.
|
||||
While an Azure Key Vault is in soft delete state, another key vault cannot be created with the same name. Therefore, if you do not change your
|
||||
Resource Prefix value for subsequent deployments, the subsequent deployments will fail with an error referencing Key Vault name.
|
||||
|
||||
## Trademarks
|
||||
Trademarks This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general) . Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.
|
||||
|
||||
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general) . Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.
|
||||
|
|
|
|||
18
SECURITY.md
18
SECURITY.md
|
|
@ -1,6 +1,6 @@
|
|||
<!-- BEGIN MICROSOFT SECURITY.MD V0.0.4 BLOCK -->
|
||||
|
||||
## Security
|
||||
# Security
|
||||
|
||||
Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
|
||||
|
||||
|
|
@ -14,17 +14,17 @@ Instead, please report them to the Microsoft Security Response Center (MSRC) at
|
|||
|
||||
If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://www.microsoft.com/en-us/msrc/pgp-key-msrc).
|
||||
|
||||
You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).
|
||||
You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).
|
||||
|
||||
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
|
||||
|
||||
* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
|
||||
* Full paths of source file(s) related to the manifestation of the issue
|
||||
* The location of the affected source code (tag/branch/commit or direct URL)
|
||||
* Any special configuration required to reproduce the issue
|
||||
* Step-by-step instructions to reproduce the issue
|
||||
* Proof-of-concept or exploit code (if possible)
|
||||
* Impact of the issue, including how an attacker might exploit the issue
|
||||
* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
|
||||
* Full paths of source file(s) related to the manifestation of the issue
|
||||
* The location of the affected source code (tag/branch/commit or direct URL)
|
||||
* Any special configuration required to reproduce the issue
|
||||
* Step-by-step instructions to reproduce the issue
|
||||
* Proof-of-concept or exploit code (if possible)
|
||||
* Impact of the issue, including how an attacker might exploit the issue
|
||||
|
||||
This information will help us triage your report more quickly.
|
||||
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче