Powershell deployment script for archetypes (#273)

Support for deploying subscriptions

config/variables/CanadaESLZ-main.yml

@@ -21,6 +21,7 @@
 #         currently executing pipeline.
 
 variables:
+  deploymentRegion: canadacentral
 
   # Management Groups
   var-managementgroup-hierarchy: >

scripts/deployments/E2E.ps1

@@ -1,5 +1,20 @@
+<#
+----------------------------------------------------------------------------------
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT license.
+
+THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+----------------------------------------------------------------------------------
+#>
+
 #Requires -Modules Az, powershell-yaml
 
+# In order to use this End to End script, you must configure ARM template configurations for Logging, Networking and Subscriptions.
+# Please follow the instructions on https://github.com/Azure/CanadaPubSecALZ/blob/main/docs/onboarding/azure-devops-pipelines.md
+# to setup the configuration files.  Once the configuration files are setup, you can choose to run this script or use Azure DevOps.
+
 . ".\Functions\EnvironmentContext.ps1"
 . ".\Functions\ManagementGroups.ps1"
 . ".\Functions\Roles.ps1"
@@ -9,13 +24,16 @@
 . ".\Functions\HubNetworkWithAzureFirewall.ps1"
 . ".\Functions\Subscriptions.ps1"
 
+# Set the environment name which is used to locate configuration files stored within the /config directory 
 $EnvironmentName = "CanadaESLZ-main"
-$WorkingDirectory = Resolve-Path "../.."
 
 # Replace the Tenant ID with the GUID for your Azure Active Directory instance.
 # It can be found through https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
 $AzureADTenantId = "343ddfdb-bef5-46d9-99cf-ed67d5948783"
 
+# Set the working directory.  It should point the root of this project.
+$WorkingDirectory = Resolve-Path "../.."
+
 $Features = @{
   # Prompt to login to Azure AD and set the context for Azure deployments
   PromptForLogin = $false
@@ -37,6 +55,9 @@ $Features = @{
 
   # Hub Networking - With Azure Firewall
   DeployHubNetworkWithAzureFirewall = $false
+
+  # Subscriptions
+  DeploySubscriptions = $false
 }
 
 Write-Output "Features configured for deployment:"
@@ -125,13 +146,13 @@ if ($Features.DeployHubNetworkWithNVA) {
     -ConfigurationFilePath "$($Context.LoggingDirectory)/$($Context.Variables['var-logging-configurationFileName'])" `
     -SubscriptionId $Context.Variables['var-logging-subscriptionId']
 
-    Set-HubNetwork-With-NVA `
-      -Context $Context `
-      -Region $Context.Variables['var-hubnetwork-region'] `
-      -ManagementGroupId $Context.Variables['var-hubnetwork-managementGroupId'] `
-      -SubscriptionId $Context.Variables['var-hubnetwork-subscriptionId'] `
-      -ConfigurationFilePath "$($Context.NetworkingDirectory)/$($Context.Variables['var-hubnetwork-nva-configurationFileName'])" `
-      -LogAnalyticsWorkspaceResourceId $LoggingConfiguration.LogAnalyticsWorkspaceResourceId
+  Set-HubNetwork-With-NVA `
+    -Context $Context `
+    -Region $Context.Variables['var-hubnetwork-region'] `
+    -ManagementGroupId $Context.Variables['var-hubnetwork-managementGroupId'] `
+    -SubscriptionId $Context.Variables['var-hubnetwork-subscriptionId'] `
+    -ConfigurationFilePath "$($Context.NetworkingDirectory)/$($Context.Variables['var-hubnetwork-nva-configurationFileName'])" `
+    -LogAnalyticsWorkspaceResourceId $LoggingConfiguration.LogAnalyticsWorkspaceResourceId
 }
 
 # Hub Networking with Azure Firewall
@@ -163,12 +184,18 @@ if ($Features.DeployHubNetworkWithAzureFirewall) {
     -LogAnalyticsWorkspaceResourceId $LoggingConfiguration.LogAnalyticsWorkspaceResourceId
 }
 
-<#
+# Deploy Subscription archetypes
+if ($Features.DeploySubscriptions) {
+  # Get Logging information using logging config file
+  $LoggingConfiguration = Get-LoggingConfiguration `
+    -ConfigurationFilePath "$($Context.LoggingDirectory)/$($Context.Variables['var-logging-configurationFileName'])" `
+    -SubscriptionId $Context.Variables['var-logging-subscriptionId']
 
-# Subscriptions
-Set-Subscriptions `
-  -Region "canadacentral" `
-  -SubscriptionIds $("4f9", "ec6") `
-  -LogAnalyticsWorkspaceResourceId $LoggingConfiguration.LogAnalyticsWorkspaceResourceId
-
-#>
+  # Deploy archetypes
+  # Replace subscription id example below with your subscription ids
+  Set-Subscriptions `
+    -Context $Context `
+    -Region "canadacentral" `
+    -SubscriptionIds $("4f9f8765-911a-4a6d-af60-4bc0473268c0") `
+    -LogAnalyticsWorkspaceResourceId $LoggingConfiguration.LogAnalyticsWorkspaceResourceId
+}

scripts/deployments/Functions/EnvironmentContext.ps1

@@ -1,3 +1,14 @@
+<#
+----------------------------------------------------------------------------------
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT license.
+
+THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+----------------------------------------------------------------------------------
+#>
+
 #Requires -Modules powershell-yaml
  
 Import-Module powershell-yaml
@@ -35,6 +46,7 @@ function New-EnvironmentContext {
       
     LoggingDirectory = "$WorkingDirectory/config/logging/$Environment"
     NetworkingDirectory = "$WorkingDirectory/config/networking/$Environment"
+    SubscriptionsDirectory = "$WorkingDirectory/config/subscriptions/$Environment"
   
     Variables = $Variables
     ManagementGroupHierarchy = $ManagementGroupHierarchy
@@ -42,7 +54,7 @@ function New-EnvironmentContext {
     # Identify the top level management group (the first child underneath Tenant Root Group)
     TopLevelManagementGroupId = $ManagementGroupHierarchy.children[0].id
 
-    # TODO:  Retrieve from common.yml
-    DeploymentRegion = "canadacentral"
+    # Retreive default deployment region
+    DeploymentRegion = $Variables['deploymentRegion']
   }
 }

scripts/deployments/Functions/HubNetworkWithAzureFirewall.ps1

@@ -1,3 +1,14 @@
+<#
+----------------------------------------------------------------------------------
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT license.
+
+THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+----------------------------------------------------------------------------------
+#>
+
 function Get-AzureFirewallPolicy {
   param (
     [Parameter(Mandatory = $true)]

scripts/deployments/Functions/HubNetworkWithNVA.ps1

@@ -1,3 +1,13 @@
+<#
+----------------------------------------------------------------------------------
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT license.
+
+THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+----------------------------------------------------------------------------------
+#>
 function Set-HubNetwork-With-NVA {
   param (
     [Parameter(Mandatory = $true)]

scripts/deployments/Functions/Logging.ps1

@@ -1,3 +1,14 @@
+<#
+----------------------------------------------------------------------------------
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT license.
+
+THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+----------------------------------------------------------------------------------
+#>
+
 function Get-LoggingConfiguration {
   param (
     [Parameter(Mandatory = $true)]

scripts/deployments/Functions/ManagementGroups.ps1

@@ -1,3 +1,14 @@
+<#
+----------------------------------------------------------------------------------
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT license.
+
+THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+----------------------------------------------------------------------------------
+#>
+
 function Set-ManagementGroups {
   param (
     [Parameter(Mandatory = $true)]

scripts/deployments/Functions/Policy.ps1

@@ -1,3 +1,14 @@
+<#
+----------------------------------------------------------------------------------
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT license.
+
+THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+----------------------------------------------------------------------------------
+#>
+
 function Set-Policy-Definitions {
   param(
     [Parameter(Mandatory = $true)]

scripts/deployments/Functions/Roles.ps1

@@ -1,3 +1,14 @@
+<#
+----------------------------------------------------------------------------------
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT license.
+
+THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+----------------------------------------------------------------------------------
+#>
+
 function Set-Roles {
   param (
     [Parameter(Mandatory = $true)]

scripts/deployments/Functions/Subscriptions.ps1

@@ -1,5 +1,19 @@
+<#
+----------------------------------------------------------------------------------
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT license.
+
+THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+----------------------------------------------------------------------------------
+#>
+
 function Set-Subscriptions {
   param (
+    [Parameter(Mandatory=$true)]
+    $Context,
+
     [Parameter(Mandatory = $true)]
     [String] $Region,
     
@@ -10,17 +24,79 @@ function Set-Subscriptions {
     [String] $LogAnalyticsWorkspaceResourceId
   )
 
-  foreach ($subscriptionId in $SubscriptionIds) {
-    Write-Output "Deploying Subscription: $subscriptionId"
+  foreach ($subscriptionId in $SubscriptionIds) {   
+    # Find the ARM JSON parameters, ensure there's only 1 parameters file for each subscription
+    $SubscriptonConfigurations = Get-ChildItem -Path $Context.SubscriptionsDirectory -Filter "*$subscriptionId*.json" -Recurse
 
-    # TODO: Find the ARM JSON parameters
+    if ($SubscriptonConfigurations.Count -eq 0) {
+      Write-Output "No Subscription JSON paramters files found in $($Context.SubscriptionsDirectory) for $subscriptionId"
+      continue
+    } elseif ($SubscriptonConfigurations.Count -gt 1) {
+      Write-Output "Multiple Subscription JSON paramters files found in $($Context.SubscriptionsDirectory) for $subscriptionId.  There must only be one."
+      continue
+    }
 
-    # TODO: Ensure there's only 1 parameters file for each subscription
+    $DirectoryName = $SubscriptonConfigurations[0].DirectoryName
+    $FilePath = $SubscriptonConfigurations[0].FullName
+    $FileName = $SubscriptonConfigurations[0].Name
 
-    # TODO: Parse the file name to determine archetype, region and subscription id
+    # Parse the file name to get subscription id, archetype and region (optional).
+    # If region is not available in the file name, the use the default region provided
+    $FileNameParts = ([System.IO.Path]::GetFileNameWithoutExtension($FilePath)) -Split "_"
+    $SubscriptionId = $FileNameParts[0]
+    $ArchetypeName = $FileNameParts[1]
+    $DeploymentRegion = $FileNameParts.Count -eq 3 ? $FileNameParts[2] : $Region
 
-    # TODO: Load subscription configuration and check if Log Analytics Workspace Id is provided.  Otherwise set it.
+    # Compute the management group id from the folder structure
+    $FilePathWithoutBaseDirectory = $DirectoryName -Replace $($Context.SubscriptionsDirectory), ""
+    $ManagementGroupId = $FilePathWithoutBaseDirectory -Replace [IO.Path]::DirectorySeparatorChar, ""
 
-    # TODO: Add Azure PS deployment command
+    Write-Output "Deploying Subscription: $SubscriptionId"
+    Write-Output "  - Management Group: $ManagementGroupId"
+    Write-Output "  - Archetype: $ArchetypeName"
+    Write-Output "  - Region: $DeploymentRegion"
+
+    $Configuration = Get-Content $FilePath | ConvertFrom-Json -Depth 100
+
+    #region Check if Log Analytics Workspace Id is provided.  Otherwise set it.
+    $LogAnalyticsWorkspaceResourceIdInFile = $Configuration.parameters | Get-Member -Name logAnalyticsWorkspaceResourceId
+  
+    if ($null -eq $LogAnalyticsWorkspaceResourceIdInFile -or $Configuration.parameters.logAnalyticsWorkspaceResourceId.value -eq "") {
+      $LogAnalyticsWorkspaceIdElement = @{
+        logAnalyticsWorkspaceResourceId = @{
+          value = $LogAnalyticsWorkspaceResourceId
+        }
+      }
+
+      $Configuration.parameters | Add-Member $LogAnalyticsWorkspaceIdElement -Force
+    }
+    #endregion
+
+    $PopulatedParametersFilePath = $DirectoryName + [IO.Path]::DirectorySeparatorChar + "populated-" + $FileName
+
+    Write-Output "Creating new file with runtime populated parameters: $PopulatedParametersFilePath"
+    $Configuration | ConvertTo-Json -Depth 100 | Set-Content $PopulatedParametersFilePath
+
+    Write-Output "Moving Subscription ($SubscriptionId) to Management Group ($ManagementGroupId)"
+    New-AzManagementGroupDeployment `
+      -ManagementGroupId $ManagementGroupId `
+      -Location $Context.DeploymentRegion `
+      -TemplateFile "$($Context.WorkingDirectory)/landingzones/utils/mg-move/move-subscription.bicep" `
+      -TemplateParameterObject @{
+        managementGroupId = $ManagementGroupId
+        subscriptionId = $SubscriptionId
+      }
+
+      Write-Output "Deploying $PopulatedParametersFilePath to $SubscriptionId in $Region"
+
+      Set-AzContext -Subscription $SubscriptionId
+      New-AzSubscriptionDeployment `
+        -Name "main-$DeploymentRegion" `
+        -Location $DeploymentRegion `
+        -TemplateFile "$($Context.WorkingDirectory)/landingzones/lz-$ArchetypeName/main.bicep" `
+        -TemplateParameterFile $PopulatedParametersFilePath `
+        -Verbose
+
+    Remove-Item $PopulatedParametersFilePath
   }
 }

scripts/deployments/Install-Prerequisites.ps1

@@ -1 +1,14 @@
+<#
+----------------------------------------------------------------------------------
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT license.
+
+THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 
+EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES 
+OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
+----------------------------------------------------------------------------------
+#>
+
+Install-Module Az -Repository PSGallery -Force 
 Install-Module powershell-yaml -Force
+