From 0f41688922c3c477529f6aecd550d0201edc2658 Mon Sep 17 00:00:00 2001 From: Matthew Ross Date: Wed, 26 Oct 2022 07:26:22 -0500 Subject: [PATCH] Corrected Image, Re-wrote example in BASH --- .../enclave-scca-hub3spoke-aks/readme.md | 99 +++++++++++++------ 1 file changed, 68 insertions(+), 31 deletions(-) diff --git a/src/bicep/enclaves/enclave-scca-hub3spoke-aks/readme.md b/src/bicep/enclaves/enclave-scca-hub3spoke-aks/readme.md index c6df6d2..9fe0c07 100644 --- a/src/bicep/enclaves/enclave-scca-hub3spoke-aks/readme.md +++ b/src/bicep/enclaves/enclave-scca-hub3spoke-aks/readme.md 
@@ -10,25 +10,25 @@ Read on to understand what this enclave does, and when you're ready, collect all ## Architecture - ![Enclave Hub/Spoke landing zone with a Azure Kubernetes Service Architecture](../enclave-scca-hubspoke-aks/media/hub-1spoke-aks-network-topology-architecture.jpg) + ![Enclave Hub/Spoke landing zone with a Azure Kubernetes Service Architecture](../enclave-scca-hub3spoke-aks/media/hub-1spoke-aks-network-topology-architecture.jpg) ## About Hub 3 Spoke Landing Zone with Azure Kubernetes Service - Private Cluster Workload -The docs on Hub/Spoke Landing Zone: . +Documentation on Hub/Spoke Landing Zone: . -The docs on Azure Kubernetes Service: . +Documentation on Azure Kubernetes Service: . -This Enclave uses the [Azure Kubernetes Service - Cluster workload](../../../bicep/workloads/wl-aks-spoke/readme.md) to deploy resources into [Platform Hub 3 Spoke Network](../../../bicep/platforms/lz-platform-scca-hub-3spoke/readme.md). +This enclave uses the [Azure Kubernetes Service - Cluster workload](../../../bicep/workloads/wl-aks-spoke/readme.md) to deploy resources into a [Platform Hub 3 Spoke Network](../../../bicep/platforms/lz-platform-scca-hub-3spoke/readme.md). -## Pre-requisites +## Pre-Requisites ### Subscriptions -Most customers will deploy each tier to a separate Azure subscription, but multiple subscriptions are not required. A single subscription deployment is good for a testing and evaluation, or possibly a small IT Admin team. +Most customers will deploy each tier to a separate Azure subscription; however, multiple subscriptions are not required. A single subscription deployment can be used for a testing and evaluation, or possibly a small I.T. administration team. ### Operational Network Artifacts -If needed, The Operational Network Artifacts are used when operations wants to seperate all key, secrets and operations storage from the hub/spoke model. 
+If needed, The Operational Network Artifacts are used when operations wants to seperate all keys, secrets and operations storage from the hub/spoke model. ### Management Groups @@ -37,7 +37,8 @@ The Enclave Management Groups ovlerlay module deploys a management group hierarc Azure NoOps Accelerator recommends the following Management Group structure. This structure can be customized based on your organization's requirements. * Workloads will be split by 2 groups of archtypes (INTERNAL, PARTNERS). -* Sandbox management group is used for any new subscriptions that will be created. This will remove the subscription sprawl from the Root Tenant Group and will pull all subscriptions into the security compliance. + +* The Sandbox management group is used for any new subscriptions that will be created. This will remove the subscription sprawl from the Root Tenant Group and will pull all subscriptions into the security compliance. The hierarchy created by the deployment ([Azure Parameters template located in "management-groups/parameters" folder](../../overlays/management-groups/parameters/deploy.parameters.json)) is: 
@@ -52,32 +53,67 @@ The hierarchy created by the deployment ([Azure Parameters template located in " via Bash ```bash -# For Azure Commerical regions +# **************************************** +# For AZURE COMMERCIAL +# **************************************** -#sign into AZ CLI, this will redirect you to a web browser for authentication, if required +# Set the active cloud +az cloud set --name 'AzureCloud' + +# Set a subscription to be the current active subscription +subscriptionId="[your platform management subscription ID]" +az account set --subscription $subscriptionId + +# Log in to Azure. +# By default, this command logs in with a user account. CLI will try to launch a web browser to log in interactively. If a web browser is not available, CLI will fall back to device code login. To login with a service principal, specify --service-principal. az login -cd src/bicep/overlays -cd management-groups -az deployment mg create \ - --template-file overlays/management-groups/deploy.bicep \ - --parameters @overlays/management-groups/deploy.parameters.json \ - --location 'eastus' + +# Capture your Tenant ID +tenantId=$(az account show --query 'tenantId' --output tsv) + +# Navigate to the Management Groups structure +cd src/bicep/overlays/management-groups + +# Deploy Management Groups +az deployment mg create +--name 'deploy-enclave-mg' +--template-file 'deploy.bicep' +--parameters '@parameters/deploy.parameters.json' +--management-group-id $tenantId +--location 'eastus' +--only-show-errors ``` ```bash -# For Azure Government regions +# **************************************** +# For AZURE GOVERNMENT +# **************************************** -# change Azure Clouds -az cloud set --name AzureUSGovernment +# Set the active cloud +az cloud set --name 'AzureUSGovernment' -#sign into AZ CLI, this will redirect you to a web browser for authentication, if required +# Set a subscription to be the current active subscription +subscriptionId="[your platform management 
subscription ID]" +az account set --subscription $subscriptionId + +# Log in to Azure. +# By default, this command logs in with a user account. CLI will try to launch a web browser to log in interactively. If a web browser is not available, CLI will fall back to device code login. To login with a service principal, specify --service-principal. az login -cd src/bicep/overlays -cd management-groups -az deployment mg create \ - --template-file overlays/management-groups/deploy.bicep \ - --parameters @overlays/management-groups/deploy.parameters.json \ - --location 'usgovvirginia' + +# Capture your Tenant ID +tenantId=$(az account show --query 'tenantId' --output tsv) + +# Navigate to the Management Groups structure +cd src/bicep/overlays/management-groups + +# Deploy Management Groups +az deployment mg create +--name 'deploy-enclave-mg' +--template-file 'deploy.bicep' +--parameters '@parameters/deploy.parameters.json' +--management-group-id $tenantId +--location 'usgovvirginia' +--only-show-errors ``` @@ -88,7 +124,12 @@ az deployment mg create \ via Powershell ```powershell -# For Azure Commerical regions +# **************************************** +# For AZURE COMMERCIAL +# **************************************** + +# Set the active cloud +az cloud set --name 'AzureCloud' #sign in to Azure from Powershell, this will redirect you to a web browser for authentication, if required Connect-AzAccount 
@@ -424,10 +465,6 @@ New-AzSubscriptionDeployment ` -Location 'usgovvirginia' ``` -## Extending the Overlay - -By default, this overlay has the minium parmeters needed to deploy the service. If you like to add addtional parmeters to the service, please refer to the module description located in AzResources here: [`App Service Plans `[Microsoft.Web/serverfarms]`](D:\source\repos\NoOpsAccelerator\src\bicep\azresources\Modules\Microsoft.Web\serverfarms\readme.md) - ## Air-Gapped Clouds For air-gapped clouds it may be convenient to transfer and deploy the compiled ARM template instead of the Bicep template if the Bicep CLI tools are not available or if it is desirable to transfer only one file into the air gap.
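Review bot: In the `@@ -10,25 +10,25 @@` hunk the corrected image link now points into `../enclave-scca-hub3spoke-aks/media/` but still names the file `hub-1spoke-aks-network-topology-architecture.jpg`; please confirm that file exists at the new path and that the diagram actually shows the three-spoke topology this readme describes, otherwise the link was moved but the picture still renders the one-spoke design. The same hunk also carries the typo "seperate" and the phrase "used for a testing and evaluation" into the `+` lines; since these lines are being rewritten anyway, fix them to "separate" and "used for testing and evaluation".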
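Review bot: In the `@@ -37,7 +37,8 @@` hunk the added blank line between the two `*` items turns the bullet list into a loose list, which renders with extra spacing compared with the other lists in this readme; drop the blank line unless the spacing is intended. The surrounding context lines still read "ovlerlay module" and "archtypes"; as this paragraph is already being touched, correcting them to "overlay module" and "archetypes" in the same change would be cheap.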
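Review bot: In the `@@ -52,32 +53,67 @@` hunk the rewritten `az deployment mg create` invocation (both the AzureCloud and AzureUSGovernment blocks) drops the trailing `\` continuations that the removed lines had, so Bash runs `az deployment mg create` with no arguments and then tries to execute `--name 'deploy-enclave-mg'`, `--template-file 'deploy.bicep'` and the remaining options as separate commands; restore the `\` at the end of every line except the last. Ordering is also wrong: `az account set --subscription $subscriptionId` runs before `az login`, which fails when no cached session exists, so move the subscription selection after the login. Finally, `--management-group-id $tenantId` targets the Tenant Root Group; a deployment at that scope needs an RBAC assignment at the root management group (for a Global Administrator this means elevating access first), which is worth stating in the pre-requisites since the previous version did not deploy there.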
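Review bot: In the `@@ -88,7 +124,12 @@` hunk the added `az cloud set --name 'AzureCloud'` has no effect on the PowerShell flow that follows: the block authenticates with `Connect-AzAccount` (Az PowerShell module), while `az cloud set` only changes the Azure CLI context. Either remove the line or replace it with `Connect-AzAccount -Environment AzureCloud` here and `Connect-AzAccount -Environment AzureUSGovernment` in the Government block, which is the Az PowerShell way to select the cloud.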
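Review bot: In the `@@ -424,10 +465,6 @@` hunk, removing the "Extending the Overlay" section is the right call, since its link was an absolute `D:\source\repos\...` Windows path and pointed at the App Service Plans module, which is unrelated to this AKS enclave. If guidance on adding parameters is still wanted, reinstate the section with a relative link to the AKS workload readme already referenced earlier in this file (`../../../bicep/workloads/wl-aks-spoke/readme.md`) rather than a local path.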