Azure
/
NoOpsAccelerator
зеркало из https://github.com/Azure/NoOpsAccelerator.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Update docs folder

This commit is contained in:
John Spinella 2023-01-05 16:21:01 -05:00
Родитель 6e4ec25265
Коммит 6469add7a9
46 изменённых файлов: 5642 добавлений и 3631 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

15
docs/wiki/NoOpsAccelerator-Contribution.md → docs/Contribution.md
Просмотреть файл

@ -1,7 +1,6 @@
# Contribution Guide
## Contribution scope for NoOps Accelerator
## Contribution scope for Azure NoOps Accelerator
The following is the scope of contributions to this repository:
@ -14,11 +13,11 @@ Primarily, the code contribution would be centered on Azure Policy definitions a
> This guidance supports the [Architecture](https://github.com/Azure/NoOpsAccelerator/docs/NoOpsAccelerator-Architecture.md) guidance, it is not a replacement.
The `NoOps Accelerator` repository (this repository) has been created to help guide DOD/Public Sector customers on building self-service infrastucture in their Azure environment. The reference implementation is a flexible foundation that enables users to develop/maintain an opinionated self-service infrastructure into an Azure AD Tenant utilizing [Bicep](https://aka.ms/bicep) as the Infrastructure-as-Code (IaC) tooling and language.
The `Azure NoOps Accelerator` repository (this repository) has been created to help guide DOD/Public Sector customers on building self-service infrastucture in their Azure environment. The reference implementation is a flexible foundation that enables users to develop/maintain an opinionated self-service infrastructure into an Azure AD Tenant utilizing [Bicep](https://aka.ms/bicep) as the Infrastructure-as-Code (IaC) tooling and language.
## Ways to Consume NoOps Accelerator
## Ways to Consume Azure NoOps Accelerator
There are various ways to consume the Bicep modules included in `NoOps Accelerator`.
There are various ways to consume the Bicep modules included in `Azure NoOps Accelerator`.
The options are:
@ -38,7 +37,7 @@ The options are:
## Recommended Learning
Before you start contributing to the NoOps Accelerator Bicep code, it is **highly recommended** that you complete the following Microsoft Learn paths, modules & courses:
Before you start contributing to the Azure NoOps Accelerator Bicep code, it is **highly recommended** that you complete the following Microsoft Learn paths, modules & courses:
### Bicep
@ -166,13 +165,13 @@ param parExampleResourceGroupNamePrefix string = 'TEST'
var varExampleResourceGroupName = 'rsg-${parExampleResourceGroupNamePrefix}' // Create name for the example resource group
// RESOURCE DEPLOYMENTS
// RESOURCE DEPLOYMENTS
resource resExampleResourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
name: varExampleResourceGroupName
location: 'uksouth' // Hardcoded as an example of commenting inside a resource
}
/*
/*
No modules being deployed in this example
*/

5
docs/wiki/Deploying-NoOps-Accelerator-CustomerUsage.md → docs/CustomerUsage.md
Просмотреть файл

@ -36,6 +36,5 @@ The following are the unique ID's (also known as PIDs) used in each of the modul
| managementGroups | 55a992b5-9ab1-4b3c-8c14-a9a3e5c1e0c2 |
| policy | 3b7f335c-5580-4035-bc75-c835c15402da |
| roleAssignments | 5dd6ad4b-bc45-4346-9189-7bc46477182a |
| hubSpoke - Orchestration | 50ad3b1a-f72c-4de4-8293-8a6399991beb |
| hubPeeredSpoke - Orchestration | 8ea6f19a-d698-4c00-9afb-5c92d4766fd2 |
| SubPlacementAll - Orchestration | bb800623-86ff-4ab4-8901-93c2b70967ae |
| hub1Spoke - Orchestration | 50ad3b1a-f72c-4de4-8293-8a6399991beb |
| hub3Spoke - Orchestration | 50ad3b1a-f72c-4de4-8293-8a6399991beb |

14
docs/wiki/FAQ.md → docs/FAQ.md
Просмотреть файл

@ -1,8 +1,8 @@
# NoOps Accelerator FAQ
# Azure NoOps Accelerator FAQ
This article answers frequently asked questions relating to NoOps Accelerator.
This article answers frequently asked questions relating to Azure NoOps Accelerator.
## How long does NoOps Accelerator reference implementation take to deploy?
## How long does Azure NoOps Accelerator reference implementation take to deploy?
Deployment time depends on the options you select during the reference implementation deployment. It varies from around five minutes to 40 minutes, depending on the options selected.
@ -11,9 +11,9 @@ For example:
- Reference implementation without any networking or connectivity options can take around five minutes to deploy.
- Reference implementation with the hub and spoke networking options, including Defender, Sentinel and Bastion, can take around 40 minutes to deploy.
## Why are there custom policy definitions as part of NoOps Accelerator reference implementation?
## Why are there custom policy definitions as part of Azure NoOps Accelerator Mission Enclave reference implementation?
## Why does the NoOps Accelerator reference implementation require permission at tenant root '/' scope?
## Why does the Azure NoOps Accelerator Mission Enclave reference implementation require permission at tenant root '/' scope?
Management group creation, subscription creation, and placing subscriptions into management groups are APIs that operate at the tenant root "`/`" scope.
@ -21,9 +21,9 @@ To establish the management group hierarchy and create subscriptions and place t
For more information about tenant-level deployments in Azure, see [Deploy resources to tenant](https://docs.microsoft.com/azure/azure-resource-manager/templates/deploy-to-tenant).
## If we already deployed Mission Landing Zone, do we have to delete everything and start again to use NoOps Accelerator?
## If we already deployed Mission Landing Zone, do we have to delete everything and start again to use Azure NoOps Accelerator?
If you used the Mission Landing Zone to deploy into your Azure tenant, see the guidance for the NoOps Accelerator infrastructure-as-code tooling you want to use.
If you used the Mission Landing Zone to deploy into your Azure tenant, see the guidance for the Azure NoOps Accelerator infrastructure-as-code tooling you want to use.
### Bicep

2
docs/wiki/NoOpsAccelerator-Known-Issues.md → docs/Known-Issues.md
Просмотреть файл

@ -1,4 +1,4 @@
# Reference Implementation - Known Issues
# Azure NoOps Accelerator - Known Issues
The list below summarizes the known issues currently being worked on by the NoOps Accelerator team.

14
docs/wiki/Deploying-NoOps-Accelerator-Pre-requisites.md → docs/Pre-requisites.md
Просмотреть файл

@ -1,6 +1,6 @@
# NoOps Accelerator Prerequisites
# Azure NoOps Accelerator Prerequisites
NoOps Accelerator can bootstrap an entire Azure tenant without any infrastructure dependencies, and the user must first have Owner permission on the tenant *root* before deploying.
Azure NoOps Accelerator can bootstrap an entire Azure tenant without any infrastructure dependencies, and the user must first have Owner permission on the tenant *root* before deploying.
*Note: Once you have completed the deployment, you can remove the Owner permission from the tenant root, as it will no longer be needed for any subsequent operations.*
@ -53,4 +53,12 @@ $user = Get-AzADUser -UserPrincipalName (Get-AzContext).Account
New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id
```
> Please note: sometimes it can take up to 15 minutes for permission to propagate at tenant root scope. It is highly recommended that you log out and log back in to refresh the token before you proceed with the deployment.*
> Please note: sometimes it can take up to 15 minutes for permission to propagate at tenant root scope. It is highly recommended that you log out and log back in to refresh the token before you proceed with the deployment.*
## Terraform
Terraform stores state information about the resources it creates locally. This state information is easily readable and contains secrets / passwords in clear text. A more secure way of handling this is to get Terraform to use an encrypted Azure Storage account to store the state information. This also means that the state persists, for example, if you get a new laptop.
For the Terraform state information, you therefore need to have pre-created an Azure Storage Account (blob) before running any of the Terraform scripts. The account will need to have the "Storage Blob Data Owner" role assigned to the account you are signed in with via the Azure CLI.
The backend.hcl file should contain details of the resource group, storage account, container and blob where your state information will be stored.

0
docs/wiki/Secure-Cloud-Computing-Architecture.md → docs/Secure-Cloud-Computing-Architecture.md
Просмотреть файл

0
docs/wiki/What-is-NoOps.md → docs/What-is-NoOps.md
Просмотреть файл

0
docs/wiki/media/devops-noops.png → docs/media/devops-noops.png
Просмотреть файл

Режим "рядом" Свайп Оверлей

До

Ширина:  |  Высота:  |  Размер: 23 KiB

После

Ширина:  |  Высота:  |  Размер: 23 KiB

74
docs/onboarding/github/github-setup.md Normal file
Просмотреть файл

@ -0,0 +1,74 @@
# GitHub Onboarding Setup Guide
## Introduction
This document provides steps required to onboard an Mission Enclaves to Azure using GitHub Actions.
All steps will need to be repeated per Azure AD tenant.
## Deployment Flow
This deployment diagram is a high-level overview of the deployment flow. The diagram is not intended to be a step-by-step guide.
### High Level Flow
![High Level Flow](./images/high-level-flow.png)
## Instructions
* Step 1 - Create Service Principal Account & Assign RBAC Roles
* Step 2 - Configure GitHub
* Step 3 - Configure Management Groups
### 1. Create Service Principal Account & Assign RBAC Roles
#### 1.1. Create a Service Principal
Create a Service Principal in Azure Active Directory (AAD) for the GitHub Actions workflow to use. This Service Principal will be used to authenticate to Azure and deploy the resources. The Service Principal will need the following permissions:
- `Contributor` on the subscription
- `User Access Administrator` on the subscription
#### 1.1. Create a Service Principal
1. Login to the Azure Portal
1. Navigate to the Azure Active Directory blade
1. Select `App Registrations` from the left-hand menu
1. Click `New Registration`
1. Enter a name for the Service Principal
1. Select `Accounts in this organizational directory only` for the supported account types
1. Click `Register`
#### 1.2. Assign the Service Principal the `Contributor` role
1. Navigate to the `Subscriptions` blade
1. Select the subscription you want to deploy to
1. Click `Access control (IAM)`
1. Click `Add`
1. Select `Add role assignment`
1. Select `Contributor` for the role
1. Select the Service Principal you created in the previous step for the assignee
#### 1.3. Assign the Service Principal the `User Access Administrator` role
1. Navigate to the `Subscriptions` blade
1. Select the subscription you want to deploy to
1. Click `Access control (IAM)`
1. Click `Add`
1. Select `Add role assignment`
1. Select `User Access Administrator` for the role
1. Select the Service Principal you created in the previous step for the assignee
#### 1.4. Create a Secret for the Service Principal
1. Navigate to the `App Registrations` blade
1. Select the Service Principal you created in the previous step
1. Click `Certificates & secrets`
1. Click `New client secret`
1. Enter a description for the secret
1. Select `Never` for the expiration
1. Click `Add`
1. Copy the secret value and save it for later

294
docs/training/bicep/Demonstration 1 - Incrementally Deploy Enclave.md Normal file
Просмотреть файл

@ -0,0 +1,294 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Incrementally Deploy a Mission Enclave with Azure Kubernetes Services using Azure NoOps Accelerator and Bicep
<div class="title">A step-by-step deployment using the NoOps Accelerator to deploy an infrastructure with a private Kubernetes cluster.
</div>
### Setup & Prerequisite Software
1. You must have installed the latest [Git client](https://git-scm.com) for working with source control
1. You must have the latest version of [Visual Studio Code](https://code.visualstudio.com/) for authoring bicep files
1. Installed the [bicep extension](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension) in Visual Studio Code
1. You must have installed either the the latest version of **AZ CLI**, see [How to install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), or **Azure PowerShell**, see [Install the Azure Az PowerShell module](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.0.1) for deploying bicep files
**PowerShell Quick Installation for Azure CLI**
``` PowerShell
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
```
**PowerShell Quick Installation for Azure PowerShell**
``` PowerShell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```
1. You must have installed the latest version of [Azure Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-powershell)
1. Either clone, fork, or download the [NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator) to your local system. This demonstration uses **c:\anoa** as the root directory containing the downloaded, cloned, or forked project from GitHub
### Before we Begin
You will be making modifications to several .json files for the deployment which require knowing several sensitive pieces of information. You will also create a group in Azure Active Directory, and you will need that group's object id. Finally, you will be creating an application registration in Azure Active Directory and will need the client id and secret.
You can record those values here or, preferred, using your terminal save the values as variables. Additionally, you can record and save these values in Azure Key Vault if using the Azure NoOps Accelerator on a pipeline or through a automation platform.
#### OPTIONAL
If you choose to save and record your values use the table below. This is sensitive information and care should be taken.
| Name | Value(s) | How Used |
| --- | --- | --- |
| Tenant ID | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying management groups or policies. |
| Subscription ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div></br><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms. You can use multiple subscriptions for your tiers. |
| Principal ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When using either built-in roles or custom deployed ANOA roles for securing resources. |
| Object ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying resources that need to use an Active Directory Group for access control. |
| Client ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying your Kubernetes cluster for the application registration. |
| Location | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms (eastus, usgovvirgina, etc..). |
#### OPTIONAL
Saving data as variables for use while executing this demonstration or lab. This will make executing the commands through PowerShell simpler.
``` PowerShell
az cloudset --name [AzureCloud | AzureGovernment]
az login
$context = Get-AzContext
$location = [your region]
```
### Part 1: Create Management Groups
---
> NOTE: For this demonstration we will be using AZ CLI with PowerShell
1. Open PowerShell and change to your directory containing the NoOps Accelerator, this demonstration uses **c\anoa**
1. Issue the command **az login** and log into your tenant
1. Issue **$context = Get-AzContext** and record the following values:
- Tenant ID: **$context.Tenant.Id**
- Subscription ID: **$context.Subscription.Id**
> **NOTE**: If more than one value is returned, choose the subscription you are targeting to create the management group structure and choose the tenant id for that subscription. You can also use **Set-AzContext** to set your current subscription for this session.
1. Open Visual Studio Code in your directory containing the NoOps Accelerator
1. Change to the **/src/bicep/overlays/management-groups/** directory
1. Open the **/parameters/deploy.parameters.json** file and make the following changes:
- parentMGName: **$context.Tenant.Id**
- subscriptionId: **$context.Subscription.Id**
- parTenantId: **$context.Tenant.Id**
1. In your PowerShell session issue **Set-Location -Path 'c:\anoa\src\bicep\overlays\management-groups'**
1. Issue the command updating the location parameter to the region you wish to deploy to:
**Azure CLI**
``` PowerShell
az deployment mg create --name 'deploy-enclave-mg' --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --management-group-id $context.Tenant.Id --location $location --only-show-errors
```
> **NOTE**: This operation will move your subscription to the **management** management group in the structure
> **WARNING**: If you plan to delete the structure remember to **MOVE** your subscription from the **management** management group to your tenant root
### Part 2: Create Roles
---
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\overlays\roles'**
1. Open the **/parameters/deploy.parameters.all.json** file and make the following changes:
- parAssignableScopeManagementGroupId: **ANOA** (if you are not using the default, change to the name of your intermediate management group)
1. Issue the command updating the **--management-group-id** paramter to your intermediate management group name or **ANOA** as the default
**Azure CLI**
``` PowerShell
az deployment mg create --name 'deploy-enclave-roles' --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.all.json' --management-group-id 'ANOA' --location $location --only-show-errors
```
### Part 3: Delpoy NIST 800.53 R5 Policy
---
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\overlays\policy\builtin\assignments'**
1. Open the **deploy-nist80054r5.parameters.json** file and make the following changes:
- parPolicyAssignmentManagementGroupId: **ANOA** (if you are not using the default, change to the name of your intermediate management group)
1. Issue the command updating the **--management-group-id** parameter to your intermediate management group name, or use the default value of **ANOA**, and your **--location**
**Azure CLI**
``` PowerShell
az deployment mg create --name 'deploy-policy-nistr5' --template-file 'policy-nist80053r5.bicep' --parameters 'policy-nist80053r5.parameters.json' --management-group-id 'ANOA' --location $location --only-show-errors
```
### Part 4: Deploy 3-Spoke Platform
---
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\platforms\lz-platform-scca-hub-3spoke'**
1. Open the **/parameters/deploy.parameters.json** file and make the following changes:
- parRequired.orgPrefix: **ANOA** (if you are not using the default, change to the name of your intermediate management group)
- parTags.organization: **ANOA** (if you are not using the default, change to the name of your intermediate management group)
- parHub.subscriptionId: **$context.Subscription.Id**
- parIdentitySpoke.subscriptionId: **$context.Subscription.Id**
- parOperationsSpoke.subscriptionId: **$context.Subscription.Id**
- parSharedServicesSpoke.subscriptionId: **$context.Subscription.Id**
1. Issue the command updating the **--location** parameter to your location
**Azure CLI**
``` PowerShell
az deployment sub create --name 'deploy-hub3spoke-network' --subscription $context.Subscription.Id --template-file 'deploy.bicep' --location $location --parameters '@parameters/deploy.parameters.json' --only-show-errors
```
### Part 5: Deploy Kubernetes Workload
---
##### Create an Azure Active Directory Group
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **Groups** in the left navigation
1. Click on **New Group** in the top breadcrumb navigation
1. Provide the following information:
- Group Type: **security**
- Group Name: **K8S Cluster Administrators**
- Group Description: **Administrators of Kubernetes Clusters**
- Owners: **<\< your login \>>**
- Members: **<\< your login \>>**
- Click the **Create** button
1. Record the Object Id for the group, this will be used in the workload deployment for Kubernetes
##### Create an App Registration in Azure Active Directory
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **App Registrations** in the left navigation menu
1. Click on **+New Registration** in the top breadcrumb navigation
1. Provide the following information:
- Name: **ar-eastus-k8s-anoa-01** or a name of your liking
- Supported Account Types: **Accounts in this organizational directory only (... - Single Tenant)**
- Redirect URI (Optional): **do not configure, leave as default**
- Click the **Register** button
1. Click on **Overview** in the left navigation and record the following information:
- Application (client) ID: **<\< client id \>>**
1. Click on **Certificates & Secrets** in the left navigation
1. Click on **+New Client Secret** and provide the following information:
- Description: Kubernetes App Registration for ANOA
- Expires: 3 months or choose an appropriate time for your organization
- Click the **Add** button
1. Copy and record the Secret ID. You will use this in your Kubernetes workload deployment.
##### Deploy Kubernetes Workload
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\workloads\wl-aks-spoke'**
1. Open the **/parameters/deploy.parameters.json** file and make the following changes:
- parRequired.orgPrefix: **ANOA** or your Intermediate management group name
- parTags.organization: **ANOA** or your Intermediate management group name
- parWorkloadSpoke.subscriptionId: **$context.Subscription.Id**
- parHubSubscriptionId: **$context.Subscription.Id**
- parHubVirtualNetworkResourceId: **$context.Subscription.Id**
- parLogAnalyticsWorkspaceResourceId: **$context.Subscription.Id**
- parKubernetesCluster.aksClusterKubernetesVersion: **1.24.6**
> NOTE: Issue the command **az aks get-versions --location eastus --query orchestrators[-1].orchestratorVersion --output tsv** to retrieve your regions highest version
- parKubernetesCluster.aadProfile.aadProfileTenantId: **$context.Tenant.Id**
- parKubernetesCluster.aadProfile.aadProfileAdminGroupObjectIds: **the Object ID from the K8S Cluster Administrators group**
- parKubernetesCluster.addonProfiles.config.logAnalyticsWorkspaceResourceId: **$context.Subscription.Id**
- parKubernetesCluster.servicePrincipalProfile.clientId: **<<your app registration application (client) ID >>**
- parKubernetesCluster.servicePrincipalProfile.secret: **<<your app registration application (client) IDs secret>>**
1. Issue the command updating the **--subscription** parameter with your subscription id and the **--location** parameter to your location
**Azure CLI**
``` PowerShell
az deployment sub create --name 'deploy-aks-network' --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location --subscription $context.Subscription.Id --only-show-errors
```
##### References
---
[Deploying Management Groups with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/management-groups)
[Deploying Roles with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/roles)
[Deploying Policy for Guardrails with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/Policy)
[Deploying SCCA Compliant Hub and 1-Spoke using the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/platforms/lz-platform-scca-hub-1spoke)
[Deploying a Kubernetes Private Cluster Workload using the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/workloads/wl-aks-spoke)

21
docs/training/bicep/Demonstration 10 - PolicyAsCode.md Normal file
Просмотреть файл

@ -0,0 +1,21 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Create and Deploy Policy for Mission Enclave using Azure NoOps Accelerator
<div class="title">A step-by-step creation and deployment of Policy for an Mission Enclave using the Azure NoOps Accelerator.
</div>

202
docs/training/bicep/Demonstration 2 - Deploy Enclave.md Normal file
Просмотреть файл

@ -0,0 +1,202 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Deploy Kubernetes Enclave using Azure CLI and PowerShell
<div class="title">An mission enclave deployment using the Azure NoOps Accelerator for a Azure Kubernetes Service private cluster and Hub/3 Spoke Platform.
</div>
### Setup & Prerequisite Software
1. You must have installed the latest [Git client](https://git-scm.com) for working with source control
1. You must have the latest version of [Visual Studio Code](https://code.visualstudio.com/) for authoring bicep files
1. Installed the [bicep extension](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension) in Visual Studio Code
1. You must have installed either the the latest version of **AZ CLI**, see [How to install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), or **Azure PowerShell**, see [Install the Azure Az PowerShell module](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.0.1) for deploying bicep files
**PowerShell Quick Installation for Azure CLI**
``` PowerShell
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
```
**PowerShell Quick Installation for Azure PowerShell**
``` PowerShell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```
1. You must have installed the latest version of [Azure Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-powershell)
1. Either clone, fork, or download the [NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator) to your local system. This demonstration uses **c:\anoa** as the root directory containing the downloaded, cloned, or forked project from GitHub
### Before we Begin
You will be making modifications to several .json files for the deployment which require knowing several sensitive pieces of information. You will also create a group in Azure Active Directory, and you will need that group's object id. Finally, you will be creating an application registration in Azure Active Directory and will need the client id and secret.
You can record those values here or, preferred, using your terminal save the values as variables. Additionally, you can record and save these values in Azure Key Vault if using the Azure NoOps Accelerator on a pipeline or through a automation platform.
#### OPTIONAL
If you choose to save and record your values use the table below. This is sensitive information and care should be taken.
| Name | Value(s) | How Used |
| --- | --- | --- |
| Tenant ID | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying management groups or policies. |
| Subscription ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div></br><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms. You can use multiple subscriptions for your tiers. |
| Principal ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When using either built-in roles or custom deployed ANOA roles for securing resources. |
| Object ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying resources that need to use an Active Directory Group for access control. |
| Client ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying your Kubernetes cluster for the application registration. |
| Location | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms (eastus, usgovvirgina, etc..). |
#### OPTIONAL
Saving data as variables for use while executing this demonstration or lab. This will make executing the commands through PowerShell simpler.
``` PowerShell
az cloudset --name [AzureCloud | AzureGovernment]
az login
$context = Get-AzContext
$location = [your region]
```
### Part 1: Deploy Kubernetes Workload using an Enclave
> NOTE: If you have already created the Azure Active Diretory group and App Registration you can simply record those values and re-use them in this demonstration.
---
##### Create an Azure Active Directory Group
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **Groups** in the left navigation
1. Click on **New Group** in the top breadcrumb navigation
1. Provide the following information:
- Group Type: **security**
- Group Name: **K8S Cluster Administrators**
- Group Description: **Administrators of Kubernetes Clusters**
- Owners: **<\< your login \>>**
- Members: **<\< your login \>>**
- Click the **Create** button
1. Record the Object Id for the group, this will be used in the workload deployment for Kubernetes
##### Create an App Registration in Azure Active Directory
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **App Registrations** in the left navigation menu
1. Click on **+New Registration** in the top breadcrumb navigation
1. Provide the following information:
- Name: **ar-eastus-k8s-anoa-01** or a name of your liking
- Supported Account Types: **Accounts in this organizational directory only (... - Single Tenant)**
- Redirect URI (Optional): **do not configure, leave as default**
- Click the **Register** button
1. Click on **Overview** in the left navigation and record the following information:
- Application (client) ID: **<\< client id \>>**
1. Click on **Certificates & Secrets** in the left navigation
1. Click on **+New Client Secret** and provide the following information:
- Description: Kubernetes App Registration for ANOA
- Expires: 3 months or choose an appropriate time for your organization
- Click the **Add** button
1. Copy and record the Secret ID. You will use this in your Kubernetes workload deployment.
##### Preparing for Deployment
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\enclaves\enclave-scca-hub3spoke-aks'**
1.
##### Deploy Kubernetes Workload
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\enclaves\enclave-scca-hub3spoke-aks'**
1. Open the **/parameters/deploy.parameters.json** file and make the following changes:
- parRequired.orgPrefix: **<<your organization or ANOA (default)>>**
- parTags.organization: **<<your organization or ANOA (default)>>**
- parTags.region: **<<your Azure region (eastus, usgovvirginia, etc..)>>**
- parHub.subscriptionId: **<<subscriptionId>>**
- parIdentitySpoke.subscriptionId: **<<subscriptionId>>**
- parOperationsSpoke.subscriptionId: **<<subscriptionId>>**
- parSharedServicesSpoke.subscriptionId: **<<subscriptionId>>**
- parAksWorkload.subscriptionId: **<<subscriptionId>>**
- parKubernetesCluster.aksClusterKubernetesVersion: **1.24.6**
> NOTE: Issue the command **az aks get-versions --location eastus --query orchestrators[-1].orchestratorVersion --output tsv** to retrieve your regions highest version
- parKubernetesCluster.aadProfile.aadProfile.TenantId: **<<tenantId>>**
- parKubernetesCluster.aadProfile.aadProfileAdminGroupObjectIds: **<<objectId of AAD Group>>**
- parKubernetesCluster.addonProfiles.config.logAnalyticsWorkspaceResourceId: **<<subscriptionId>>**
- parKubernetesCluster.servicePrincipalProfile.clientId: **<<clientId of AAD App Registration>>**
- parKubernetesCluster.servicePrincipalProfile.secret: **<<secret of AAD App Registration>>**
1. Issue the command updating the **--subscription** parameter with your subscription id and the **--location** parameter to your location
**Azure CLI**
``` PowerShell
az deployment sub create --name 'deploy-scca-enclave-with-aks' --template-file deployCompressed.json' --parameters '@parameters/deploy.parameters.json' --location $location –subscription $context.Subscription.Id --only-show-errors
```
> NOTE: Be sure to review the section **Preparing for Deployment**
##### References
---
[Deploying Management Groups with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/management-groups)
[Deploying Roles with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/roles)
[Deploying Policy for Guardrails with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/Policy)
[Deploying SCCA Compliant Hub and 1-Spoke using the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/platforms/lz-platform-scca-hub-1spoke)
[Deploying a Kubernetes Private Cluster Workload using the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/workloads/wl-aks-spoke)

621
docs/training/bicep/Demonstration 3 - DevOps to NoOps.md Normal file
Просмотреть файл

@ -0,0 +1,621 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Deploy Kubernetes Enclave using Azure DevOps Services
<div class="title">Using Azure DevOps Services for an enclave deployment using the NoOps Accelerator for a Azure Kubernetes Service private cluster and mission landing zone.
</div>
### Setup & Prerequisite Software
1. You must have installed the latest [Git client](https://git-scm.com) for working with source control
1. You must have the latest version of [Visual Studio Code](https://code.visualstudio.com/) for authoring bicep files
1. Installed the [bicep extension](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension) in Visual Studio Code
1. You must have installed either the the latest version of **AZ CLI**, see [How to install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), or **Azure PowerShell**, see [Install the Azure Az PowerShell module](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.0.1) for deploying bicep files
**PowerShell Quick Installation for Azure CLI**
``` PowerShell
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
```
**PowerShell Quick Installation for Azure PowerShell**
``` PowerShell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```
1. You must have installed the latest version of [Azure Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-powershell)
1. Either clone, fork, or download the [NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator) to your local system. This demonstration uses **c:\anoa** as the root directory containing the downloaded, cloned, or forked project from GitHub
### Before we Begin
You will be making modifications to several .json files for the deployment which require knowing several sensitive pieces of information. You will also create a group in Azure Active Directory, and you will need that group's object id. Finally, you will be creating an application registration in Azure Active Directory and will need the client id and secret.
You can record those values here or, preferred, using your terminal save the values as variables. Additionally, you can record and save these values in Azure Key Vault if using the Azure NoOps Accelerator on a pipeline or through a automation platform.
Saving data as variables for use while executing this demonstration or lab will help. This code below will make executing the commands through PowerShell simpler and recalling these values.
``` PowerShell
az cloudset --name [AzureCloud | AzureGovernment]
az login
$context = Get-AzContext
$location = [your region]
```
### Part 1: Setup Azure DevOps Services
> <span class="note">NOTE</span>: If you are on an Azure government cloud, Azure DevOps Services is not available. You can access the service, but you will not be able to choose an Azure government region to host your Azure DevOps Services. In this situation, either deploy Azure DevOps Server as a VM or a physical server in your environment.
> <span class="note">NOTE</span>: If you are using a VM or on-premise Azure DevOps Server, replace **dev.azure.com** with your deployment URL for this demonstration.
---
#### Create an Account or Sign-In to Azure DevOps Services
1. Navigate to [https://dev.azure.com](https://dev.azure.com) and create an account or log in
#### Create a new Project
1. Create a new project with the following settings:
- Name: **anoa**
- Description: **Azure NoOps Accelerator**
- Visibility: **Enterprise** *or* **Private**
- Advanced:
- Version Control: **Git**
- Work item process: **Agile**
#### Download the Azure NoOps Accelerator and Create a Repository
1. Download the latest Azure NoOps Acelerator version from [https://github.com/Azure/NoOpsAccelerator/releases](https://github.com/Azure/NoOpsAccelerator/releases) and unzip to a directory on your computer. This demonstration uses **c:\anoa** as the root directory.
1. Open PowerShell or your terminal of choice and change to the directory where you unzipped the Azure NoOps Accelerator
``` PowerShell
Set-Location -Path 'c:\anoa'
```
1. Issue Git commands to create a repository
``` PowerShell
git init .
git add *
git commit -m "Initialized ANOA"
```
1. Connect your local repository to Azure DevOps Services and push your changes
``` PowerShell
git remote add origin https://<your login name>@dev.azure.com/<your organization name>/<your project name>/_git/anoa
git push -u origin --all
```
#### OPTIONAL: Setup Areas and Iterations for Incremental Development
> <span class="note">NOTE</span>: This step demonstrates setting up a hierarical backlog using a three week sprint for controlling and releasing changes on a predictable schedule.
1. In Azure DevOps Services, click on **Project Settings** found at the bottom left of the page
1. In the **Boards** section, click on **Project Configuration**
##### OPTIONAL: Setup Areas
> <span class="note">NOTE</span>: Areas are used here to create a hierarchy to show progress and effort roll-up for enterprise reporting. This is just an example below. You could also use your archetypes or management groups in Azure as a basis for establishing this structure.
1. Create a new child under **anoa** named **Modern Portfolio**
1. Create a new child under **Modern Portfolio** named **Mission Owner Alpha**
1. Create a new child under **Mission Owner Alpha** named **NoOps Team**
1. Create a new child under **Mission Owner Alpha** named **Application Development Team**
1. Create a new child under **Modern Portfolio** named **Mission Owner Bravo**
##### OPTIONAL: Setup Iterations
1. Click on Iterations found at the top breadcrumb navigation element
1. Delete the pre-configured **Iteration 1**, **Iteration 2**, and **Iteration 3** elements
> <span class="note">NOTE</span>: Adjust the years/dates to represent your current dates
1. Create a new child under **anoa** named **Fiscal Year 2023**
- Start Date: 7/1/2022
- End Date: 6/30/2023
1. Create a new child under **Fiscal Year 2022** named **Program Increment 1**
- Start Date: 7/1/2022
- End Date: 9/23/2022
Use this PowerShell snippet to calculate the Program Increment period:
$d = ([DateTime]'7/1/2022').AddDays(84); while ($d.DayOfWeek -eq "Saturday" -or $d.DayOfWeek -eq "Sunday") { $d = $d.AddDays(1) }; $d
The $d = ([DateTime]'7/1/2022') part of the PowerShell is the start of the Program Increment. If you need to make a second Program Increment change the $d = ([DateTime]'7/1/2022') statement to the start of the second Program Increment, for example: $d = ([DateTime]'9/23/2022')
1. Create a new child under **Program Increment 1** named **Sprint 1**
- Start Date: 7/1/2022
- End Date: 7/21/2022 **Note:** This is a three week sprint
1. Create the remaning two sprints in **Program Increment 1**:
- Name: **Sprint 2**
- Start Date: 7/22/2022
- End Date: 8/11/2022
- Name: **Sprint 3**
- Start Date: 8/12/2022
- End Date: 9/1/2022
1. Create the **Innovation & Planning Sprint**:
- Name: IP Sprint
- Start Date: 9/2/2022
- End Date: 9/23/2022
##### OPTIONAL: Configure the 'anoa Team' for Iterations and Areas
> <span class="note">NOTE</span>: You would use this process for any other teams created in this project to establish enterprise alingment and autonomy.
1. Click on **Team Configuration** found under the **Boards** heading while in the **Project Configuration**
1. Verify that you have **anoa Team** chosen with the Team Selector on the top-most breadcrump navigation element.
1. Uncheck the box for **Features**
> <span class="note">NOTE</span>: Typically, when establishing enterprise autonomy and alignment, you will not have an Azure Board expose more than one type of backlog item. A different team would be responsible for creating Features. Creating Features would happen on the Program Increment Planning sessions.
1. Choose **Bugs are managed with requirements** in the **Working with bugs** section. This will allow bugs to visually appear on your Azure Board.
1. Click on **Iterations**, then click on **+ Select Iteration(s)** and assign the **anoa Team** only the sprints including the IP sprint
1. Click on **Areas** in the breadcrumb navigation element
1. Click on **change** and navigate the hierarchy and choose **anoa Team**
1. In the area listed below, hover over the area, click the ellipses, then choose **include sub-areas**
1. You have completed configuration a Team for use with a hierarchy of time and areas.
### OPTIONAL: Part 2: Using Kanban for Change Visibility
This is the entry point for Developers, Cyber, and Operations to shift-left and work together for changes. A new team will be created called **anoa Team**. This is an Azure AD backed team. Add the Developers, Cyber, and Operations persons to this team which will grant access to the repository for changes.
---
#### OPTIONAL: Configure Azure Boards
1. Click on **Boards** found under the **Boards** heading in the left navigation
1. Click on the gear icon located at the top-right of the Azure Board
1. On the **Fields** page, make the following changes:
- Click on **+ Field** and add **Iteration Path**
- Check the box to **Show empty fields**
- Make the same two changes to the **Bug** page (this will be a tab named Bug)
> <span class="note">NOTE</span>: Bug will only display as a tab here if you have enabled it in one of these areas:
>
> 1. Choose **Bugs are managed with requirements** in the **Working with bugs** section while configuring a team, or
>
> 1. In the **General** section, the **Working with bugs**, you choose **Bugs are managed with requirements**
1. Click on **Columns** under the **Boards** section and configure:
- Rename **New** to **Backlog**
- Rename **Active** to **In-Progress** and split to **doing and done**
- Delete **Resolved**
1. Click on **Swimlanes** under the **Boards** section and configure:
- Click on **+ Swimlane** and add a new swimlane named **Architectural**
- Rename the default swimlane to **Business**
- Click on **Save and Close** button to return to your configured Azure Board
### Part 3: Deploy Kubernetes Workload using an Enclave
> <span class="note">NOTE</span>: If you have already created the Azure Active Directory group and App Registration you can simply record those values and re-use them in this demonstration.
---
#### Create an Azure Active Directory Group
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **Groups** in the left navigation
1. Click on **New Group** in the top breadcrumb navigation
1. Provide the following information:
- Group Type: **security**
- Group Name: **K8S Cluster Administrators**
- Group Description: **Administrators of Kubernetes Clusters**
- Owners: **<\< your login \>>**
- Members: **<\< your login \>>**
- Click the **Create** button
1. Record the Object Id for the group, this will be used in the workload deployment for Kubernetes
#### Create an App Registration in Azure Active Directory for Kubernetes
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **App Registrations** in the left navigation menu
1. Click on **+New Registration** in the top breadcrumb navigation
1. Provide the following information:
- Name: **ar-k8s-dev-eastus-001** or a name of your liking
- Supported Account Types: **Accounts in this organizational directory only (... - Single Tenant)**
- Redirect URI (Optional): **do not configure, leave as default**
- Click the **Register** button
1. Click on **Overview** in the left navigation and record the following information:
- Application (client) ID: **<\< client id \>>**
1. Click on **Certificates & Secrets** in the left navigation
1. Click on **+New Client Secret** and provide the following information:
- Description: Kubernetes App Registration for ANOA
- Expires: 3 months or choose an appropriate time for your organization
- Click the **Add** button
1. Copy and record the Secret ID. You will use this in your Kubernetes workload deployment.
> <span class="note">NOTE</span>: You can also use Azure Key Vault to store these credentials and pull them out in a pipeline.
#### Create an App Registration in Azure Active Directory for Azure DevOps Services
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **App Registrations** in the left navigation menu
1. Click on **+New Registration** in the top breadcrumb navigation
1. Provide the following information:
- Name: **ar-adopipeline-dev-eastus-001** or a name of your liking
- Supported Account Types: **Accounts in this organizational directory only (... - Single Tenant)**
- Redirect URI (Optional): **do not configure, leave as default**
- Click the **Register** button
1. Click on **Overview** in the left navigation and record the following information:
- Application (client) ID: **<\< client id \>>**
1. Click on **Certificates & Secrets** in the left navigation
1. Click on **+New Client Secret** and provide the following information:
- Description: **cs-adopipeline-dev-eastus-001**
- Expires: **3 months or choose an appropriate time for your organization**
- Click the **Add** button
1. Copy and record the Secret ID. You will use this in your Azure DevOps Services Pipeline when you create the Service Connection.
> <span class="note">NOTE</span>: You can also use Azure Key Vault to store these credentials and pull them out in a pipeline.
#### OPTIONAL: Implement Kanban for Change Tracking
1. Create a new User Story work item on the Azure Board:
- Name: **Deploy AKS Enclave**
- Assigned: **Assign to you**
- Area: **anoa\Modern Portfolio\Mission Owner Alpha\NoOps Team**
- Iteration: **anoa\Fiscal Year 2023\Program Increment 1\Sprint 1**
- Description: **Review, modify, update /src/bicep/enclaves/enclave-scca-hub3spoke-aks/parameters/deploy.parameters.json to support deployment of Azure Kubernetes Service private cluster for workload.**
- Acceptance Criteria:
- Azure Key Vault implemented to store credentials and secrets
- Bastion is accessed using Azure Key Vault
- Kubernetes Private Cluster is accessible through Bastion
- Planning:
- Story Points: **13** (scale is 1,2,3,5,8,13,21 where 1 is easiest and 21 is hardest)
- Priority: **1** (scale is 1,2,3,4 where 1 is highest and 4 is lowest)
- Risk: **2 - Medium**
- Classification
- Value area: **Architectural**
1. Click **Save and close** to return to the Azure Board
1. Drag the User Story to the **In-Progress - Doing** column in the **Architectural** swimlane
#### OPTIONAL: Decompose the User Story to Supporting Tasks
1. From the Azure Board, hover over the **Deploy AKS Enclave** workitem, then click on the ellipses, and finally click on **Add Task** and add the following tasks:
- CYBER: Review Azure Key Vault Implementation
- CYBER: Review VNET Peering to Hub and Firewall
- OPS: Review Monitor Solution Deployments
- OPS: Modify Solution Parameter Names
- DEV: Modify Subscription ID and Tenant ID Values
- DEV: Modify Object ID and Role ID Values
> <span class="note">NOTE</span>: You can assign different people to these tasks and operate them on the Task board. The Task Board is where you run your sprints and manage your sprint backlog.
#### OPTIONAL: Create a Remote Branch to Track Changes
1. From the Azure Boards, choose the **anoa Team** to show the **anoa Team Azure Board**.
1. Open the **Deploy AKS Enclave** work item and click **Create Branch** in the **Development** section
1. Name the branch **topics/tb-\<id of work item\>**
1. Return to your PowerShell, or open a PowerShell session, or other terminal with access to use Git and checkout the remote branch:
``` PowerShell
git fetch
git checkout topics/tb-\<id of work item\>
```
> <span class="note">NOTE</span>: It is good Continuous Integration practice to commit your changes often
> <span class="note">NOTE</span>: Team members can also branch the Tasks, if used, and make changes to the same file. If they make changes to the same file in the same location, Git will force a merge confict, otherwise Git's merge process will make every attempt to resolve the merge process.
1. Return to PowerShell and issue **code .** to launch Visual Studio Code in the **c:\anoa** directory
#### Update the deploy.parameters.json File
1. In Visual Studio Code, expand the folders to **/src/bicep/enclaves/enclave-scca-hub3spoke-aks/** and open the **deploy.parameters.json** file
> <span class="note">NOTE</span>: The **deploy.parameters.json** file is in JSON syntax. In this document the parameters to change will be referenced in dotted notation. For example, given this JSON:
>
> "parTags": {
> "value": {
> "organization": "anoa",
> "region": "<<region>>",
> "templateVersion": "v1.0",
> "deployEnvironment": "dev",
> "deploymentType": "NoOpsBicep"
> }
>
> A change to the organiation would be communicated: **parTags.organization**, or a change to the region: **parTags.region**
> <span class="note">NOTE</span>: You can use the same subscription for the HUB, IDENTITY, OPERATIONS, and SHARED SERVICES
> <span class="note">NOTE</span>: If you use AZ CLI and login through your Powershell session you can capture most of the values necessary for the changes. Use the following script to capture the changes:
1. Make the following changes to the **deploy.parameters.json** file:
- parRequired.orgPrefix = **\<your org prefix or the default 'anoa'\>**
- parTags.organization = **\<your org prefix or the default ANOA\>**
- parTags.region = **\<your Azure region (eastus, usgovvirginia, etc...)\>**
- parHub.subscriptionId = **\<subscription Id to host the HUB spoke\>**
- parIdentitySpoke.subscriptionId = **\<subscription Id to host the IDENTITY spoke\>**
- parOperationsSpoke.subscriptionId = **\<subscription Id to host the OPERATIONS spoke\>**
- parSharedServicesSpoke.subscriptionId = **\<subscription Id to host the SHARED SERVICES spoke\>**
- parAksWorkload.subscriptionId = **\<subscription Id to host the AKS Private Cluster\>**
- parKubernetesCluster.aksClusterKubernetesVersion: **1.25.2**
> <span class="note">NOTE</span>: Issue the command **az aks get-versions --location eastus --query orchestrators[-1].orchestratorVersion --output tsv** to retrieve your regions highest version
- parKubernetesCluster.aadProfile.aadProfile.TenantId: **<\<tenant Id for this enclave deployment>>**
- parKubernetesCluster.aadProfile.aadProfileAdminGroupObjectIds: **<\<objectId of AAD Group for Kubernetes Administrators>>**
> <span class="note">NOTE</span>: See **Part 3: Deploy Kubernetes Workload using an Enclave**, **Create an Azure Active Directory Group** about creating an AAD group for the *parKubernetesCluster.aadProfile.aadProfileAdminGroupObjectIds* configuration element.
- parKubernetesCluster.addonProfiles.config.logAnalyticsWorkspaceResourceId: **<\<subscriptionId>>**
- parKubernetesCluster.servicePrincipalProfile.clientId: **<<clientId of AAD App Registration>>**
- parKubernetesCluster.servicePrincipalProfile.secret: **<\<secret of AAD App Registration>>**
> <span class="note">NOTE</span>: See **Part 3: Deploy Kubernetes Workload using an Enclave**, **Create an App Registration in Azure Active Directory** about creating an app registration and retrieving the clientId and secret for the *parKubernetesCluster.servicePrincipalProfile.clientId* and the *parKubernetesCluster.servicePrincipalProfile.secret* configuration elements.
>
> <span class="note">NOTE</span>: If using **AZ AD SP LIST** for your service principals the **<\<clientId\>>** is the **appId** of the JSON returned from the AZ AD SP LIST command.
- parNetworkArtifacts.enable = **true**
- parNetworkArtifacts.keyVaultPolicies = **<\<an array of principles from your Azure AD who will have permissions for keys and secrets>\>**
> <span class="note">NOTE</span>: Setting *parNetworkArtifacts.enable* to true will create an Azure Key Vault and place the Bastion credentials in this Azure Key Vault. *parNetworkArtifacts.keyVaultPolicies* is an array of people who will be granted access to the keys and secrets. Copy the following JSON to grant multiple people access (**make sure there is a comma , after the last brace }**):
>
> ``` json
> {
> "objectId": "3c42836c-2712-418f-963b-7a1293d36d63",
> "permissions": {
> "keys": ["get", "list", "update"],
> "secrets": ["get", "list", "set"]
> },
> "tenantId": "0ff59ae6-406c-4aba-a174-fddb35d8dd6f"
> },
> ```
>
#### OPTIONAL: Commit the Branch and Merge into Main
1. Return to your PowerShell session or terminal
1. Issue the following commands to commit and push on your branch:
``` PowerShell
git add *
git commit -m "Updated deploy.parameters.json for AKS Enclave Deployment"
git push
```
> <span class="note">NOTE</span>: If your following the decomposition process of the **Deploy AKS Enclave** user story your actions have mapped to the tasks in this way:
>
> **CYBER: Review Azure Key Vault Implementation**
> When you enabled Network Artifacts and assigned one or more people permissions to keys/secrets you completed this task.
>
> **CYBER: Review VNET Peering to Hub and Firewall**
> When you updated the subscription Id for the HUB spoke and reviewed the Azure Firewall configuration and VNET peerings with the configuration element: *peerToSpokeVirtualNetwork: true* you completed this task.
>
> **OPS: Review Monitor Solution Deployments**
> When you updated the subscription Id for the OPERATIONS spoke and reviewed the network configuration allowing traffic from spokes you completed this task.
>
> **OPS: Modify Diagnostics Logs**
> When you reviewed the available diagnostics logs in the *parOperationsSpoke* configuration element you completed this task.
>
> **DEV: Modify Subscription ID and Tenant ID Values**
> When you updated deploy.parameters.json with the correct subscription Id's and tenant Id's you completed this task.
>
> **DEV: Modify Object ID and Role ID Values**
> When you created the app registration, and Azure AD group for Kubernetes then updated deploy.parameters.json with those values you completed this task.
1. Return Azure DevOps Services or your Azure DevOps Server
1. In the left navigation under the **Repos** heading, click on **Pull Requests**
1. Your branch will be listed, click on the **Create a pull request** button located to the far right
1. You will be able to review your changes on the **Files** tab. Return to the **Overview** tab and click the **Create** button to create a pull request
> <span class="note">NOTE</span>: If you have governance or process around your PR processes engage them here. For this execise we will be simply approving and completing the PR.
1. Click on the **Approve** button
1. Click on the **Complete** button
1. Click on the **Complete merge** button
> <span class="note">NOTE</span>: Feel free to use the merge type for your team. The checkbox to **Delete topics/tb-### after merging** refers ONLY to the remote branch that is on Azure DevOps Services and not any branches on your local computer. Those must be removed manually after the PR process.
### Part 4: Setup the Azure DevOps Services Pipeline
1. Return to Azure DevOps Services
1. Click on **Project Settings** in the lower left
1. Click on **Service Connections** in the **Pipelines** section on the left
1. Click the **New Service Connection** button in the top right and create a new Service Connection with the following information:
- Service Connection Type: **Azure Resource Manager**
> <span class="note">NOTE</span>: Scroll down and click the **Next** button to see the Authentication Method selection.
- Authentication Method: **Service Principal (manual)**
- Environment: **Azure Cloud**
- Scope Level: **Subscription**
- Subscription ID: **subscriptionId of the subscription this service connection will access**
- Service Principal ID: **The *client id* of App Registration** you created in the **Part 3: Deploy Kubernetes Workload using an Enclave, Create an App Registration in Azure Active Directory for Azure DevOps Services** section.
- Service Principal Key (if using): **The *value* of App Registration's Client Secret** you created in the **Part 3: Deploy Kubernetes Workload using an Enclave, Create an App Registration in Azure Active Directory for Azure DevOps Services** section.
- Tenant ID: **Tenant ID you are using for your deployment**
- Service Connection Name: **sc-\<subscription name\>-subscription**
- Description: **optional if you want a description**
- Check the Checkbox: **Grant access permissions to all pipelines** (otherwise you will need to authorize this for each pipeline. Defer to your organization's security and governance for this setting)
- Click on **Verify and Save**
> <span class="note">NOTE</span>: If you have any issues, resolve them before proceeding. The App Registration that is used in this Service Connection must be added to the **OWNERS** role of the subscription.
1. Return to Pipelines, and **Create a New Pipeline**
1. Copy and Paste the .yaml for the pipeline:
''' yaml
'''
#### References
---
[Deploying Management Groups with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/management-groups)
[Deploying Roles with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/roles)
[Deploying Policy for Guardrails with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/Policy)
[Deploying SCCA Compliant Hub and 1-Spoke using the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/platforms/lz-platform-scca-hub-1spoke)
[Deploying a Kubernetes Private Cluster Workload using the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/workloads/wl-aks-spoke)

481
docs/training/bicep/Demonstration 5 - Overlay.md Normal file
Просмотреть файл

@ -0,0 +1,481 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Create an Overlay for SQL Server using Azure NoOps Accelerator
<div class="title">A step-by-step creation and deployment of a Sql Server Overlay using the Azure NoOps Accelerator.
</div>
### Setup & Prerequisite Software
> If already done this in previous labs, then you can skip to Part 1
1. You must have installed the latest [Git client](https://git-scm.com) for working with source control
1. You must have the latest version of [Visual Studio Code](https://code.visualstudio.com/) for authoring bicep files
1. Installed the [bicep extension](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension) in Visual Studio Code
1. You must have installed either the the latest version of **AZ CLI**, see [How to install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), or **Azure PowerShell**, see [Install the Azure Az PowerShell module](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.0.1) for deploying bicep files
**PowerShell Quick Installation for Azure CLI**
``` PowerShell
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
```
**PowerShell Quick Installation for Azure PowerShell**
``` PowerShell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```
1. You must have installed the latest version of [Azure Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-powershell)
1. Either clone, fork, or download the [Azure NoOps Accelerator](https://aka.ms/azurenoops) to your local system. This demonstration uses **c:\anoa** as the root directory containing the downloaded, cloned, or forked project from GitHub
### Before we Begin
You will be making modifications to several .json files for the deployment which require knowing several sensitive pieces of information.
You can record those values here or, preferred, using your terminal save the values as variables. Additionally, you can record and save these values in Azure Key Vault if using the Azure NoOps Accelerator on a pipeline or through a automation platform.
Saving data as variables for use while executing this demonstration or lab will help. This code below will make executing the commands through PowerShell simpler and recalling these values.
``` PowerShell
az cloudset --name [AzureCloud | AzureGovernment]
az login
$context = Get-AzContext
$location = [your region]
```
#### OPTIONAL
If you choose to save and record your values use the table below. This is sensitive information and care should be taken.
| Name | Value(s) | How Used |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| Subscription ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div></br><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms. You can use multiple subscriptions for your tiers. |
| Location | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms (eastus, usgovvirgina, etc..). |
### Part 1: Create an Overlay Folder
> <span class="note">NOTE</span>: For this demonstration we will be using AZ CLI with PowerShell. You can use AZ CLI with Bash or Azure PowerShell. The commands are the same. The only difference is the syntax.
---
#### Create Sql Server Overlay folder
1. Change to your directory containing the Azure NoOps Accelerator, this demonstration uses **c:\anoa**
1. Open Visual Studio Code in your directory containing the Azure NoOps Accelerator
1. Open folder directory **/src/bicep/overlays/management-services/**
1. Create a folder called **sqlServer** in the **/src/bicep/overlays/management-services/** by right-click the folder and selecting **new folder**
1. In the same folder create a folder called **parameters** by right-click the **sqlServer** folder and selecting **new folder**
2. Add files to the **sqlServer** folder by right-click the **sqlServer** folder, selecting **new file** and naming the file:
- **deploy.bicep**
- **readme.md**
2. Add files to the **sqlServer/parameters** folder by right-click the **sqlServer/parameters** folder and selecting **new file**:
- **deploy.parameters.json**
### Part 2: Build the Bicep for the SQL Server Overlay
---
1. Open the **/deploy.bicep** file in the **sqlServer** folder and make the following changes:
**Azure Bicep**
``` PowerShell
/*
SUMMARY: Overlay Module Example to deploy an Sql Server.
DESCRIPTION: The following components will be options in this deployment
* Sql Server
AUTHOR/S: <<your name>>
*/
targetScope = 'subscription' //Deploying at Subscription scope to allow resource groups to be created and resources in one deployment
// REQUIRED PARAMETERS
// Example (JSON)
// These are the required parameters for the deployment
// -----------------------------
// "parRequired": {
// "value": {
// "orgPrefix": "anoa",
// "templateVersion": "v1.0",
// "deployEnvironment": "dev"
// }
// }
@description('Required values used with all resources.')
param parRequired object
// REQUIRED TAGS
// Example (JSON)
// These are the required tags for the deployment
// -----------------------------
// "parTags": {
// "value": {
// "organization": "anoa",
// "region": "eastus",
// "templateVersion": "v1.0",
// "deployEnvironment": "dev",
// "deploymentType": "NoOpsBicep"
// }
// }
@description('Required tags values used with all resources.')
param parTags object
@description('The region to deploy resources into. It defaults to the deployment location.')
param parLocation string = deployment().location
```
> <span class="note">IMPORTANT</span>: Since this overlay will be used in workloads, we need to add the **subscription** to the **targetScope** property and add the required parameters. The **targetScope** property is used to define where the Bicep file will be deployed. The **targetScope** property can be set to **resourceGroup** or **subscription**.
2. Next, we will be adding the SQL Server object parameter for the deployment. The SQL Server object parameter is the object that will have all the parameters that defines a Sql Server for Azure. Add the following parameters to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
// SQL SERVER PARAMETERS
@description('Defines the Sql Server Object.')
param parSqlServer object
```
> <span class="note">NOTE</span>: The **parSqlServer** parameter will be used to create the Sql Server resource and will contain the following properties:
| Name | Type | Description |
| --- | --- | --- |
| name | string | The name of the Sql Server. |
| location | string | The location of the Sql Server. |
| tags | object | The tags of the Sql Server. |
| sku | string | The sku of the Sql Server. |
| version | string | The version of the Sql Server.|
| administratorLogin | string | The administrator login of the Sql Server. |
| administratorLoginPassword | string | The administrator login password of the Sql Server. |
| publicNetworkAccess | string | The public network access of the Sql Server. |
| minimalTlsVersion | string | The minimal TLS version of the Sql Server. |
| databases | int | The databases for the Sql Server. |
| firewallRules | array | The firewall rules of the Sql Server. |
| minimalTlsVersion | string | Minimal TLS version allowed. [1.0, 1.1, 1.2]|
| publicNetworkAccess | bool | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. |
| enableLocks | bool | Enable resource lock |
We will be adding the **parSqlServer** parameters to the **/parameters/deploy.parameters.json** file in Part 3.
3. Next, We will be adding the targets for this overlay. **Targets** are used to specify the subscription and resource group where the Sql Server will be deployed. Add the following to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
// TARGETS
// SUBSCRIPTIONS PARAMETERS
// Target Virtual Network Name
// (JSON Parameter)
// ---------------------------
// "parTargetSubscriptionId": {
// "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxx"
// }
@description('The subscription ID for the Target Network and resources. It defaults to the deployment subscription.')
param parTargetSubscriptionId string = subscription().subscriptionId
// Target Resource Group Name
// (JSON Parameter)
// ---------------------------
// "parTargetResourceGroup": {
// "value": "anoa-eastus-platforms-hub-rg"
// }
@description('The name of the resource group in which the Sql Server will be deployed. If unchanged or not specified, the Azure NoOps Accelerator will create an resource group to be used.')
param parTargetResourceGroup string = ''
```
> <span class="note">IMPORTANT</span>: The **parTargetSubscriptionId** parameter is used to specify the subscription where the Sql Server will be deployed. The **parTargetResourceGroup** parameter is used to specify the resource group where the Sql Server will be deployed. If the **parTargetResourceGroup** parameter is not specified, the Azure NoOps Accelerator will create a resource group for the Sql Server.
3. Next, We will be adding the resource naming parameters for this overlay. The **resource naming** parameters is used in name parameter in each of the modules. Add the following to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
// RESOURCE NAMING PARAMETERS
@description('A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.')
param parDeploymentNameSuffix string = utcNow()
@description('The current date - do not override the default value')
param dateUtcNow string = utcNow('yyyy-MM-dd HH:mm:ss')
```
> <span class="note">NOTE</span>: The **parDeploymentNameSuffix** parameter is used to create a unique name for the deployment. The **dateUtcNow** parameter is used to create a unique name for the deployment.
3. Next, We will be adding the resource naming variables for this overlay. The **resource naming** variables is used in naming of the modules. This provides a consistent naming convention for all resources. Add the following to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
/*
NAMING CONVENTION
Here we define a naming conventions for resources.
First, we take `parDeployEnvironment` and `parDeployEnvironment` by params.
Then, using string interpolation "${}", we insert those values into a naming convention.
*/
var varResourceToken = 'resource_token'
var varNameToken = 'name_token'
var varNamingConvention = '${toLower(parRequired.orgPrefix)}-${toLower(parLocation)}-${toLower(parRequired.deployEnvironment)}-${varNameToken}-${toLower(varResourceToken)}'
// RESOURCE NAME CONVENTIONS WITH ABBREVIATIONS
var varResourceGroupNamingConvention = replace(varNamingConvention, varResourceToken, 'rg')
var varSqlServerNamingConvention = replace(varNamingConvention, varResourceToken, 'sql')
// SQL SERVER NAMES
var varSqlServerName = parSqlServer.sqlServerName
var varSqlServerResourceGroupName = replace(varResourceGroupNamingConvention, varNameToken, varSqlServerName)
var varServerName = replace(varSqlServerNamingConvention, varNameToken, varSqlServerName)
```
> <span class="note">NOTE</span>: The **varNamingConvention** variable is used to create the naming convention for the resources. The **varResourceGroupNamingConvention** variable is used to create the naming convention for the resource groups. The **varSqlServerName** variable is used to create the naming convention for the Sql Server. The **varSqlServerResourceGroupName** variable is used to create the naming convention for the Sql Server resource group.
1. Now let's add the sqlServer module from Az Resources to this overlay. Add the following to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
//=== TAGS ===
var referential = {
region: parLocation
deploymentDate: dateUtcNow
}
@description('Resource group tags')
module modTags '../../../azresources/Modules/Microsoft.Resources/tags/az.resources.tags.bicep' = {
name: 'deploy-sqlSvr-tags-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parTargetSubscriptionId)
params: {
tags: union(parTags, referential)
}
}
// Sql Server
// Create Sql Server resource group
resource rgSqlServerRg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
name: (!empty(parTargetResourceGroup)) ? parTargetResourceGroup : varSqlServerResourceGroupName
location: parLocation
}
// Create Sql Server
module modSqlServer '../../../azresources/Modules/Microsoft.Sql/servers/az.data.sqlserver.bicep' = {
name: 'deploy-sqlSvr-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parTargetSubscriptionId, rgSqlServerRg.name)
params: {
location: parLocation
name: varServerName
tags: parTags
administratorLogin: parSqlServer.administratorLogin
administratorLoginPassword: parSqlServer.administratorLoginPassword
minimalTlsVersion: parSqlServer.minimalTlsVersion
publicNetworkAccess: parSqlServer.publicNetworkAccess
databases: parSqlServer.databases
firewallRules: parSqlServer.firewallRules
}
}
```
> <span class="note">IMPORTANT</span>: The **modTags** module is used to create the tags for the Sql Server. The **rgSqlServerRg** resource is used to create the resource group for the Sql Server. The **modSqlServer** module is used to create the Sql Server.
### Part 3: Build the Parameters for the Overlay
1. Now let's build the parameters for the overlay. Add the following to the **/parameters.json** file:
**JSON**
``` PowerShell
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"parRequired": {
"value": {
"orgPrefix": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev"
}
},
"parTags": {
"value": {
"organization": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev",
"deploymentType": "NoOpsBicep"
}
},
"parTargetSubscriptionId": {
"value": "<<YOUR SUBSCRIPTION ID>>"
},
"parTargetResourceGroup": {
"value": ""
},
"parSqlServer": {
"value": {
"sqlServerName": "sqlsrv-001",
"administratorLogin": "azureuser",
"administratorLoginPassword": "Rem0te@2020246",
"minimalTlsVersion": "1.2",
"publicNetworkAccess": "Enabled",
"enableLocks": true,
"databases": [
{
"name": "anoa",
"collation": "SQL_Latin1_General_CP1_CI_AS",
"licenseType": "LicenseIncluded",
"maxSizeBytes": 34359738368,
"skuCapacity": 12,
"skuFamily": "Gen5",
"skuName": "BC_Gen5",
"skuTier": "BusinessCritical"
}
],
"firewallRules": [
{
"endIpAddress": "0.0.0.0",
"name": "AllowAllWindowsAzureIps",
"startIpAddress": "0.0.0.0"
}
]
}
}
}
}
```
---
1. Make the following changes to the **deploy.parameters.json** file or leave default values:
- parRequired.orgPrefix = **\<your org prefix or the default 'anoa'\>**
- parTags.organization = **\<your org prefix or the default ANOA\>**
- parTags.region = **\<your Azure region (eastus, usgovvirginia, etc...)\>**
- parTargetSubscriptionId = **\<subscription Id to host the sql server\>**
- parTargetResourceGroup = **\<leave blank\>**
- parSqlServer.sqlServerName = **\<your sql server name\>**
- parSqlServer.administratorLogin = **\<your sql server administrator login\>**
- parSqlServer.administratorLoginPassword = **\<your sql server administrator login password\>**
- parSqlServer.databases.name = **\<your sql server database name\>**
> <span class="note">NOTE</span>: The **parTargetResourceGroup** parameter is left blank. This will allow the overlay to create the resource group for the Sql Server.
### Part 4: Deploy Sql Server Overlay
> <span class="note">IMPORTANT</span>: Overlays are not meant to be deployed seperatly but they can be. In this case we are deploying the overlay seperatly to show how it works. In a real world scenario the overlay would be deployed as part of a larger platform or workload deployment.
---
##### Validate the deployment with WhatIf
> <span class="note">NOTE</span>: The **WhatIf** parameter is used to validate the deployment without actually deploying the resources. This is a great way to validate the deployment before actually deploying the resources.
1. Open PowerShell and change to your directory containing the NoOps Accelerator, this demonstration uses **c\anoa**
2. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\overlays\management-services\sqlserver'**
3. Issue **$context = Get-AzContext** and record the following values: -
- Subscription ID: **$context.Subscription.Id**
> <span class="note">NOTE</span>: If more than one value is returned, choose the subscription you are targeting to create the sql server overlay. You can also use **Set-AzContext** to set your current subscription for this session.
4. Issue the command:
**Azure CLI**
``` PowerShell
az deployment sub what-if --subscription $context.Subscription.Id --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location
```
> <span class="note">NOTE</span>: The **--location** parameter is used to specify the location for the resource group. This is not the location for the Sql Server. The location for the Sql Server is specified in the **parameters.json** file.
5. Review the output of the command and verify that the deployment will create the resource group and the sql server.
``` PowerShell
Resource and property changes are indicated with these symbols:
+ Create
~ Modify
The deployment will update the following scopes
Scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+ resourceGroups/anoa-usgovvirginia-dev-sqlsrv-001-rg [2021-04-01]
apiVersion: "2021-04-01"
id: "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/anoa-usgovvirginia-dev-sqlsrv-001-rg"
location: "usgovvirginia"
name: "anoa-usgovvirginia-dev-sqlsrv-001-rg"
type: "Microsoft.Resources/resourceGroups"
properties.endIpAddress: "0.0.0.0"
properties.startIpAddress: "0.0.0.0"
type: "Microsoft.Sql/servers/firewallRules"
+ Microsoft.Sql/servers/anoa-usgovvirginia-dev-sqlsrv-001-sql/providers/Microsoft.Authorization/locks/anoa-usgovvirginia-dev-sqlsrv-001-sql-CanNotDelete-lock [2017-04-01]
apiVersion: "2017-04-01"
id: "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/anoa-usgovvirginia-dev-sqlsrv-001-rg/providers/Microsoft.Sql/servers/anoa-usgovvirginia-dev-sqlsrv-001-sql/providers/Microsoft.Authorization/locks/anoa-usgovvirginia-dev-sqlsrv-001-sql-CanNotDelete-lock"
name: "anoa-usgovvirginia-dev-sqlsrv-001-sql-CanNotDelete-lock" properties.level: "CanNotDelete"
properties.notes: "Cannot delete resource or child resources."
type: "Microsoft.Authorization/locks"
Resource changes: 4 to create, 1 to modify.
```
7. This ouput tells us that there will be a creation of 2 resources (resource group & sql server) and that the values are as expected. The **WhatIf** command is a great way to validate the deployment before actually deploying the resources. If you are satisfied with the deployment, then deploy the infrastructure by removing the **WhatIf** value.
##### Deploy Sql Server Overlay
1. Issue the command updating the **--subscription** parameter with your subscription id and the **--location** parameter to your location
**Azure CLI**
``` PowerShell
az deployment sub create --name 'deploy-sql-server' --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location --subscription $context.Subscription.Id --only-show-errors
```
##### Remove the Sql Server Overlay
1. Issue this command to remove the resources created by the overlay:
**Azure CLI**
``` PowerShell
Remove-AzResourceGroup -Name 'anoa-usgovvirginia-dev-sqlsrv-001-rg'
```
<span class="note">NOTE</span>: The resource group name is based on the parameters you used when deploying the overlay. Change the resource group name to match your previous deployment.
##### References
---
[Deploying Management Groups with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/management-groups)
[Deploying Roles with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/roles)
[Deploying Policy for Guardrails with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/Policy)
[Deploying SCCA Compliant Hub and 1-Spoke using the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/platforms/lz-platform-scca-hub-1spoke)
[Deploying a Kubernetes Private Cluster Workload using the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/workloads/wl-aks-spoke)

547
docs/training/bicep/Demonstration 6 - Workload.md Normal file
Просмотреть файл

@ -0,0 +1,547 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Create an SQL Server Workload Spoke using Azure NoOps Accelerator
<div class="title">A step-by-step creation and deployment of a SQL Server Workload Spoke using the Azure NoOps Accelerator.
</div>
### Setup & Prerequisite Software
> If already done this in previous labs, then you can skip to Part 1
1. You must have installed the latest [Git client](https://git-scm.com) for working with source control
1. You must have the latest version of [Visual Studio Code](https://code.visualstudio.com/) for authoring bicep files
1. Installed the [bicep extension](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension) in Visual Studio Code
1. You must have installed either the the latest version of **AZ CLI**, see [How to install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), or **Azure PowerShell**, see [Install the Azure Az PowerShell module](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.0.1) for deploying bicep files
**PowerShell Quick Installation for Azure CLI**
``` PowerShell
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
```
**PowerShell Quick Installation for Azure PowerShell**
``` PowerShell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```
1. You must have installed the latest version of [Azure Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-powershell)
1. Either clone, fork, or download the [Azure NoOps Accelerator](https://aka.ms/azurenoops) to your local system. This demonstration uses **c:\anoa** as the root directory containing the downloaded, cloned, or forked project from GitHub
### Before we Begin
You will be making modifications to several .json files for the deployment which require knowing several sensitive pieces of information.
You can record those values here or, preferred, using your terminal save the values as variables. Additionally, you can record and save these values in Azure Key Vault if using the Azure NoOps Accelerator on a pipeline or through a automation platform.
Saving data as variables for use while executing this demonstration or lab will help. This code below will make executing the commands through PowerShell simpler and recalling these values.
``` PowerShell
az cloudset --name [AzureCloud | AzureGovernment]
az login
$context = Get-AzContext
$location = [your region]
```
#### OPTIONAL
If you choose to save and record your values use the table below. This is sensitive information and care should be taken.
| Name | Value(s) | How Used |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| Subscription ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms. You can use multiple subscriptions for your tiers. |
| Location | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms (eastus, usgovvirgina, etc..). |
### Part 1: Create an Workload Folder
> <span class="note">NOTE</span>: For this demonstration we will be using AZ CLI with PowerShell. You can use AZ CLI with Bash or Azure PowerShell. The commands are the same. The only difference is the syntax.
---
#### Create Sql Server Workload Spoke folder
1. Change to your directory containing the Azure NoOps Accelerator, this demonstration uses **c:\anoa**
1. Open Visual Studio Code in your directory containing the Azure NoOps Accelerator
1. Open folder directory **/src/bicep/workloads/**
1. Create a folder called **wl-sqlserver-spoke** in the **//src/bicep/workloads/** by right-click the folder and selecting **new folder**
> <span class="note">NOTE</span>: The folder name must start with **wl-** and end with **-spoke**. This is how the Azure NoOps Accelerator identifies the folder as a workload spoke.
2. In the same folder create a folder called **parameters** by right-click the **wl-sqlserver-spoke** folder and selecting **new folder**
3. Add files to the **wl-sqlserver-spoke** folder by right-click the **wl-sqlserver-spoke** folder, selecting **new file** and naming the file:
- **deploy.bicep**
- **readme.md**
- **bicepconfig.json**
4. Add files to the **wl-sqlserver-spoke/parameters** folder by right-click the **wl-sqlserver-spoke/parameters** folder and selecting **new file**:
- **deploy.parameters.json**
### Part 2: Build the Bicep for the SQL Server Workload Spoke
> <span class="note">NOTE</span>: In this demonstration, we will be building a SQL Server Workload Spoke with Azure Bicep. This will be a Tier 3 spoke that will be deployed with an VNET. The SQL Server Workload will use the VNET created in the spoke. The spoke will be deployed to a subscription that is the same as the subscription where the platform(hub/spoke network) is deployed. In production scenrieos, you can use different subscriptions for the platform(hub/spoke network) and workloads.
---
1. Open the **/deploy.bicep** file in the **wl-sqlserver-spoke** folder and make the following changes:
**Azure Bicep**
``` PowerShell
/*
SUMMARY: Workload Module to deploy a Sql Server Workload to an target sub.
DESCRIPTION: The following components will be options in this deployment
Sql Server Workload Spoke
AUTHOR/S: <your name>
*/
targetScope = 'subscription' //Deploying at Subscription scope to allow resource groups to be created and resources in one deployment
// REQUIRED PARAMETERS
// Example (JSON)
// These are the required parameters for the deployment
// -----------------------------
// "parRequired": {
// "value": {
// "orgPrefix": "anoa",
// "templateVersion": "v1.0",
// "deployEnvironment": "dev"
// }
// }
@description('Required values used with all resources.')
param parRequired object
// REQUIRED TAGS
// Example (JSON)
// These are the required tags for the deployment
// -----------------------------
// "parTags": {
// "value": {
// "organization": "anoa",
// "region": "eastus",
// "templateVersion": "v1.0",
// "deployEnvironment": "dev",
// "deploymentType": "NoOpsBicep"
// }
// }
@description('Required tags values used with all resources.')
param parTags object
@description('The region to deploy resources into. It defaults to the deployment location.')
param parLocation string = deployment().location
```
> <span class="note">NOTE</span>: Just like the overlay, we need to add the **subscription** to the **targetScope** property and add the required parameters. The **targetScope** property is used to define where the Bicep file will be deployed. The **targetScope** property can be set to **resourceGroup** or **subscription**.
1. Since this is a workload spoke, we need to add workload specific parameters. Add the following parameters to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
// WORKLOAD PARAMETERS
@description('Required values used with the workload, Please review the Read Me for required parameters')
param parWorkloadSpoke object
```
We will be adding the **parWorkloadSpoke** parameters to the **/parameters/deploy.parameters.json** file in Part 3.
> <span class="note">NOTE</span>: The **parWorkloadSpoke** parameter is a **JSON** object that will contain all the parameters for the workload spoke. The **parWorkloadSpoke** parameter will be used to pass the parameters to the workload spoke overlay to create the Tier 3 spoke as part of a Hub 3 Spoke Platform.
1. The workload spoke has specific parameters it needs to use resources from the Hub 3 Spoke Platform including Hub Network and Log Analytics paramters.Add the following parameters to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
// HUB NETWORK PARAMETERS
@description('The subscription ID for the Hub Network.')
param parHubSubscriptionId string
// Hub Resource Group Name
// (JSON Parameter)
// ---------------------------
// "parHubResourceGroupName": {
// "value": "anoa-eastus-platforms-hub-rg"
// }
@description('The resource group name for the Hub Network.')
param parHubResourceGroupName string
// Hub Virtual Network Name
// (JSON Parameter)
// ---------------------------
// "parHubResourceGroupName": {
// "value": "anoa-eastus-platforms-hub-rg"
// }
@description('The virtual network name for the Hub Network.')
param parHubVirtualNetworkName string
// Hub Virtual Network Resource Id
// (JSON Parameter)
// ---------------------------
// "parHubVirtualNetworkResourceId": {
// "value": "/subscriptions/xxxxxxxx-xxxxxx-xxxxx-xxxxxx-xxxxxx/resourceGroups/anoa-eastus-platforms-hub-rg/providers/Microsoft.Network/virtualNetworks/anoa-eastus-platforms-hub-vnet/subnets/anoa-eastus-platforms-hub-vnet"
// }
@description('The virtual network resource Id for the Hub Network.')
param parHubVirtualNetworkResourceId string
// LOGGING PARAMETERS
@description('Log Analytics Workspace Resource Id Needed for NSG, VNet and Activity Logging')
param parLogAnalyticsWorkspaceResourceId string
@description('Log Analytics Workspace Name Needed Activity Logging')
param parLogAnalyticsWorkspaceName string
```
> <span class="note">NOTE</span>: The **parHubSubscriptionId** parameter is the subscription Id of the Hub Network. The **parHubResourceGroupName** parameter is the resource group name of the Hub Network. The **parHubVirtualNetworkName** parameter is the virtual network name of the Hub Network. The **parHubVirtualNetworkResourceId** parameter is the virtual network resource Id of the Hub Network. The **parLogAnalyticsWorkspaceResourceId** parameter is the Log Analytics Workspace resource Id. The **parLogAnalyticsWorkspaceName** parameter is the Log Analytics Workspace name. These parameters will be used to create the Tier 3 spoke as part of a Hub 3 Spoke Platform.
2. Next, we will be adding the SQL Server object parameter for the deployment. The SQL Server object parameter is the object that will have all the parameters that defines a Sql Server for Azure. Add the following parameters to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
// SQL SERVER PARAMETERS
@description('Defines the Sql Server Object.')
param parSqlServer object
```
> <span class="note">NOTE</span>: The **parSqlServer** parameter will be used to create the Sql Server resource and will contain the following properties:
| Name | Type | Description |
| -------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| name | string | The name of the Sql Server. |
| location | string | The location of the Sql Server. |
| tags | object | The tags of the Sql Server. |
| sku | string | The sku of the Sql Server. |
| version | string | The version of the Sql Server. |
| administratorLogin | string | The administrator login of the Sql Server. |
| administratorLoginPassword | string | The administrator login password of the Sql Server. |
| publicNetworkAccess | string | The public network access of the Sql Server. |
| minimalTlsVersion | string | The minimal TLS version of the Sql Server. |
| databases | int | The databases for the Sql Server. |
| firewallRules | array | The firewall rules of the Sql Server. |
| minimalTlsVersion | string | Minimal TLS version allowed. [1.0, 1.1, 1.2] |
| publicNetworkAccess | bool | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. |
| enableLocks | bool | Enable resource lock |
We will be adding the **parSqlServer** parameters to the **/parameters/deploy.parameters.json** file in Part 3.
1. Now we will start building the Tier 3 module for the deployment. The Tier 3 module are used to create the resources for the workload deployment. Add the following modules to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
//=== TAGS ===
var referential = {
workload: parWorkloadSpoke.name
}
@description('Resource group tags')
module modTags '../../azresources/Modules/Microsoft.Resources/tags/az.resources.tags.bicep' = {
name: 'Sql-Resource-Tags-${parDeploymentNameSuffix}'
scope: subscription()
params: {
tags: union(parTags, referential)
}
}
//=== Workload Tier 3 Buildout ===
module modTier3 '../../overlays/management-services/workloadSpoke/deploy.bicep' = {
name: 'deploy-wl-vnet-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parWorkloadSpoke.subscriptionId)
params: {
//Required Parameters
parRequired:parRequired
parLocation: parLocation
parTags: modTags.outputs.tags
//Hub Network Parameters
parHubSubscriptionId: parHubSubscriptionId
parHubVirtualNetworkResourceId: parHubVirtualNetworkResourceId
parHubVirtualNetworkName: parHubVirtualNetworkName
parHubResourceGroupName: parHubResourceGroupName
//WorkLoad Parameters
parWorkloadSpoke: parWorkloadSpoke
//Logging Parameters
parLogAnalyticsWorkspaceName: parLogAnalyticsWorkspaceName
parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
parEnableActivityLogging: true
}
}
//=== End Workload Tier 3 Buildout ===
```
1. Next, we will start building the Sql Server Overlay module for the deployment. The Sql Server Overlay module are used to create the resources for the Sql Server deployment. Add the following modules to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
//=== Sql Server Workload Buildout ===
module modSqlServerDeploy '../../overlays/management-services/sqlServer/deploy.bicep' = {
name: 'deploy-sql-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parWorkloadSpoke.subscriptionId)
params: {
parLocation: parLocation
parSqlServer: parSqlServer
parRequired: parRequired
parTags: modTags.outputs.tags
parTargetResourceGroup: modTier3.outputs.workloadResourceGroupName
parTargetSubscriptionId: parWorkloadSpoke.subscriptionId
}
dependsOn: [
modTier3
]
}
```
> <span class="note">IMPORTANT</span>: The **modSqlServerDeploy** module uses the Workload Tier 3 module as a dependency. This is because the Sql Server Overlay module will be deployed to the Workload Spoke Tier 3 resource group.
### Part 3: Build the Parameters for the Sql Server Workload Deployment
> <span class="note">NOTE</span>: The following steps will be adding the parameters for the Sql Server Workload deployment. The parameters will be added to the **/parameters/deploy.parameters.json** file.
---
1. Now let's build the parameters for the Sql Server Workload. Add the following to the **/parameters.json** file:
**JSON**
``` JSON
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"parRequired": {
"value": {
"orgPrefix": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev"
}
},
"parTags": {
"value": {
"organization": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev",
"deploymentType": "NoOpsBicep"
}
},
"parWorkloadSpoke": {
"value": {
"name": "sqlServer",
"shortName": "sqlServer",
"subscriptionId": "<<your subscriptionId>>",
"enableDdosProtectionPlan": false,
"network": {
"virtualNetworkAddressPrefix": "10.0.125.0/26",
"subnetAddressPrefix": "10.0.125.0/26",
"allowVirtualNetworkAccess": true,
"useRemoteGateway": false,
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [],
"NetworkSecurityGroupDiagnosticsLogs": [
"NetworkSecurityGroupEvent",
"NetworkSecurityGroupRuleCounter"
],
"subnetServiceEndpoints": [
{
"service": "Microsoft.Storage"
}
],
"subnets": [],
"routeTable": {
"disableBgpRoutePropagation": true,
"routes": [
{
"name": "wl-routetable",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopIpAddress": "10.0.100.4",
"nextHopType": "VirtualAppliance"
}
}
]
}
},
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"<<PrincipalID>>"
],
"roleDefinitionIdOrName": "Contributor"
}
}
},
"parHubSubscriptionId": {
"value": "<<hub subscriptionId>>"
},
"parHubResourceGroupName": {
"value": "anoa-eastus-dev-hub-rg"
},
"parHubVirtualNetworkName": {
"value": "anoa-eastus-dev-hub-vnet"
},
"parHubVirtualNetworkResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/anoa-eastus-dev-hub-rg/providers/Microsoft.Network/virtualNetworks/anoa-eastus-dev-hub-vnet"
},
"parLogAnalyticsWorkspaceResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/anoa-eastus-dev-logging-rg/providers/microsoft.operationalinsights/workspaces/anoa-eastus-dev-logging-log"
},
"parLogAnalyticsWorkspaceName": {
"value": "anoa-eastus-dev-logging-log"
},
"parSqlServer": {
"value": {
"sqlServerName": "sqlsrv-001",
"administratorLogin": "azureuser",
"administratorLoginPassword": "Rem0te@2020246",
"minimalTlsVersion": "1.2",
"publicNetworkAccess": "Enabled",
"enableLocks": 'CanNotDelete',
"databases": [
{
"name": "anoa",
"collation": "SQL_Latin1_General_CP1_CI_AS",
"licenseType": "LicenseIncluded",
"maxSizeBytes": 34359738368,
"skuCapacity": 12,
"skuFamily": "Gen5",
"skuName": "BC_Gen5",
"skuTier": "BusinessCritical"
}
],
"firewallRules": [
{
"endIpAddress": "0.0.0.0",
"name": "AllowAllWindowsAzureIps",
"startIpAddress": "0.0.0.0"
}
]
}
}
}
}
```
> <span class="note">NOTE</span>: The **parWorkloadSpoke** parameter is the same as the one used in the previous section. The **parSqlServer** parameter is the same as the one used in the previous section. It is important make sure that all network parameters are correct. IP addresses and subnet ranges should be unique and not overlap with other subnets in the hub or other workload spokes.
---
1. Make the following changes to the **deploy.parameters.json** file or leave default values:
- parRequired.orgPrefix = **\<your org prefix or the default 'anoa'\>**
- parTags.organization = **\<your org prefix or the default ANOA\>**
- parTags.region = **\<your Azure region (eastus, usgovvirginia, etc...)\>**
- parHubSubscriptionId = **\<subscription Id to Hub subscription\>**
- parHubResourceGroupName = **\<Resource Group Name to Hub RG\>**
- parHubVirtualNetworkResourceId = **\<Virtual Network Resource Id to Hub Network\>**
- parHubVirtualNetworkName = **\<Virtual Network Name of the Hub Network\>**
- parLogAnalyticsWorkspaceResourceId = **\<Log Analytics Workspace Resource Id to Hub Network\>**
- parLogAnalyticsWorkspaceName = **\<Log Analytics Workspace Name to Hub Network\>**
- parSqlServer.sqlServerName = **\<your sql server name\>**
- parSqlServer.administratorLogin = **\<your sql server administrator login\>**
- parSqlServer.administratorLoginPassword = **\<your sql server administrator login password\>**
- parSqlServer.databases.name = **\<your sql server database name\>**
> <span class="note">NOTE</span>: All Hub Network parameters are required. If you are using the default Hub/3 Spoke deployment, you can leave the default values. If you are using a custom Hub/Spoke deployment, you will need to update the parameters with the values from your custom Hub deployment. Make sure to fill in <<subscriptionId>> parameters with the correct subscriptions.
### Part 4: Deploy Sql Server Workload
> <span class="note">NOTE</span>: The following steps will deploy the Sql Server workload with an Tier 3 Spoke Network. The deployment will take approximately 20 minutes to complete. The deployment will fail if there is not a existing Hub/3 Spoke Network deployed. If the deployment fails, check the deployment logs for more information.
---
##### Validate the deployment with WhatIf
> <span class="note">NOTE</span>: The **WhatIf** parameter is used to validate the deployment without actually deploying the resources. This is a great way to validate the deployment before actually deploying the resources.
1. Open PowerShell and change to your directory containing the NoOps Accelerator, this demonstration uses **c\anoa**
2. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\workloads\wl-sqlserver-spoke\'**
3. Issue **$context = Get-AzContext** and record the following values: -
- Subscription ID: **$context.Subscription.Id**
> <span class="note">NOTE</span>: If more than one value is returned, choose the subscription you are targeting to create the sql server workload. You can also use **Set-AzContext** to set your current subscription for this session.
4. Issue the command:
**Azure CLI**
``` PowerShell
az deployment sub what-if --subscription $context.Subscription.Id --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location
```
> <span class="note">NOTE</span>: The **--location** parameter is used to specify the location for the resource group. This is not the location for the Sql Server. The location for the Sql Server is specified in the **parameters.json** file.
5. Review the output of the command and verify that the deployment will create the resource group and the sql server.
##### Deploy Sql Server Workload Spoke
1. Open PowerShell and change to your directory containing the NoOps Accelerator, this demonstration uses **c\anoa**
1. Issue the command **az login** and log into your tenant
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\overlays\sqlserver'**
1. Issue **$context = Get-AzContext** and record the following values: -
- Subscription ID: **$context.Subscription.Id**
> **NOTE**: If more than one value is returned, choose the subscription you are targeting to create the sql server overlay. You can also use **Set-AzContext** to set your current subscription for this session.
2. Issue the command updating the **--subscription** parameter with your subscription id and the **--location** parameter to your location
**Azure CLI**
``` PowerShell
az deployment sub create --name 'deploy-sql-server' --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location --subscription $context.Subscription.Id --only-show-errors
```
##### Remove the Sql Server Overlay
1. Issue thus command:
**Azure CLI**
``` PowerShell
Remove-AzResourceGroup -Name 'anoa-usgovvirginia-dev-sqlsrv-rg'
```
<span class="note">NOTE</span>: The resource group name is based on the parameters you used when deploying the overlay. Change the resource group name to match your previous deployment.
##### References
---
[Deploying Management Groups with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/management-groups)
[Deploying Roles with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/roles)
[Deploying Policy for Guardrails with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/Policy)
[Deploying SCCA Compliant Hub and 1-Spoke using the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/platforms/lz-platform-scca-hub-1spoke)
[Deploying a Kubernetes Private Cluster Workload using the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/workloads/wl-aks-spoke)

573
docs/training/bicep/Demonstration 8 - Enclave.md Normal file
Просмотреть файл

@ -0,0 +1,573 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Deploy an SQL Server Mission Enclave using Azure NoOps Accelerator
<div class="title">A step-by-step creation and deployment of an Mission Enclave for a SQL Server and Hub/3 Spoke Platform using the Azure NoOps Accelerator.
</div>
### Setup & Prerequisite Software
> If already done this in previous labs, then you can skip to Part 1
1. You must have installed the latest [Git client](https://git-scm.com) for working with source control
1. You must have the latest version of [Visual Studio Code](https://code.visualstudio.com/) for authoring bicep files
1. Installed the [bicep extension](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension) in Visual Studio Code
1. You must have installed either the the latest version of **AZ CLI**, see [How to install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), or **Azure PowerShell**, see [Install the Azure Az PowerShell module](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.0.1) for deploying bicep files
**PowerShell Quick Installation for Azure CLI**
``` PowerShell
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
```
**PowerShell Quick Installation for Azure PowerShell**
``` PowerShell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```
1. You must have installed the latest version of [Azure Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-powershell)
1. Either clone, fork, or download the [Azure NoOps Accelerator](https://aka.ms/azurenoops) to your local system. This demonstration uses **c:\anoa** as the root directory containing the downloaded, cloned, or forked project from GitHub
### Before we Begin
You will be making modifications to several .json files for the deployment which require knowing several sensitive pieces of information.
You can record those values here or, preferred, using your terminal save the values as variables. Additionally, you can record and save these values in Azure Key Vault if using the Azure NoOps Accelerator on a pipeline or through a automation platform.
Saving data as variables for use while executing this demonstration or lab will help. This code below will make executing the commands through PowerShell simpler and recalling these values.
``` PowerShell
az cloudset --name [AzureCloud | AzureGovernment]
az login
$context = Get-AzContext
$location = [your region]
```
#### OPTIONAL
If you choose to save and record your values use the table below. This is sensitive information and care should be taken.
| Name | Value(s) | How Used |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| Subscription ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms. You can use multiple subscriptions for your tiers. |
| Location | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms (eastus, usgovvirgina, etc..). |
### Part 1: Create an Enclave Folder
> <span class="note">NOTE</span>: For this demonstration we will be using AZ CLI with PowerShell. You can use AZ CLI with Bash or Azure PowerShell. The commands are the same. The only difference is the syntax.
---
#### Create Sql Server Enclave folder
1. Change to your directory containing the Azure NoOps Accelerator, this demonstration uses **c:\anoa**
1. Open Visual Studio Code in your directory containing the Azure NoOps Accelerator
1. Open folder directory **/src/bicep/enclaves/**
1. Create a folder called **enclaves-scca-hub3spoke-sqlserver** in the **/src/bicep/enclaves/** by right-click the folder and selecting **new folder**
> <span class="note">NOTE</span>: The folder name must start with **enclaves-scca-hub3spoke**. This is how the Azure NoOps Accelerator identifies the folder as a enclave. The rest of the folder name is used to identify the workload. The folder name must be unique. If you have multiple enclaves for the same workload, then you can add a suffix to the folder name. For example, **enclaves-scca-hub3spoke-sqlserver-1**. The suffix is not used by the Azure NoOps Accelerator, but it is used to identify the folder.
1. In the same folder create a folder called **parameters** by right-click the **enclaves-scca-hub3spoke-sqlserver** folder and selecting **new folder**
2. Add files to the **enclaves-scca-hub3spoke-sqlserver** folder by right-click the **enclaves-scca-hub3spoke-sqlserver** folder, selecting **new file** and naming the file:
- **deploy.bicep**
- **readme.md**
- **bicepconfig.json**
3. Add files to the **enclaves-scca-hub3spoke-sqlserver/parameters** folder by right-click the **enclaves-scca-hub3spoke-sqlserver/parameters** folder and selecting **new file**:
- **deploy.parameters.json**
### Part 2: Build the Bicep for the SQL Server Mission Enclave
> <span class="note">NOTE</span>: In this demonstration, we will be building a SQL Server Mission Enclave with Azure Bicep.
---
1. Open the **/deploy.bicep** file in the **enclaves-scca-hub3spoke-sqlserver** folder and make the following changes:
**Azure Bicep**
``` PowerShell
/*
SUMMARY: Workload Module to deploy a Sql Server Workload to an target sub.
DESCRIPTION: The following components will be options in this deployment
Sql Server Workload Spoke
AUTHOR/S: <your name>
*/
targetScope = 'subscription' //Deploying at Subscription scope to allow resource groups to be created and resources in one deployment
// REQUIRED PARAMETERS
// Example (JSON)
// These are the required parameters for the deployment
// -----------------------------
// "parRequired": {
// "value": {
// "orgPrefix": "anoa",
// "templateVersion": "v1.0",
// "deployEnvironment": "dev"
// }
// }
@description('Required values used with all resources.')
param parRequired object
// REQUIRED TAGS
// Example (JSON)
// These are the required tags for the deployment
// -----------------------------
// "parTags": {
// "value": {
// "organization": "anoa",
// "region": "eastus",
// "templateVersion": "v1.0",
// "deployEnvironment": "dev",
// "deploymentType": "NoOpsBicep"
// }
// }
@description('Required tags values used with all resources.')
param parTags object
@description('The region to deploy resources into. It defaults to the deployment location.')
param parLocation string = deployment().location
```
> <span class="note">NOTE</span>: Just like the overlay, we need to add the **subscription** to the **targetScope** property and add the required parameters. The **targetScope** property is used to define where the Bicep file will be deployed. The **targetScope** property can be set to **resourceGroup** or **subscription**.
1. Since this is a mission enclave, we need to add Hub/3 Spoke platform specific parameters. Add the following parameters to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
@description('Hub Virtual network configuration. See azresources/hub-spoke-core/vdss/hub/readme.md')
param parHub object
@description('Operations Spoke Virtual network configuration. See azresources/hub-spoke-core/vdms/operations/readme.md')
param parOperationsSpoke object
@description('Identity Spoke Virtual network configuration. See azresources/hub-spoke-core/vdss/identity/readme.md')
param parIdentitySpoke object
@description('Shared Services Spoke Virtual network configuration. See azresources/hub-spoke-core/vdms/sharedservices/readme.md')
param parSharedServicesSpoke object
@description('Enables Operations Network Artifacts Resource Group with KV and Storage account for the ops subscriptions used in the deployment.')
param parNetworkArtifacts object
@description('Enables DDOS deployment on the Hub Network.')
param parDdosStandard object
@description('A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.')
param parDeploymentNameSuffix string = utcNow()
@description('Required. Azure Firewall configuration. Azure Firewall is deployed in Forced Tunneling mode where a route table must be added as the next hop.')
param parAzureFirewall object
@description('Enables logging parmeters and Microsoft Sentinel within the Log Analytics Workspace created in this deployment. See azresources/hub-spoke-core/vdms/logging/readme.md')
param parLogging object
@description('Microsoft Defender for Cloud. It includes contact email and phone.')
param parSecurityCenter object
@description('When set to "true", provisions Azure Bastion Host with Jumpboxes, when specified. It defaults to "false".')
param parRemoteAccess object
```
> <span class="note">NOTE</span>: The **parHub**, **parOperationsSpoke**, **parIdentitySpoke**, **parSharedServicesSpoke**, **parNetworkArtifacts**, **parDdosStandard**, **parAzureFirewall**, **parLogging**, **parSecurityCenter**, and **parRemoteAccess** parameters are used to pass in the configuration for the Hub/3 Spoke platform. The configuration for the Hub/3 Spoke platform is stored in the **/src/bicep/azresources/hub-spoke-core** folder.
1. The workload spoke has specific parameters it needs to use resources from the Hub 3 Spoke Platform including Hub Network and Log Analytics paramters.Add the following parameters to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
// HUB NETWORK PARAMETERS
@description('The subscription ID for the Hub Network.')
param parHubSubscriptionId string
// Hub Resource Group Name
// (JSON Parameter)
// ---------------------------
// "parHubResourceGroupName": {
// "value": "anoa-eastus-platforms-hub-rg"
// }
@description('The resource group name for the Hub Network.')
param parHubResourceGroupName string
// Hub Virtual Network Name
// (JSON Parameter)
// ---------------------------
// "parHubResourceGroupName": {
// "value": "anoa-eastus-platforms-hub-rg"
// }
@description('The virtual network name for the Hub Network.')
param parHubVirtualNetworkName string
// Hub Virtual Network Resource Id
// (JSON Parameter)
// ---------------------------
// "parHubVirtualNetworkResourceId": {
// "value": "/subscriptions/xxxxxxxx-xxxxxx-xxxxx-xxxxxx-xxxxxx/resourceGroups/anoa-eastus-platforms-hub-rg/providers/Microsoft.Network/virtualNetworks/anoa-eastus-platforms-hub-vnet/subnets/anoa-eastus-platforms-hub-vnet"
// }
@description('The virtual network resource Id for the Hub Network.')
param parHubVirtualNetworkResourceId string
// LOGGING PARAMETERS
@description('Log Analytics Workspace Resource Id Needed for NSG, VNet and Activity Logging')
param parLogAnalyticsWorkspaceResourceId string
@description('Log Analytics Workspace Name Needed Activity Logging')
param parLogAnalyticsWorkspaceName string
```
> <span class="note">NOTE</span>: The **parHubSubscriptionId** parameter is the subscription Id of the Hub Network. The **parHubResourceGroupName** parameter is the resource group name of the Hub Network. The **parHubVirtualNetworkName** parameter is the virtual network name of the Hub Network. The **parHubVirtualNetworkResourceId** parameter is the virtual network resource Id of the Hub Network. The **parLogAnalyticsWorkspaceResourceId** parameter is the Log Analytics Workspace resource Id. The **parLogAnalyticsWorkspaceName** parameter is the Log Analytics Workspace name. These parameters will be used to create the Tier 3 spoke as part of a Hub 3 Spoke Platform.
2. Next, we will be adding the SQL Server object parameter for the deployment. The SQL Server object parameter is the object that will have all the parameters that defines a Sql Server for Azure. Add the following parameters to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
// SQL SERVER PARAMETERS
@description('Defines the Sql Server Object.')
param parSqlServer object
```
> <span class="note">NOTE</span>: The **parSqlServer** parameter will be used to create the Sql Server resource and will contain the following properties:
| Name | Type | Description |
| -------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| name | string | The name of the Sql Server. |
| location | string | The location of the Sql Server. |
| tags | object | The tags of the Sql Server. |
| sku | string | The sku of the Sql Server. |
| version | string | The version of the Sql Server. |
| administratorLogin | string | The administrator login of the Sql Server. |
| administratorLoginPassword | string | The administrator login password of the Sql Server. |
| publicNetworkAccess | string | The public network access of the Sql Server. |
| minimalTlsVersion | string | The minimal TLS version of the Sql Server. |
| databases | int | The databases for the Sql Server. |
| firewallRules | array | The firewall rules of the Sql Server. |
| minimalTlsVersion | string | Minimal TLS version allowed. [1.0, 1.1, 1.2] |
| publicNetworkAccess | bool | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. |
| enableLocks | bool | Enable resource lock |
We will be adding the **parSqlServer** parameters to the **/parameters/deploy.parameters.json** file in Part 3.
1. Now we will start building the Tier 3 module for the deployment. The Tier 3 module are used to create the resources for the workload deployment. Add the following modules to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
//=== TAGS ===
var referential = {
workload: parWorkloadSpoke.name
}
@description('Resource group tags')
module modTags '../../azresources/Modules/Microsoft.Resources/tags/az.resources.tags.bicep' = {
name: 'Sql-Resource-Tags-${parDeploymentNameSuffix}'
scope: subscription()
params: {
tags: union(parTags, referential)
}
}
//=== Workload Tier 3 Buildout ===
module modTier3 '../../overlays/management-services/workloadSpoke/deploy.bicep' = {
name: 'deploy-wl-vnet-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parWorkloadSpoke.subscriptionId)
params: {
//Required Parameters
parRequired:parRequired
parLocation: parLocation
parTags: modTags.outputs.tags
//Hub Network Parameters
parHubSubscriptionId: parHubSubscriptionId
parHubVirtualNetworkResourceId: parHubVirtualNetworkResourceId
parHubVirtualNetworkName: parHubVirtualNetworkName
parHubResourceGroupName: parHubResourceGroupName
//WorkLoad Parameters
parWorkloadSpoke: parWorkloadSpoke
//Logging Parameters
parLogAnalyticsWorkspaceName: parLogAnalyticsWorkspaceName
parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
parEnableActivityLogging: true
}
}
//=== End Workload Tier 3 Buildout ===
```
1. Next, we will start building the Sql Server Overlay module for the deployment. The Sql Server Overlay module are used to create the resources for the Sql Server deployment. Add the following modules to the **/deploy.bicep** file:
**Azure Bicep**
``` PowerShell
//=== Sql Server Workload Buildout ===
module modSqlServerDeploy '../../overlays/management-services/sqlServer/deploy.bicep' = {
name: 'deploy-sql-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parWorkloadSpoke.subscriptionId)
params: {
parLocation: parLocation
parSqlServer: parSqlServer
parRequired: parRequired
parTags: modTags.outputs.tags
parTargetResourceGroup: modTier3.outputs.workloadResourceGroupName
parTargetSubscriptionId: parWorkloadSpoke.subscriptionId
}
dependsOn: [
modTier3
]
}
```
> <span class="note">IMPORTANT</span>: The **modSqlServerDeploy** module uses the Workload Tier 3 module as a dependency. This is because the Sql Server Overlay module will be deployed to the Workload Spoke Tier 3 resource group.
### Part 3: Build the Parameters for the Sql Server Workload Deployment
> <span class="note">NOTE</span>: The following steps will be adding the parameters for the Sql Server Workload deployment. The parameters will be added to the **/parameters/deploy.parameters.json** file.
---
1. Now let's build the parameters for the Sql Server Workload. Add the following to the **/parameters.json** file:
**JSON**
``` JSON
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"parRequired": {
"value": {
"orgPrefix": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev"
}
},
"parTags": {
"value": {
"organization": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev",
"deploymentType": "NoOpsBicep"
}
},
"parWorkloadSpoke": {
"value": {
"name": "sqlServer",
"shortName": "sqlServer",
"subscriptionId": "<<your subscriptionId>>",
"enableDdosProtectionPlan": false,
"network": {
"virtualNetworkAddressPrefix": "10.0.125.0/26",
"subnetAddressPrefix": "10.0.125.0/26",
"allowVirtualNetworkAccess": true,
"useRemoteGateway": false,
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [],
"NetworkSecurityGroupDiagnosticsLogs": [
"NetworkSecurityGroupEvent",
"NetworkSecurityGroupRuleCounter"
],
"subnetServiceEndpoints": [
{
"service": "Microsoft.Storage"
}
],
"subnets": [],
"routeTable": {
"disableBgpRoutePropagation": true,
"routes": [
{
"name": "wl-routetable",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopIpAddress": "10.0.100.4",
"nextHopType": "VirtualAppliance"
}
}
]
}
},
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"<<PrincipalID>>"
],
"roleDefinitionIdOrName": "Contributor"
}
}
},
"parHubSubscriptionId": {
"value": "<<hub subscriptionId>>"
},
"parHubResourceGroupName": {
"value": "anoa-eastus-dev-hub-rg"
},
"parHubVirtualNetworkName": {
"value": "anoa-eastus-dev-hub-vnet"
},
"parHubVirtualNetworkResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/anoa-eastus-dev-hub-rg/providers/Microsoft.Network/virtualNetworks/anoa-eastus-dev-hub-vnet"
},
"parLogAnalyticsWorkspaceResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/anoa-eastus-dev-logging-rg/providers/microsoft.operationalinsights/workspaces/anoa-eastus-dev-logging-log"
},
"parLogAnalyticsWorkspaceName": {
"value": "anoa-eastus-dev-logging-log"
},
"parSqlServer": {
"value": {
"sqlServerName": "sqlsrv-001",
"administratorLogin": "azureuser",
"administratorLoginPassword": "Rem0te@2020246",
"minimalTlsVersion": "1.2",
"publicNetworkAccess": "Enabled",
"enableLocks": 'CanNotDelete',
"databases": [
{
"name": "anoa",
"collation": "SQL_Latin1_General_CP1_CI_AS",
"licenseType": "LicenseIncluded",
"maxSizeBytes": 34359738368,
"skuCapacity": 12,
"skuFamily": "Gen5",
"skuName": "BC_Gen5",
"skuTier": "BusinessCritical"
}
],
"firewallRules": [
{
"endIpAddress": "0.0.0.0",
"name": "AllowAllWindowsAzureIps",
"startIpAddress": "0.0.0.0"
}
]
}
}
}
}
```
> <span class="note">NOTE</span>: The **parWorkloadSpoke** parameter is the same as the one used in the previous section. The **parSqlServer** parameter is the same as the one used in the previous section. It is important make sure that all network parameters are correct. IP addresses and subnet ranges should be unique and not overlap with other subnets in the hub or other workload spokes.
---
1. Make the following changes to the **deploy.parameters.json** file or leave default values:
- parRequired.orgPrefix = **\<your org prefix or the default 'anoa'\>**
- parTags.organization = **\<your org prefix or the default ANOA\>**
- parTags.region = **\<your Azure region (eastus, usgovvirginia, etc...)\>**
- parHubSubscriptionId = **\<subscription Id to Hub subscription\>**
- parHubResourceGroupName = **\<Resource Group Name to Hub RG\>**
- parHubVirtualNetworkResourceId = **\<Virtual Network Resource Id to Hub Network\>**
- parHubVirtualNetworkName = **\<Virtual Network Name of the Hub Network\>**
- parLogAnalyticsWorkspaceResourceId = **\<Log Analytics Workspace Resource Id to Hub Network\>**
- parLogAnalyticsWorkspaceName = **\<Log Analytics Workspace Name to Hub Network\>**
- parSqlServer.sqlServerName = **\<your sql server name\>**
- parSqlServer.administratorLogin = **\<your sql server administrator login\>**
- parSqlServer.administratorLoginPassword = **\<your sql server administrator login password\>**
- parSqlServer.databases.name = **\<your sql server database name\>**
> <span class="note">NOTE</span>: All Hub Network parameters are required. If you are using the default Hub/3 Spoke deployment, you can leave the default values. If you are using a custom Hub/Spoke deployment, you will need to update the parameters with the values from your custom Hub deployment. Make sure to fill in <<subscriptionId>> parameters with the correct subscriptions.
### Part 4: Deploy Sql Server Workload
> <span class="note">NOTE</span>: The following steps will deploy the Sql Server workload with an Tier 3 Spoke Network. The deployment will take approximately 20 minutes to complete. The deployment will fail if there is not a existing Hub/3 Spoke Network deployed. If the deployment fails, check the deployment logs for more information.
---
##### Validate the deployment with WhatIf
> <span class="note">NOTE</span>: The **WhatIf** parameter is used to validate the deployment without actually deploying the resources. This is a great way to validate the deployment before actually deploying the resources.
1. Open PowerShell and change to your directory containing the NoOps Accelerator, this demonstration uses **c\anoa**
2. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\workloads\wl-sqlserver-spoke\'**
3. Issue **$context = Get-AzContext** and record the following values: -
- Subscription ID: **$context.Subscription.Id**
> <span class="note">NOTE</span>: If more than one value is returned, choose the subscription you are targeting to create the sql server workload. You can also use **Set-AzContext** to set your current subscription for this session.
4. Issue the command:
**Azure CLI**
``` PowerShell
az deployment sub what-if --subscription $context.Subscription.Id --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location
```
> <span class="note">NOTE</span>: The **--location** parameter is used to specify the location for the resource group. This is not the location for the Sql Server. The location for the Sql Server is specified in the **parameters.json** file.
5. Review the output of the command and verify that the deployment will create the resource group and the sql server.
##### Deploy Sql Server Workload Spoke
1. Open PowerShell and change to your directory containing the NoOps Accelerator, this demonstration uses **c\anoa**
1. Issue the command **az login** and log into your tenant
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\overlays\sqlserver'**
1. Issue **$context = Get-AzContext** and record the following values: -
- Subscription ID: **$context.Subscription.Id**
> **NOTE**: If more than one value is returned, choose the subscription you are targeting to create the sql server overlay. You can also use **Set-AzContext** to set your current subscription for this session.
2. Issue the command updating the **--subscription** parameter with your subscription id and the **--location** parameter to your location
**Azure CLI**
``` PowerShell
az deployment sub create --name 'deploy-sql-server' --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location --subscription $context.Subscription.Id --only-show-errors
```
##### Remove the Sql Server Overlay
1. Issue thus command:
**Azure CLI**
``` PowerShell
Remove-AzResourceGroup -Name 'anoa-usgovvirginia-dev-sqlsrv-rg'
```
<span class="note">NOTE</span>: The resource group name is based on the parameters you used when deploying the overlay. Change the resource group name to match your previous deployment.
##### References
---
[Deploying Management Groups with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/management-groups)
[Deploying Roles with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/roles)
[Deploying Policy for Guardrails with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/Policy)
[Deploying SCCA Compliant Hub and 1-Spoke using the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/platforms/lz-platform-scca-hub-1spoke)
[Deploying a Kubernetes Private Cluster Workload using the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/workloads/wl-aks-spoke)

21
docs/training/bicep/Demonstration 9 - RolesManagement.md Normal file
Просмотреть файл

@ -0,0 +1,21 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Create and Deploy Roles using Azure NoOps Accelerator
<div class="title">A step-by-step creation and deployment of Roles for an Mission Enclave using the Azure NoOps Accelerator.
</div>

295
docs/training/terraform/Demonstration 1 - Incrementally Deploy Enclave.md Normal file
Просмотреть файл

@ -0,0 +1,295 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Incrementally Deploy a Mission Enclave with Azure Kubernetes Services using Azure NoOps Accelerator and Terraform
<div class="title">A step-by-step deployment using the NoOps Accelerator to deploy an infrastructure with a private Kubernetes cluster.
</div>
### Setup & Prerequisite Software
1. You must have installed the latest [Git client](https://git-scm.com) for working with source control
1. You must have the latest version of [Visual Studio Code](https://code.visualstudio.com/) for authoring bicep files
1. Installed the [bicep extension](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension) in Visual Studio Code
1. You must have installed either the the latest version of **AZ CLI**, see [How to install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), or **Azure PowerShell**, see [Install the Azure Az PowerShell module](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.0.1) for deploying bicep files
**PowerShell Quick Installation for Azure CLI**
``` PowerShell
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
```
**PowerShell Quick Installation for Azure PowerShell**
``` PowerShell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```
1. You must have installed the latest version of [Azure Terraform](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-powershell)
1. Either clone, fork, or download the [NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator) to your local system. This demonstration uses **c:\anoa** as the root directory containing the downloaded, cloned, or forked project from GitHub
### Before we Begin
You will be making modifications to several .json files for the deployment which require knowing several sensitive pieces of information. You will also create a group in Azure Active Directory, and you will need that group's object id. Finally, you will be creating an application registration in Azure Active Directory and will need the client id and secret.
You can record those values here or, preferred, using your terminal save the values as variables. Additionally, you can record and save these values in Azure Key Vault if using the Azure NoOps Accelerator on a pipeline or through a automation platform.
#### OPTIONAL
If you choose to save and record your values use the table below. This is sensitive information and care should be taken.
| Name | Value(s) | How Used |
| --- | --- | --- |
| Tenant ID | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying management groups or policies. |
| Subscription ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div></br><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms. You can use multiple subscriptions for your tiers. |
| Principal ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When using either built-in roles or custom deployed ANOA roles for securing resources. |
| Object ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying resources that need to use an Active Directory Group for access control. |
| Client ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying your Kubernetes cluster for the application registration. |
| Location | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms (eastus, usgovvirgina, etc..). |
#### OPTIONAL
Saving data as variables for use while executing this demonstration or lab. This will make executing the commands through PowerShell simpler.
``` PowerShell
az cloudset --name [AzureCloud | AzureGovernment]
az login
$context = Get-AzContext
$location = [your region]
```
### Part 1: Create Management Groups
---
> NOTE: For this demonstration we will be using AZ CLI with PowerShell
1. Open PowerShell and change to your directory containing the NoOps Accelerator, this demonstration uses **c\anoa**
1. Issue the command **az login** and log into your tenant
1. Issue **$context = Get-AzContext** and record the following values:
- Tenant ID: **$context.Tenant.Id**
- Subscription ID: **$context.Subscription.Id**
> **NOTE**: If more than one value is returned, choose the subscription you are targeting to create the management group structure and choose the tenant id for that subscription. You can also use **Set-AzContext** to set your current subscription for this session.
1. Open Visual Studio Code in your directory containing the NoOps Accelerator
1. Change to the **/src/bicep/overlays/management-groups/** directory
1. Open the **/parameters/deploy.parameters.json** file and make the following changes:
- parentMGName: **$context.Tenant.Id**
- subscriptionId: **$context.Subscription.Id**
- parTenantId: **$context.Tenant.Id**
1. In your PowerShell session issue **Set-Location -Path 'c:\anoa\src\bicep\overlays\management-groups'**
1. Issue the command updating the location parameter to the region you wish to deploy to:
**Azure CLI**
``` PowerShell
az deployment mg create --name 'deploy-enclave-mg' --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --management-group-id $context.Tenant.Id --location $location --only-show-errors
```
> **NOTE**: This operation will move your subscription to the **management** management group in the structure
> **WARNING**: If you plan to delete the structure remember to **MOVE** your subscription from the **management** management group to your tenant root
### Part 2: Create Roles
---
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\overlays\roles'**
1. Open the **/parameters/deploy.parameters.all.json** file and make the following changes:
- parAssignableScopeManagementGroupId: **ANOA** (if you are not using the default, change to the name of your intermediate management group)
1. Issue the command updating the **--management-group-id** paramter to your intermediate management group name or **ANOA** as the default
**Azure CLI**
``` PowerShell
az deployment mg create --name 'deploy-enclave-roles' --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.all.json' --management-group-id 'ANOA' --location $location --only-show-errors
```
### Part 3: Delpoy NIST 800.53 R5 Policy
---
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\overlays\policy\builtin\assignments'**
1. Open the **deploy-nist80054r5.parameters.json** file and make the following changes:
- parPolicyAssignmentManagementGroupId: **ANOA** (if you are not using the default, change to the name of your intermediate management group)
1. Issue the command updating the **--management-group-id** parameter to your intermediate management group name, or use the default value of **ANOA**, and your **--location**
**Azure CLI**
``` PowerShell
az deployment mg create --name 'deploy-policy-nistr5' --template-file 'policy-nist80053r5.bicep' --parameters 'policy-nist80053r5.parameters.json' --management-group-id 'ANOA' --location $location --only-show-errors
```
### Part 4: Deploy 3-Spoke Platform
---
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\platforms\lz-platform-scca-hub-3spoke'**
1. Open the **/parameters/deploy.parameters.json** file and make the following changes:
- parRequired.orgPrefix: **ANOA** (if you are not using the default, change to the name of your intermediate management group)
- parTags.organization: **ANOA** (if you are not using the default, change to the name of your intermediate management group)
- parHub.subscriptionId: **$context.Subscription.Id**
- parIdentitySpoke.subscriptionId: **$context.Subscription.Id**
- parOperationsSpoke.subscriptionId: **$context.Subscription.Id**
- parSharedServicesSpoke.subscriptionId: **$context.Subscription.Id**
1. Issue the command updating the **--location** parameter to your location
**Azure CLI**
``` PowerShell
az deployment sub create --name 'deploy-hub3spoke-network' --subscription $context.Subscription.Id --template-file 'deploy.bicep' --location $location --parameters '@parameters/deploy.parameters.json' --only-show-errors
```
### Part 5: Deploy Kubernetes Workload
---
##### Create an Azure Active Directory Group
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **Groups** in the left navigation
1. Click on **New Group** in the top breadcrumb navigation
1. Provide the following information:
- Group Type: **security**
- Group Name: **K8S Cluster Administrators**
- Group Description: **Administrators of Kubernetes Clusters**
- Owners: **<\< your login \>>**
- Members: **<\< your login \>>**
- Click the **Create** button
1. Record the Object Id for the group, this will be used in the workload deployment for Kubernetes
##### Create an App Registration in Azure Active Directory
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **App Registrations** in the left navigation menu
1. Click on **+New Registration** in the top breadcrumb navigation
1. Provide the following information:
- Name: **ar-eastus-k8s-anoa-01** or a name of your liking
- Supported Account Types: **Accounts in this organizational directory only (... - Single Tenant)**
- Redirect URI (Optional): **do not configure, leave as default**
- Click the **Register** button
1. Click on **Overview** in the left navigation and record the following information:
- Application (client) ID: **<\< client id \>>**
1. Click on **Certificates & Secrets** in the left navigation
1. Click on **+New Client Secret** and provide the following information:
- Description: Kubernetes App Registration for ANOA
- Expires: 3 months or choose an appropriate time for your organization
- Click the **Add** button
1. Copy and record the Secret ID. You will use this in your Kubernetes workload deployment.
##### Deploy Kubernetes Workload
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\workloads\wl-aks-spoke'**
1. Open the **/parameters/deploy.parameters.json** file and make the following changes:
- parRequired.orgPrefix: **ANOA** or your Intermediate management group name
- parTags.organization: **ANOA** or your Intermediate management group name
- parWorkloadSpoke.subscriptionId: **$context.Subscription.Id**
- parHubSubscriptionId: **$context.Subscription.Id**
- parHubVirtualNetworkResourceId: **$context.Subscription.Id**
- parLogAnalyticsWorkspaceResourceId: **$context.Subscription.Id**
- parKubernetesCluster.aksClusterKubernetesVersion: **1.24.6**
> NOTE: Issue the command **az aks get-versions --location eastus --query orchestrators[-1].orchestratorVersion --output tsv** to retrieve your regions highest version
- parKubernetesCluster.aadProfile.aadProfileTenantId: **$context.Tenant.Id**
- parKubernetesCluster.aadProfile.aadProfileAdminGroupObjectIds: **the Object ID from the K8S Cluster Administrators group**
- parKubernetesCluster.addonProfiles.config.logAnalyticsWorkspaceResourceId: **$context.Subscription.Id**
- parKubernetesCluster.servicePrincipalProfile.clientId: **<<your app registration application (client) ID >>**
- parKubernetesCluster.servicePrincipalProfile.secret: **<<your app registration application (client) IDs secret>>**
1. Issue the command updating the **--subscription** parameter with your subscription id and the **--location** parameter to your location
**Azure CLI**
``` PowerShell
az deployment sub create --name 'deploy-aks-network' --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location --subscription $context.Subscription.Id --only-show-errors
```
##### References
---
[Deploying Management Groups with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/management-groups)
[Deploying Roles with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/roles)
[Deploying Policy for Guardrails with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/Policy)
[Deploying SCCA Compliant Hub and 1-Spoke using the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/platforms/lz-platform-scca-hub-1spoke)
[Deploying a Kubernetes Private Cluster Workload using the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/workloads/wl-aks-spoke)

21
docs/training/terraform/Demonstration 10 - PolicyAsCode.md Normal file
Просмотреть файл

@ -0,0 +1,21 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Create and Deploy Policy for Mission Enclave using Azure NoOps Accelerator
<div class="title">A step-by-step creation and deployment of Policy for an Mission Enclave using the Azure NoOps Accelerator.
</div>

203
docs/training/terraform/Demonstration 2 - Deploy Enclave.md Normal file
Просмотреть файл

@ -0,0 +1,203 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Deploy Azure Kubernetes Cluster Mission Enclave using Azure CLI, Terraform and PowerShell
<div class="title">An mission enclave deployment using the Azure NoOps Accelerator for a Azure Kubernetes Service private cluster and Hub/3 Spoke Platform.
</div>
### Setup & Prerequisite Software
1. You must have installed the latest [Git client](https://git-scm.com) for working with source control
1. You must have the latest version of [Visual Studio Code](https://code.visualstudio.com/) for authoring bicep files
1. Installed the [bicep extension](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension) in Visual Studio Code
1. You must have installed either the the latest version of **AZ CLI**, see [How to install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), or **Azure PowerShell**, see [Install the Azure Az PowerShell module](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.0.1) for deploying bicep files
**PowerShell Quick Installation for Azure CLI**
``` PowerShell
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
```
**PowerShell Quick Installation for Azure PowerShell**
``` PowerShell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```
1. You must have installed the latest version of [Azure Terraform](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-powershell)
1. Either clone, fork, or download the [NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator) to your local system. This demonstration uses **c:\anoa** as the root directory containing the downloaded, cloned, or forked project from GitHub
### Before we Begin
You will be making modifications to several .json files for the deployment which require knowing several sensitive pieces of information. You will also create a group in Azure Active Directory, and you will need that group's object id. Finally, you will be creating an application registration in Azure Active Directory and will need the client id and secret.
You can record those values here or, preferred, using your terminal save the values as variables. Additionally, you can record and save these values in Azure Key Vault if using the Azure NoOps Accelerator on a pipeline or through a automation platform.
#### OPTIONAL
If you choose to save and record your values use the table below. This is sensitive information and care should be taken.
| Name | Value(s) | How Used |
| --- | --- | --- |
| Tenant ID | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying management groups or policies. |
| Subscription ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div></br><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms. You can use multiple subscriptions for your tiers. |
| Principal ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When using either built-in roles or custom deployed ANOA roles for securing resources. |
| Object ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying resources that need to use an Active Directory Group for access control. |
| Client ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying your Kubernetes cluster for the application registration. |
| Location | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms (eastus, usgovvirgina, etc..). |
#### OPTIONAL
Saving data as variables for use while executing this demonstration or lab. This will make executing the commands through PowerShell simpler.
``` PowerShell
az cloudset --name [AzureCloud | AzureGovernment]
az login
$context = Get-AzContext
$location = [your region]
```
### Part 1: Deploy Kubernetes Workload using an Enclave
> NOTE: If you have already created the Azure Active Diretory group and App Registration you can simply record those values and re-use them in this demonstration.
---
##### Create an Azure Active Directory Group
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **Groups** in the left navigation
1. Click on **New Group** in the top breadcrumb navigation
1. Provide the following information:
- Group Type: **security**
- Group Name: **K8S Cluster Administrators**
- Group Description: **Administrators of Kubernetes Clusters**
- Owners: **<\< your login \>>**
- Members: **<\< your login \>>**
- Click the **Create** button
1. Record the Object Id for the group, this will be used in the workload deployment for Kubernetes
##### Create an App Registration in Azure Active Directory
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **App Registrations** in the left navigation menu
1. Click on **+New Registration** in the top breadcrumb navigation
1. Provide the following information:
- Name: **ar-eastus-k8s-anoa-01** or a name of your liking
- Supported Account Types: **Accounts in this organizational directory only (... - Single Tenant)**
- Redirect URI (Optional): **do not configure, leave as default**
- Click the **Register** button
1. Click on **Overview** in the left navigation and record the following information:
- Application (client) ID: **<\< client id \>>**
1. Click on **Certificates & Secrets** in the left navigation
1. Click on **+New Client Secret** and provide the following information:
- Description: Kubernetes App Registration for ANOA
- Expires: 3 months or choose an appropriate time for your organization
- Click the **Add** button
1. Copy and record the Secret ID. You will use this in your Kubernetes workload deployment.
##### Preparing for Deployment
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\enclaves\enclave-scca-hub3spoke-aks'**
1.
##### Deploy Kubernetes Workload
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\enclaves\enclave-scca-hub3spoke-aks'**
1. Open the **/parameters/deploy.parameters.json** file and make the following changes:
- parRequired.orgPrefix: **<<your organization or ANOA (default)>>**
- parTags.organization: **<<your organization or ANOA (default)>>**
- parTags.region: **<<your Azure region (eastus, usgovvirginia, etc..)>>**
- parHub.subscriptionId: **<<subscriptionId>>**
- parIdentitySpoke.subscriptionId: **<<subscriptionId>>**
- parOperationsSpoke.subscriptionId: **<<subscriptionId>>**
- parSharedServicesSpoke.subscriptionId: **<<subscriptionId>>**
- parAksWorkload.subscriptionId: **<<subscriptionId>>**
- parKubernetesCluster.aksClusterKubernetesVersion: **1.24.6**
> NOTE: Issue the command **az aks get-versions --location eastus --query orchestrators[-1].orchestratorVersion --output tsv** to retrieve your regions highest version
- parKubernetesCluster.aadProfile.aadProfile.TenantId: **<<tenantId>>**
- parKubernetesCluster.aadProfile.aadProfileAdminGroupObjectIds: **<<objectId of AAD Group>>**
- parKubernetesCluster.addonProfiles.config.logAnalyticsWorkspaceResourceId: **<<subscriptionId>>**
- parKubernetesCluster.servicePrincipalProfile.clientId: **<<clientId of AAD App Registration>>**
- parKubernetesCluster.servicePrincipalProfile.secret: **<<secret of AAD App Registration>>**
1. Issue the command updating the **--subscription** parameter with your subscription id and the **--location** parameter to your location
**Azure CLI**
``` PowerShell
az deployment sub create --name 'deploy-scca-enclave-with-aks' --template-file deployCompressed.json' --parameters '@parameters/deploy.parameters.json' --location $location –subscription $context.Subscription.Id --only-show-errors
```
> NOTE: Be sure to review the section **Preparing for Deployment**
##### References
---
[Deploying Management Groups with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/management-groups)
[Deploying Roles with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/roles)
[Deploying Policy for Guardrails with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/Policy)
[Deploying SCCA Compliant Hub and 1-Spoke using the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/platforms/lz-platform-scca-hub-1spoke)
[Deploying a Kubernetes Private Cluster Workload using the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/workloads/wl-aks-spoke)

622
docs/training/terraform/Demonstration 3 - DevOps to NoOps.md Normal file
Просмотреть файл

@ -0,0 +1,622 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Deploy Azure Kubernetes Cluster Mission Enclave using Azure DevOps Services and Terraform
<div class="title">Using Azure DevOps Services for an enclave deployment using the NoOps Accelerator for a Azure Kubernetes Service private cluster and mission landing zone.
</div>
### Setup & Prerequisite Software
1. You must have installed the latest [Git client](https://git-scm.com) for working with source control
1. You must have the latest version of [Visual Studio Code](https://code.visualstudio.com/) for authoring bicep files
1. Installed the [bicep extension](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension) in Visual Studio Code
1. You must have installed either the the latest version of **AZ CLI**, see [How to install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), or **Azure PowerShell**, see [Install the Azure Az PowerShell module](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.0.1) for deploying bicep files
**PowerShell Quick Installation for Azure CLI**
``` PowerShell
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
```
**PowerShell Quick Installation for Azure PowerShell**
``` PowerShell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```
1. You must have installed the latest version of [Azure Terraform](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-powershell)
1. Either clone, fork, or download the [NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator) to your local system. This demonstration uses **c:\anoa** as the root directory containing the downloaded, cloned, or forked project from GitHub
### Before we Begin
You will be making modifications to several .json files for the deployment which require knowing several sensitive pieces of information. You will also create a group in Azure Active Directory, and you will need that group's object id. Finally, you will be creating an application registration in Azure Active Directory and will need the client id and secret.
You can record those values here or, preferred, using your terminal save the values as variables. Additionally, you can record and save these values in Azure Key Vault if using the Azure NoOps Accelerator on a pipeline or through a automation platform.
Saving data as variables for use while executing this demonstration or lab will help. This code below will make executing the commands through PowerShell simpler and recalling these values.
``` PowerShell
az cloudset --name [AzureCloud | AzureGovernment]
az login
$context = Get-AzContext
$location = [your region]
```
### Part 1: Setup Azure DevOps Services
> <span class="note">NOTE</span>: If you are on an Azure government cloud, Azure DevOps Services is not available. You can access the service, but you will not be able to choose an Azure government region to host your Azure DevOps Services. In this situation, either deploy Azure DevOps Server as a VM or a physical server in your environment.
> <span class="note">NOTE</span>: If you are using a VM or on-premise Azure DevOps Server, replace **dev.azure.com** with your deployment URL for this demonstration.
---
#### Create an Account or Sign-In to Azure DevOps Services
1. Navigate to [https://dev.azure.com](https://dev.azure.com) and create an account or log in
#### Create a new Project
1. Create a new project with the following settings:
- Name: **anoa**
- Description: **Azure NoOps Accelerator**
- Visibility: **Enterprise** *or* **Private**
- Advanced:
- Version Control: **Git**
- Work item process: **Agile**
#### Download the Azure NoOps Accelerator and Create a Repository
1. Download the latest Azure NoOps Acelerator version from [https://github.com/Azure/NoOpsAccelerator/releases](https://github.com/Azure/NoOpsAccelerator/releases) and unzip to a directory on your computer. This demonstration uses **c:\anoa** as the root directory.
1. Open PowerShell or your terminal of choice and change to the directory where you unzipped the Azure NoOps Accelerator
``` PowerShell
Set-Location -Path 'c:\anoa'
```
1. Issue Git commands to create a repository
``` PowerShell
git init .
git add *
git commit -m "Initialized ANOA"
```
1. Connect your local repository to Azure DevOps Services and push your changes
``` PowerShell
git remote add origin https://<your login name>@dev.azure.com/<your organization name>/<your project name>/_git/anoa
git push -u origin --all
```
#### OPTIONAL: Setup Areas and Iterations for Incremental Development
> <span class="note">NOTE</span>: This step demonstrates setting up a hierarical backlog using a three week sprint for controlling and releasing changes on a predictable schedule.
1. In Azure DevOps Services, click on **Project Settings** found at the bottom left of the page
1. In the **Boards** section, click on **Project Configuration**
##### OPTIONAL: Setup Areas
> <span class="note">NOTE</span>: Areas are used here to create a hierarchy to show progress and effort roll-up for enterprise reporting. This is just an example below. You could also use your archetypes or management groups in Azure as a basis for establishing this structure.
1. Create a new child under **anoa** named **Modern Portfolio**
1. Create a new child under **Modern Portfolio** named **Mission Owner Alpha**
1. Create a new child under **Mission Owner Alpha** named **NoOps Team**
1. Create a new child under **Mission Owner Alpha** named **Application Development Team**
1. Create a new child under **Modern Portfolio** named **Mission Owner Bravo**
##### OPTIONAL: Setup Iterations
1. Click on Iterations found at the top breadcrumb navigation element
1. Delete the pre-configured **Iteration 1**, **Iteration 2**, and **Iteration 3** elements
> <span class="note">NOTE</span>: Adjust the years/dates to represent your current dates
1. Create a new child under **anoa** named **Fiscal Year 2023**
- Start Date: 7/1/2022
- End Date: 6/30/2023
1. Create a new child under **Fiscal Year 2022** named **Program Increment 1**
- Start Date: 7/1/2022
- End Date: 9/23/2022
Use this PowerShell snippet to calculate the Program Increment period:
$d = ([DateTime]'7/1/2022').AddDays(84); while ($d.DayOfWeek -eq "Saturday" -or $d.DayOfWeek -eq "Sunday") { $d = $d.AddDays(1) }; $d
The $d = ([DateTime]'7/1/2022') part of the PowerShell is the start of the Program Increment. If you need to make a second Program Increment change the $d = ([DateTime]'7/1/2022') statement to the start of the second Program Increment, for example: $d = ([DateTime]'9/23/2022')
1. Create a new child under **Program Increment 1** named **Sprint 1**
- Start Date: 7/1/2022
- End Date: 7/21/2022 **Note:** This is a three week sprint
1. Create the remaning two sprints in **Program Increment 1**:
- Name: **Sprint 2**
- Start Date: 7/22/2022
- End Date: 8/11/2022
- Name: **Sprint 3**
- Start Date: 8/12/2022
- End Date: 9/1/2022
1. Create the **Innovation & Planning Sprint**:
- Name: IP Sprint
- Start Date: 9/2/2022
- End Date: 9/23/2022
##### OPTIONAL: Configure the 'anoa Team' for Iterations and Areas
> <span class="note">NOTE</span>: You would use this process for any other teams created in this project to establish enterprise alingment and autonomy.
1. Click on **Team Configuration** found under the **Boards** heading while in the **Project Configuration**
1. Verify that you have **anoa Team** chosen with the Team Selector on the top-most breadcrump navigation element.
1. Uncheck the box for **Features**
> <span class="note">NOTE</span>: Typically, when establishing enterprise autonomy and alignment, you will not have an Azure Board expose more than one type of backlog item. A different team would be responsible for creating Features. Creating Features would happen on the Program Increment Planning sessions.
1. Choose **Bugs are managed with requirements** in the **Working with bugs** section. This will allow bugs to visually appear on your Azure Board.
1. Click on **Iterations**, then click on **+ Select Iteration(s)** and assign the **anoa Team** only the sprints including the IP sprint
1. Click on **Areas** in the breadcrumb navigation element
1. Click on **change** and navigate the hierarchy and choose **anoa Team**
1. In the area listed below, hover over the area, click the ellipses, then choose **include sub-areas**
1. You have completed configuration a Team for use with a hierarchy of time and areas.
### OPTIONAL: Part 2: Using Kanban for Change Visibility
This is the entry point for Developers, Cyber, and Operations to shift-left and work together for changes. A new team will be created called **anoa Team**. This is an Azure AD backed team. Add the Developers, Cyber, and Operations persons to this team which will grant access to the repository for changes.
---
#### OPTIONAL: Configure Azure Boards
1. Click on **Boards** found under the **Boards** heading in the left navigation
1. Click on the gear icon located at the top-right of the Azure Board
1. On the **Fields** page, make the following changes:
- Click on **+ Field** and add **Iteration Path**
- Check the box to **Show empty fields**
- Make the same two changes to the **Bug** page (this will be a tab named Bug)
> <span class="note">NOTE</span>: Bug will only display as a tab here if you have enabled it in one of these areas:
>
> 1. Choose **Bugs are managed with requirements** in the **Working with bugs** section while configuring a team, or
>
> 1. In the **General** section, the **Working with bugs**, you choose **Bugs are managed with requirements**
1. Click on **Columns** under the **Boards** section and configure:
- Rename **New** to **Backlog**
- Rename **Active** to **In-Progress** and split to **doing and done**
- Delete **Resolved**
1. Click on **Swimlanes** under the **Boards** section and configure:
- Click on **+ Swimlane** and add a new swimlane named **Architectural**
- Rename the default swimlane to **Business**
- Click on **Save and Close** button to return to your configured Azure Board
### Part 3: Deploy Kubernetes Workload using an Enclave
> <span class="note">NOTE</span>: If you have already created the Azure Active Directory group and App Registration you can simply record those values and re-use them in this demonstration.
---
#### Create an Azure Active Directory Group
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **Groups** in the left navigation
1. Click on **New Group** in the top breadcrumb navigation
1. Provide the following information:
- Group Type: **security**
- Group Name: **K8S Cluster Administrators**
- Group Description: **Administrators of Kubernetes Clusters**
- Owners: **<\< your login \>>**
- Members: **<\< your login \>>**
- Click the **Create** button
1. Record the Object Id for the group, this will be used in the workload deployment for Kubernetes
#### Create an App Registration in Azure Active Directory for Kubernetes
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **App Registrations** in the left navigation menu
1. Click on **+New Registration** in the top breadcrumb navigation
1. Provide the following information:
- Name: **ar-k8s-dev-eastus-001** or a name of your liking
- Supported Account Types: **Accounts in this organizational directory only (... - Single Tenant)**
- Redirect URI (Optional): **do not configure, leave as default**
- Click the **Register** button
1. Click on **Overview** in the left navigation and record the following information:
- Application (client) ID: **<\< client id \>>**
1. Click on **Certificates & Secrets** in the left navigation
1. Click on **+New Client Secret** and provide the following information:
- Description: Kubernetes App Registration for ANOA
- Expires: 3 months or choose an appropriate time for your organization
- Click the **Add** button
1. Copy and record the Secret ID. You will use this in your Kubernetes workload deployment.
> <span class="note">NOTE</span>: You can also use Azure Key Vault to store these credentials and pull them out in a pipeline.
#### Create an App Registration in Azure Active Directory for Azure DevOps Services
1. Return to your Azure Portal
1. Navigate to your Azure Active Directory
1. Click on **App Registrations** in the left navigation menu
1. Click on **+New Registration** in the top breadcrumb navigation
1. Provide the following information:
- Name: **ar-adopipeline-dev-eastus-001** or a name of your liking
- Supported Account Types: **Accounts in this organizational directory only (... - Single Tenant)**
- Redirect URI (Optional): **do not configure, leave as default**
- Click the **Register** button
1. Click on **Overview** in the left navigation and record the following information:
- Application (client) ID: **<\< client id \>>**
1. Click on **Certificates & Secrets** in the left navigation
1. Click on **+New Client Secret** and provide the following information:
- Description: **cs-adopipeline-dev-eastus-001**
- Expires: **3 months or choose an appropriate time for your organization**
- Click the **Add** button
1. Copy and record the Secret ID. You will use this in your Azure DevOps Services Pipeline when you create the Service Connection.
> <span class="note">NOTE</span>: You can also use Azure Key Vault to store these credentials and pull them out in a pipeline.
#### OPTIONAL: Implement Kanban for Change Tracking
1. Create a new User Story work item on the Azure Board:
- Name: **Deploy AKS Enclave**
- Assigned: **Assign to you**
- Area: **anoa\Modern Portfolio\Mission Owner Alpha\NoOps Team**
- Iteration: **anoa\Fiscal Year 2023\Program Increment 1\Sprint 1**
- Description: **Review, modify, update /src/bicep/enclaves/enclave-scca-hub3spoke-aks/parameters/deploy.parameters.json to support deployment of Azure Kubernetes Service private cluster for workload.**
- Acceptance Criteria:
- Azure Key Vault implemented to store credentials and secrets
- Bastion is accessed using Azure Key Vault
- Kubernetes Private Cluster is accessible through Bastion
- Planning:
- Story Points: **13** (scale is 1,2,3,5,8,13,21 where 1 is easiest and 21 is hardest)
- Priority: **1** (scale is 1,2,3,4 where 1 is highest and 4 is lowest)
- Risk: **2 - Medium**
- Classification
- Value area: **Architectural**
1. Click **Save and close** to return to the Azure Board
1. Drag the User Story to the **In-Progress - Doing** column in the **Architectural** swimlane
#### OPTIONAL: Decompose the User Story to Supporting Tasks
1. From the Azure Board, hover over the **Deploy AKS Enclave** workitem, then click on the ellipses, and finally click on **Add Task** and add the following tasks:
- CYBER: Review Azure Key Vault Implementation
- CYBER: Review VNET Peering to Hub and Firewall
- OPS: Review Monitor Solution Deployments
- OPS: Modify Solution Parameter Names
- DEV: Modify Subscription ID and Tenant ID Values
- DEV: Modify Object ID and Role ID Values
> <span class="note">NOTE</span>: You can assign different people to these tasks and operate them on the Task board. The Task Board is where you run your sprints and manage your sprint backlog.
#### OPTIONAL: Create a Remote Branch to Track Changes
1. From the Azure Boards, choose the **anoa Team** to show the **anoa Team Azure Board**.
1. Open the **Deploy AKS Enclave** work item and click **Create Branch** in the **Development** section
1. Name the branch **topics/tb-\<id of work item\>**
1. Return to your PowerShell, or open a PowerShell session, or other terminal with access to use Git and checkout the remote branch:
``` PowerShell
git fetch
git checkout topics/tb-\<id of work item\>
```
> <span class="note">NOTE</span>: It is good Continuous Integration practice to commit your changes often
> <span class="note">NOTE</span>: Team members can also branch the Tasks, if used, and make changes to the same file. If they make changes to the same file in the same location, Git will force a merge confict, otherwise Git's merge process will make every attempt to resolve the merge process.
1. Return to PowerShell and issue **code .** to launch Visual Studio Code in the **c:\anoa** directory
#### Update the deploy.parameters.json File
1. In Visual Studio Code, expand the folders to **/src/bicep/enclaves/enclave-scca-hub3spoke-aks/** and open the **deploy.parameters.json** file
> <span class="note">NOTE</span>: The **deploy.parameters.json** file is in JSON syntax. In this document the parameters to change will be referenced in dotted notation. For example, given this JSON:
>
> "parTags": {
> "value": {
> "organization": "anoa",
> "region": "<<region>>",
> "templateVersion": "v1.0",
> "deployEnvironment": "dev",
> "deploymentType": "NoOpsTerraform"
> }
>
> A change to the organiation would be communicated: **parTags.organization**, or a change to the region: **parTags.region**
> <span class="note">NOTE</span>: You can use the same subscription for the HUB, IDENTITY, OPERATIONS, and SHARED SERVICES
> <span class="note">NOTE</span>: If you use AZ CLI and login through your Powershell session you can capture most of the values necessary for the changes. Use the following script to capture the changes:
1. Make the following changes to the **deploy.parameters.json** file:
- parRequired.orgPrefix = **\<your org prefix or the default 'anoa'\>**
- parTags.organization = **\<your org prefix or the default ANOA\>**
- parTags.region = **\<your Azure region (eastus, usgovvirginia, etc...)\>**
- parHub.subscriptionId = **\<subscription Id to host the HUB spoke\>**
- parIdentitySpoke.subscriptionId = **\<subscription Id to host the IDENTITY spoke\>**
- parOperationsSpoke.subscriptionId = **\<subscription Id to host the OPERATIONS spoke\>**
- parSharedServicesSpoke.subscriptionId = **\<subscription Id to host the SHARED SERVICES spoke\>**
- parAksWorkload.subscriptionId = **\<subscription Id to host the AKS Private Cluster\>**
- parKubernetesCluster.aksClusterKubernetesVersion: **1.25.2**
> <span class="note">NOTE</span>: Issue the command **az aks get-versions --location eastus --query orchestrators[-1].orchestratorVersion --output tsv** to retrieve your regions highest version
- parKubernetesCluster.aadProfile.aadProfile.TenantId: **<\<tenant Id for this enclave deployment>>**
- parKubernetesCluster.aadProfile.aadProfileAdminGroupObjectIds: **<\<objectId of AAD Group for Kubernetes Administrators>>**
> <span class="note">NOTE</span>: See **Part 3: Deploy Kubernetes Workload using an Enclave**, **Create an Azure Active Directory Group** about creating an AAD group for the *parKubernetesCluster.aadProfile.aadProfileAdminGroupObjectIds* configuration element.
- parKubernetesCluster.addonProfiles.config.logAnalyticsWorkspaceResourceId: **<\<subscriptionId>>**
- parKubernetesCluster.servicePrincipalProfile.clientId: **<<clientId of AAD App Registration>>**
- parKubernetesCluster.servicePrincipalProfile.secret: **<\<secret of AAD App Registration>>**
> <span class="note">NOTE</span>: See **Part 3: Deploy Kubernetes Workload using an Enclave**, **Create an App Registration in Azure Active Directory** about creating an app registration and retrieving the clientId and secret for the *parKubernetesCluster.servicePrincipalProfile.clientId* and the *parKubernetesCluster.servicePrincipalProfile.secret* configuration elements.
>
> <span class="note">NOTE</span>: If using **AZ AD SP LIST** for your service principals the **<\<clientId\>>** is the **appId** of the JSON returned from the AZ AD SP LIST command.
- parNetworkArtifacts.enable = **true**
- parNetworkArtifacts.keyVaultPolicies = **<\<an array of principles from your Azure AD who will have permissions for keys and secrets>\>**
> <span class="note">NOTE</span>: Setting *parNetworkArtifacts.enable* to true will create an Azure Key Vault and place the Bastion credentials in this Azure Key Vault. *parNetworkArtifacts.keyVaultPolicies* is an array of people who will be granted access to the keys and secrets. Copy the following JSON to grant multiple people access (**make sure there is a comma , after the last brace }**):
>
> ``` json
> {
> "objectId": "3c42836c-2712-418f-963b-7a1293d36d63",
> "permissions": {
> "keys": ["get", "list", "update"],
> "secrets": ["get", "list", "set"]
> },
> "tenantId": "0ff59ae6-406c-4aba-a174-fddb35d8dd6f"
> },
> ```
>
#### OPTIONAL: Commit the Branch and Merge into Main
1. Return to your PowerShell session or terminal
1. Issue the following commands to commit and push on your branch:
``` PowerShell
git add *
git commit -m "Updated deploy.parameters.json for AKS Enclave Deployment"
git push
```
> <span class="note">NOTE</span>: If your following the decomposition process of the **Deploy AKS Enclave** user story your actions have mapped to the tasks in this way:
>
> **CYBER: Review Azure Key Vault Implementation**
> When you enabled Network Artifacts and assigned one or more people permissions to keys/secrets you completed this task.
>
> **CYBER: Review VNET Peering to Hub and Firewall**
> When you updated the subscription Id for the HUB spoke and reviewed the Azure Firewall configuration and VNET peerings with the configuration element: *peerToSpokeVirtualNetwork: true* you completed this task.
>
> **OPS: Review Monitor Solution Deployments**
> When you updated the subscription Id for the OPERATIONS spoke and reviewed the network configuration allowing traffic from spokes you completed this task.
>
> **OPS: Modify Diagnostics Logs**
> When you reviewed the available diagnostics logs in the *parOperationsSpoke* configuration element you completed this task.
>
> **DEV: Modify Subscription ID and Tenant ID Values**
> When you updated deploy.parameters.json with the correct subscription Id's and tenant Id's you completed this task.
>
> **DEV: Modify Object ID and Role ID Values**
> When you created the app registration, and Azure AD group for Kubernetes then updated deploy.parameters.json with those values you completed this task.
1. Return Azure DevOps Services or your Azure DevOps Server
1. In the left navigation under the **Repos** heading, click on **Pull Requests**
1. Your branch will be listed, click on the **Create a pull request** button located to the far right
1. You will be able to review your changes on the **Files** tab. Return to the **Overview** tab and click the **Create** button to create a pull request
> <span class="note">NOTE</span>: If you have governance or process around your PR processes engage them here. For this execise we will be simply approving and completing the PR.
1. Click on the **Approve** button
1. Click on the **Complete** button
1. Click on the **Complete merge** button
> <span class="note">NOTE</span>: Feel free to use the merge type for your team. The checkbox to **Delete topics/tb-### after merging** refers ONLY to the remote branch that is on Azure DevOps Services and not any branches on your local computer. Those must be removed manually after the PR process.
### Part 4: Setup the Azure DevOps Services Pipeline
1. Return to Azure DevOps Services
1. Click on **Project Settings** in the lower left
1. Click on **Service Connections** in the **Pipelines** section on the left
1. Click the **New Service Connection** button in the top right and create a new Service Connection with the following information:
- Service Connection Type: **Azure Resource Manager**
> <span class="note">NOTE</span>: Scroll down and click the **Next** button to see the Authentication Method selection.
- Authentication Method: **Service Principal (manual)**
- Environment: **Azure Cloud**
- Scope Level: **Subscription**
- Subscription ID: **subscriptionId of the subscription this service connection will access**
- Service Principal ID: **The *client id* of App Registration** you created in the **Part 3: Deploy Kubernetes Workload using an Enclave, Create an App Registration in Azure Active Directory for Azure DevOps Services** section.
- Service Principal Key (if using): **The *value* of App Registration's Client Secret** you created in the **Part 3: Deploy Kubernetes Workload using an Enclave, Create an App Registration in Azure Active Directory for Azure DevOps Services** section.
- Tenant ID: **Tenant ID you are using for your deployment**
- Service Connection Name: **sc-\<subscription name\>-subscription**
- Description: **optional if you want a description**
- Check the Checkbox: **Grant access permissions to all pipelines** (otherwise you will need to authorize this for each pipeline. Defer to your organization's security and governance for this setting)
- Click on **Verify and Save**
> <span class="note">NOTE</span>: If you have any issues, resolve them before proceeding. The App Registration that is used in this Service Connection must be added to the **OWNERS** role of the subscription.
1. Return to Pipelines, and **Create a New Pipeline**
1. Copy and Paste the .yaml for the pipeline:
''' yaml
'''
#### References
---
[Deploying Management Groups with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/management-groups)
[Deploying Roles with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/roles)
[Deploying Policy for Guardrails with the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/Policy)
[Deploying SCCA Compliant Hub and 1-Spoke using the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/platforms/lz-platform-scca-hub-1spoke)
[Deploying a Kubernetes Private Cluster Workload using the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/workloads/wl-aks-spoke)

498
docs/training/terraform/Demonstration 5 - Overlay.md Normal file
Просмотреть файл

@ -0,0 +1,498 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Create an Overlay for SQL Server with Terraform using Azure NoOps Accelerator
<div class="title">A step-by-step creation and deployment of a Sql Server Overlay using the Azure NoOps Accelerator.
</div>
### Setup & Prerequisite Software
> If already done this in previous labs, then you can skip to Part 1
1. You must have installed the latest [Git client](https://git-scm.com) for working with source control
1. You must have the latest version of [Visual Studio Code](https://code.visualstudio.com/) for authoring bicep files
1. Installed the [bicep extension](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension) in Visual Studio Code
1. You must have installed either the the latest version of **AZ CLI**, see [How to install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), or **Azure PowerShell**, see [Install the Azure Az PowerShell module](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.0.1) for deploying bicep files
**PowerShell Quick Installation for Azure CLI**
``` PowerShell
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
```
**PowerShell Quick Installation for Azure PowerShell**
``` PowerShell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```
1. You must have installed the latest version of [Terraform](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-powershell)
1. Either clone, fork, or download the [Azure NoOps Accelerator](https://aka.ms/azurenoops) to your local system. This demonstration uses **c:\anoa** as the root directory containing the downloaded, cloned, or forked project from GitHub
### Before we Begin
You will be making modifications to several .json files for the deployment which require knowing several sensitive pieces of information.
You can record those values here or, preferred, using your terminal save the values as variables. Additionally, you can record and save these values in Azure Key Vault if using the Azure NoOps Accelerator on a pipeline or through a automation platform.
Saving data as variables for use while executing this demonstration or lab will help. This code below will make executing the commands through PowerShell simpler and recalling these values.
``` PowerShell
az cloudset --name [AzureCloud | AzureGovernment]
az login
$context = Get-AzContext
$location = [your region]
```
#### OPTIONAL
If you choose to save and record your values use the table below. This is sensitive information and care should be taken.
| Name | Value(s) | How Used |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| Subscription ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div></br><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div><br/><div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms. You can use multiple subscriptions for your tiers. |
| Location | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms (eastus, usgovvirgina, etc..). |
### Part 1: Create an Overlay Folder
> <span class="note">NOTE</span>: For this demonstration we will be using AZ CLI with PowerShell. You can use AZ CLI with Bash or Azure PowerShell. The commands are the same. The only difference is the syntax.
---
#### Create Sql Server Overlay folder
1. Change to your directory containing the Azure NoOps Accelerator, this demonstration uses **c:\anoa**
1. Open Visual Studio Code in your directory containing the Azure NoOps Accelerator
1. Open folder directory **/src/bicep/overlays/management-services/**
1. Create a folder called **sqlServer** in the **/src/bicep/overlays/management-services/** by right-click the folder and selecting **new folder**
1. In the same folder create a folder called **parameters** by right-click the **sqlServer** folder and selecting **new folder**
2. Add files to the **sqlServer** folder by right-click the **sqlServer** folder, selecting **new file** and naming the file:
- **deploy.bicep**
- **readme.md**
2. Add files to the **sqlServer/parameters** folder by right-click the **sqlServer/parameters** folder and selecting **new file**:
- **deploy.parameters.json**
### Part 2: Build the Terraform for the SQL Server Overlay
---
1. Open the **/deploy.bicep** file in the **sqlServer** folder and make the following changes:
**Terraform**
``` PowerShell
/*
SUMMARY: Overlay Module Example to deploy an Sql Server.
DESCRIPTION: The following components will be options in this deployment
* Sql Server
AUTHOR/S: <<your name>>
*/
targetScope = 'subscription' //Deploying at Subscription scope to allow resource groups to be created and resources in one deployment
// REQUIRED PARAMETERS
// Example (JSON)
// These are the required parameters for the deployment
// -----------------------------
// "parRequired": {
// "value": {
// "orgPrefix": "anoa",
// "templateVersion": "v1.0",
// "deployEnvironment": "dev"
// }
// }
@description('Required values used with all resources.')
param parRequired object
// REQUIRED TAGS
// Example (JSON)
// These are the required tags for the deployment
// -----------------------------
// "parTags": {
// "value": {
// "organization": "anoa",
// "region": "eastus",
// "templateVersion": "v1.0",
// "deployEnvironment": "dev",
// "deploymentType": "NoOpsTerraform"
// }
// }
@description('Required tags values used with all resources.')
param parTags object
@description('The region to deploy resources into. It defaults to the deployment location.')
param parLocation string = deployment().location
```
> <span class="note">IMPORTANT</span>: Since this overlay will be used in workloads, we need to add the **subscription** to the **targetScope** property and add the required parameters. The **targetScope** property is used to define where the Terraform file will be deployed. The **targetScope** property can be set to **resourceGroup** or **subscription**.
2. Next, we will be adding the SQL Server object parameter for the deployment. The SQL Server object parameter is the object that will have all the parameters that defines a Sql Server for Azure. Add the following parameters to the **/deploy.bicep** file:
**Terraform**
``` PowerShell
// SQL SERVER PARAMETERS
@description('Defines the Sql Server Object.')
param parSqlServer object
```
> <span class="note">NOTE</span>: The **parSqlServer** parameter will be used to create the Sql Server resource and will contain the following properties:
| Name | Type | Description |
| --- | --- | --- |
| name | string | The name of the Sql Server. |
| location | string | The location of the Sql Server. |
| tags | object | The tags of the Sql Server. |
| sku | string | The sku of the Sql Server. |
| version | string | The version of the Sql Server.|
| administratorLogin | string | The administrator login of the Sql Server. |
| administratorLoginPassword | string | The administrator login password of the Sql Server. |
| publicNetworkAccess | string | The public network access of the Sql Server. |
| minimalTlsVersion | string | The minimal TLS version of the Sql Server. |
| databases | int | The databases for the Sql Server. |
| firewallRules | array | The firewall rules of the Sql Server. |
| minimalTlsVersion | string | Minimal TLS version allowed. [1.0, 1.1, 1.2]|
| publicNetworkAccess | bool | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. |
| enableLocks | bool | Enable resource lock |
We will be adding the **parSqlServer** parameters to the **/parameters/deploy.parameters.json** file in Part 3.
3. Next, We will be adding the targets for this overlay. **Targets** are used to specify the subscription and resource group where the Sql Server will be deployed. Add the following to the **/deploy.bicep** file:
**Terraform**
``` PowerShell
// TARGETS
// SUBSCRIPTIONS PARAMETERS
// Target Virtual Network Name
// (JSON Parameter)
// ---------------------------
// "parTargetSubscriptionId": {
// "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxx"
// }
@description('The subscription ID for the Target Network and resources. It defaults to the deployment subscription.')
param parTargetSubscriptionId string = subscription().subscriptionId
// Target Resource Group Name
// (JSON Parameter)
// ---------------------------
// "parTargetResourceGroup": {
// "value": "anoa-eastus-platforms-hub-rg"
// }
@description('The name of the resource group in which the Sql Server will be deployed. If unchanged or not specified, the Azure NoOps Accelerator will create an resource group to be used.')
param parTargetResourceGroup string = ''
```
> <span class="note">IMPORTANT</span>: The **parTargetSubscriptionId** parameter is used to specify the subscription where the Sql Server will be deployed. The **parTargetResourceGroup** parameter is used to specify the resource group where the Sql Server will be deployed. If the **parTargetResourceGroup** parameter is not specified, the Azure NoOps Accelerator will create a resource group for the Sql Server.
3. Next, We will be adding the resource naming parameters for this overlay. The **resource naming** parameters is used in name parameter in each of the modules. Add the following to the **/deploy.bicep** file:
**Terraform**
``` PowerShell
// RESOURCE NAMING PARAMETERS
@description('A suffix to use for naming deployments uniquely. It defaults to the Terraform resolution of the "utcNow()" function.')
param parDeploymentNameSuffix string = utcNow()
@description('The current date - do not override the default value')
param dateUtcNow string = utcNow('yyyy-MM-dd HH:mm:ss')
```
> <span class="note">NOTE</span>: The **parDeploymentNameSuffix** parameter is used to create a unique name for the deployment. The **dateUtcNow** parameter is used to create a unique name for the deployment.
3. Next, We will be adding the resource naming variables for this overlay. The **resource naming** variables is used in naming of the modules. This provides a consistent naming convention for all resources. Add the following to the **/deploy.bicep** file:
**Terraform**
``` PowerShell
/*
NAMING CONVENTION
Here we define a naming conventions for resources.
First, we take `parDeployEnvironment` and `parDeployEnvironment` by params.
Then, using string interpolation "${}", we insert those values into a naming convention.
*/
var varResourceToken = 'resource_token'
var varNameToken = 'name_token'
var varNamingConvention = '${toLower(parRequired.orgPrefix)}-${toLower(parLocation)}-${toLower(parRequired.deployEnvironment)}-${varNameToken}-${toLower(varResourceToken)}'
// RESOURCE NAME CONVENTIONS WITH ABBREVIATIONS
var varResourceGroupNamingConvention = replace(varNamingConvention, varResourceToken, 'rg')
var varSqlServerNamingConvention = replace(varNamingConvention, varResourceToken, 'sql')
// SQL SERVER NAMES
var varSqlServerName = parSqlServer.sqlServerName
var varSqlServerResourceGroupName = replace(varResourceGroupNamingConvention, varNameToken, varSqlServerName)
var varServerName = replace(varSqlServerNamingConvention, varNameToken, varSqlServerName)
```
> <span class="note">NOTE</span>: The **varNamingConvention** variable is used to create the naming convention for the resources. The **varResourceGroupNamingConvention** variable is used to create the naming convention for the resource groups. The **varSqlServerName** variable is used to create the naming convention for the Sql Server. The **varSqlServerResourceGroupName** variable is used to create the naming convention for the Sql Server resource group.
1. Now let's add the sqlServer module from Az Resources to this overlay. Add the following to the **/deploy.bicep** file:
**Terraform**
``` PowerShell
//=== TAGS ===
var referential = {
region: parLocation
deploymentDate: dateUtcNow
}
@description('Resource group tags')
module modTags '../../../azresources/Modules/Microsoft.Resources/tags/az.resources.tags.bicep' = {
name: 'deploy-sqlSvr-tags-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parTargetSubscriptionId)
params: {
tags: union(parTags, referential)
}
}
// Sql Server
// Create Sql Server resource group
resource rgSqlServerRg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
name: (!empty(parTargetResourceGroup)) ? parTargetResourceGroup : varSqlServerResourceGroupName
location: parLocation
}
// Create Sql Server
module modSqlServer '../../../azresources/Modules/Microsoft.Sql/servers/az.data.sqlserver.bicep' = {
name: 'deploy-sqlSvr-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parTargetSubscriptionId, rgSqlServerRg.name)
params: {
location: parLocation
name: varServerName
tags: parTags
administratorLogin: parSqlServer.administratorLogin
administratorLoginPassword: parSqlServer.administratorLoginPassword
minimalTlsVersion: parSqlServer.minimalTlsVersion
publicNetworkAccess: parSqlServer.publicNetworkAccess
databases: parSqlServer.databases
firewallRules: parSqlServer.firewallRules
}
}
```
> <span class="note">IMPORTANT</span>: The **modTags** module is used to create the tags for the Sql Server. The **rgSqlServerRg** resource is used to create the resource group for the Sql Server. The **modSqlServer** module is used to create the Sql Server.
### Part 3: Build the Parameters for the Overlay
1. Now let's build the parameters for the overlay. Add the following to the **/parameters.json** file:
**JSON**
``` PowerShell
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"parRequired": {
"value": {
"orgPrefix": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev"
}
},
"parTags": {
"value": {
"organization": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev",
"deploymentType": "NoOpsTerraform"
}
},
"parTargetSubscriptionId": {
"value": "<<YOUR SUBSCRIPTION ID>>"
},
"parTargetResourceGroup": {
"value": ""
},
"parSqlServer": {
"value": {
"sqlServerName": "sqlsrv-001",
"administratorLogin": "azureuser",
"administratorLoginPassword": "Rem0te@2020246",
"minimalTlsVersion": "1.2",
"publicNetworkAccess": "Enabled",
"enableLocks": true,
"databases": [
{
"name": "anoa",
"collation": "SQL_Latin1_General_CP1_CI_AS",
"licenseType": "LicenseIncluded",
"maxSizeBytes": 34359738368,
"skuCapacity": 12,
"skuFamily": "Gen5",
"skuName": "BC_Gen5",
"skuTier": "BusinessCritical"
}
],
"firewallRules": [
{
"endIpAddress": "0.0.0.0",
"name": "AllowAllWindowsAzureIps",
"startIpAddress": "0.0.0.0"
}
]
}
}
}
}
```
---
1. Make the following changes to the **deploy.parameters.json** file or leave default values:
- parRequired.orgPrefix = **\<your org prefix or the default 'anoa'\>**
- parTags.organization = **\<your org prefix or the default ANOA\>**
- parTags.region = **\<your Azure region (eastus, usgovvirginia, etc...)\>**
- parTargetSubscriptionId = **\<subscription Id to host the sql server\>**
- parTargetResourceGroup = **\<leave blank\>**
- parSqlServer.sqlServerName = **\<your sql server name\>**
- parSqlServer.administratorLogin = **\<your sql server administrator login\>**
- parSqlServer.administratorLoginPassword = **\<your sql server administrator login password\>**
- parSqlServer.databases.name = **\<your sql server database name\>**
> <span class="note">NOTE</span>: The **parTargetResourceGroup** parameter is left blank. This will allow the overlay to create the resource group for the Sql Server.
### Part 4: Deploy Sql Server Overlay
> <span class="note">IMPORTANT</span>: Overlays are not meant to be deployed seperatly but they can be. In this case we are deploying the overlay seperatly to show how it works. In a real world scenario the overlay would be deployed as part of a larger platform or workload deployment.
---
##### Validate the deployment with WhatIf
> <span class="note">NOTE</span>: The **WhatIf** parameter is used to validate the deployment without actually deploying the resources. This is a great way to validate the deployment before actually deploying the resources.
1. Open PowerShell and change to your directory containing the NoOps Accelerator, this demonstration uses **c\anoa**
2. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\overlays\management-services\sqlserver'**
3. Issue **$context = Get-AzContext** and record the following values: -
- Subscription ID: **$context.Subscription.Id**
> <span class="note">NOTE</span>: If more than one value is returned, choose the subscription you are targeting to create the sql server overlay. You can also use **Set-AzContext** to set your current subscription for this session.
4. Issue the command:
**Azure CLI**
``` PowerShell
az deployment sub what-if --subscription $context.Subscription.Id --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location
```
> <span class="note">NOTE</span>: The **--location** parameter is used to specify the location for the resource group. This is not the location for the Sql Server. The location for the Sql Server is specified in the **parameters.json** file.
5. Review the output of the command and verify that the deployment will create the resource group and the sql server.
``` PowerShell
Resource and property changes are indicated with these symbols:
+ Create
~ Modify
The deployment will update the following scopes
Scope: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+ resourceGroups/anoa-usgovvirginia-dev-sqlsrv-001-rg [2021-04-01]
apiVersion: "2021-04-01"
id: "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/anoa-usgovvirginia-dev-sqlsrv-001-rg"
location: "usgovvirginia"
name: "anoa-usgovvirginia-dev-sqlsrv-001-rg"
type: "Microsoft.Resources/resourceGroups"
properties.endIpAddress: "0.0.0.0"
properties.startIpAddress: "0.0.0.0"
type: "Microsoft.Sql/servers/firewallRules"
+ Microsoft.Sql/servers/anoa-usgovvirginia-dev-sqlsrv-001-sql/providers/Microsoft.Authorization/locks/anoa-usgovvirginia-dev-sqlsrv-001-sql-CanNotDelete-lock [2017-04-01]
apiVersion: "2017-04-01"
id: "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/anoa-usgovvirginia-dev-sqlsrv-001-rg/providers/Microsoft.Sql/servers/anoa-usgovvirginia-dev-sqlsrv-001-sql/providers/Microsoft.Authorization/locks/anoa-usgovvirginia-dev-sqlsrv-001-sql-CanNotDelete-lock"
name: "anoa-usgovvirginia-dev-sqlsrv-001-sql-CanNotDelete-lock" properties.level: "CanNotDelete"
properties.notes: "Cannot delete resource or child resources."
type: "Microsoft.Authorization/locks"
Resource changes: 4 to create, 1 to modify.
```
7. This ouput tells us that there will be a creation of 2 resources (resource group & sql server) and that the values are as expected. The **WhatIf** command is a great way to validate the deployment before actually deploying the resources. If you are satisfied with the deployment, then deploy the infrastructure by removing the **WhatIf** value.
##### Deploy Sql Server Overlay
1. Issue the command updating the **--subscription** parameter with your subscription id and the **--location** parameter to your location
**Azure CLI**
``` PowerShell
az deployment sub create --name 'deploy-sql-server' --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location --subscription $context.Subscription.Id --only-show-errors
```
##### Remove the Sql Server Overlay
1. Issue this command to remove the resources created by the overlay:
**Azure CLI**
``` PowerShell
Remove-AzResourceGroup -Name 'anoa-usgovvirginia-dev-sqlsrv-001-rg'
```
<span class="note">NOTE</span>: The resource group name is based on the parameters you used when deploying the overlay. Change the resource group name to match your previous deployment.
##### References
---
[Deploying Management Groups with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/management-groups)
[Deploying Roles with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/roles)
[Deploying Policy for Guardrails with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/Policy)
[Deploying SCCA Compliant Hub and 1-Spoke using the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/platforms/lz-platform-scca-hub-1spoke)
[Deploying a Kubernetes Private Cluster Workload using the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/workloads/wl-aks-spoke)

547
docs/training/terraform/Demonstration 6 - Workload.md Normal file
Просмотреть файл

@ -0,0 +1,547 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Create an SQL Server Workload Spoke with Terraform using Azure NoOps Accelerator
<div class="title">A step-by-step creation and deployment of a SQL Server Workload Spoke using the Azure NoOps Accelerator.
</div>
### Setup & Prerequisite Software
> If already done this in previous labs, then you can skip to Part 1
1. You must have installed the latest [Git client](https://git-scm.com) for working with source control
1. You must have the latest version of [Visual Studio Code](https://code.visualstudio.com/) for authoring bicep files
1. Installed the [bicep extension](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension) in Visual Studio Code
1. You must have installed either the the latest version of **AZ CLI**, see [How to install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), or **Azure PowerShell**, see [Install the Azure Az PowerShell module](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.0.1) for deploying bicep files
**PowerShell Quick Installation for Azure CLI**
``` PowerShell
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
```
**PowerShell Quick Installation for Azure PowerShell**
``` PowerShell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```
1. You must have installed the latest version of [Azure Terraform](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-powershell)
1. Either clone, fork, or download the [Azure NoOps Accelerator](https://aka.ms/azurenoops) to your local system. This demonstration uses **c:\anoa** as the root directory containing the downloaded, cloned, or forked project from GitHub
### Before we Begin
You will be making modifications to several .json files for the deployment which require knowing several sensitive pieces of information.
You can record those values here or, preferred, using your terminal save the values as variables. Additionally, you can record and save these values in Azure Key Vault if using the Azure NoOps Accelerator on a pipeline or through a automation platform.
Saving data as variables for use while executing this demonstration or lab will help. This code below will make executing the commands through PowerShell simpler and recalling these values.
``` PowerShell
az cloudset --name [AzureCloud | AzureGovernment]
az login
$context = Get-AzContext
$location = [your region]
```
#### OPTIONAL
If you choose to save and record your values use the table below. This is sensitive information and care should be taken.
| Name | Value(s) | How Used |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| Subscription ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms. You can use multiple subscriptions for your tiers. |
| Location | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms (eastus, usgovvirgina, etc..). |
### Part 1: Create an Workload Folder
> <span class="note">NOTE</span>: For this demonstration we will be using AZ CLI with PowerShell. You can use AZ CLI with Bash or Azure PowerShell. The commands are the same. The only difference is the syntax.
---
#### Create Sql Server Workload Spoke folder
1. Change to your directory containing the Azure NoOps Accelerator, this demonstration uses **c:\anoa**
1. Open Visual Studio Code in your directory containing the Azure NoOps Accelerator
1. Open folder directory **/src/bicep/workloads/**
1. Create a folder called **wl-sqlserver-spoke** in the **//src/bicep/workloads/** by right-click the folder and selecting **new folder**
> <span class="note">NOTE</span>: The folder name must start with **wl-** and end with **-spoke**. This is how the Azure NoOps Accelerator identifies the folder as a workload spoke.
2. In the same folder create a folder called **parameters** by right-click the **wl-sqlserver-spoke** folder and selecting **new folder**
3. Add files to the **wl-sqlserver-spoke** folder by right-click the **wl-sqlserver-spoke** folder, selecting **new file** and naming the file:
- **deploy.bicep**
- **readme.md**
- **bicepconfig.json**
4. Add files to the **wl-sqlserver-spoke/parameters** folder by right-click the **wl-sqlserver-spoke/parameters** folder and selecting **new file**:
- **deploy.parameters.json**
### Part 2: Build the Terraform for the SQL Server Workload Spoke
> <span class="note">NOTE</span>: In this demonstration, we will be building a SQL Server Workload Spoke with Azure Terraform. This will be a Tier 3 spoke that will be deployed with an VNET. The SQL Server Workload will use the VNET created in the spoke. The spoke will be deployed to a subscription that is the same as the subscription where the platform(hub/spoke network) is deployed. In production scenrieos, you can use different subscriptions for the platform(hub/spoke network) and workloads.
---
1. Open the **/deploy.bicep** file in the **wl-sqlserver-spoke** folder and make the following changes:
**Azure Terraform**
``` PowerShell
/*
SUMMARY: Workload Module to deploy a Sql Server Workload to an target sub.
DESCRIPTION: The following components will be options in this deployment
Sql Server Workload Spoke
AUTHOR/S: <your name>
*/
targetScope = 'subscription' //Deploying at Subscription scope to allow resource groups to be created and resources in one deployment
// REQUIRED PARAMETERS
// Example (JSON)
// These are the required parameters for the deployment
// -----------------------------
// "parRequired": {
// "value": {
// "orgPrefix": "anoa",
// "templateVersion": "v1.0",
// "deployEnvironment": "dev"
// }
// }
@description('Required values used with all resources.')
param parRequired object
// REQUIRED TAGS
// Example (JSON)
// These are the required tags for the deployment
// -----------------------------
// "parTags": {
// "value": {
// "organization": "anoa",
// "region": "eastus",
// "templateVersion": "v1.0",
// "deployEnvironment": "dev",
// "deploymentType": "NoOpsTerraform"
// }
// }
@description('Required tags values used with all resources.')
param parTags object
@description('The region to deploy resources into. It defaults to the deployment location.')
param parLocation string = deployment().location
```
> <span class="note">NOTE</span>: Just like the overlay, we need to add the **subscription** to the **targetScope** property and add the required parameters. The **targetScope** property is used to define where the Terraform file will be deployed. The **targetScope** property can be set to **resourceGroup** or **subscription**.
1. Since this is a workload spoke, we need to add workload specific parameters. Add the following parameters to the **/deploy.bicep** file:
**Azure Terraform**
``` PowerShell
// WORKLOAD PARAMETERS
@description('Required values used with the workload, Please review the Read Me for required parameters')
param parWorkloadSpoke object
```
We will be adding the **parWorkloadSpoke** parameters to the **/parameters/deploy.parameters.json** file in Part 3.
> <span class="note">NOTE</span>: The **parWorkloadSpoke** parameter is a **JSON** object that will contain all the parameters for the workload spoke. The **parWorkloadSpoke** parameter will be used to pass the parameters to the workload spoke overlay to create the Tier 3 spoke as part of a Hub 3 Spoke Platform.
1. The workload spoke has specific parameters it needs to use resources from the Hub 3 Spoke Platform including Hub Network and Log Analytics paramters.Add the following parameters to the **/deploy.bicep** file:
**Azure Terraform**
``` PowerShell
// HUB NETWORK PARAMETERS
@description('The subscription ID for the Hub Network.')
param parHubSubscriptionId string
// Hub Resource Group Name
// (JSON Parameter)
// ---------------------------
// "parHubResourceGroupName": {
// "value": "anoa-eastus-platforms-hub-rg"
// }
@description('The resource group name for the Hub Network.')
param parHubResourceGroupName string
// Hub Virtual Network Name
// (JSON Parameter)
// ---------------------------
// "parHubResourceGroupName": {
// "value": "anoa-eastus-platforms-hub-rg"
// }
@description('The virtual network name for the Hub Network.')
param parHubVirtualNetworkName string
// Hub Virtual Network Resource Id
// (JSON Parameter)
// ---------------------------
// "parHubVirtualNetworkResourceId": {
// "value": "/subscriptions/xxxxxxxx-xxxxxx-xxxxx-xxxxxx-xxxxxx/resourceGroups/anoa-eastus-platforms-hub-rg/providers/Microsoft.Network/virtualNetworks/anoa-eastus-platforms-hub-vnet/subnets/anoa-eastus-platforms-hub-vnet"
// }
@description('The virtual network resource Id for the Hub Network.')
param parHubVirtualNetworkResourceId string
// LOGGING PARAMETERS
@description('Log Analytics Workspace Resource Id Needed for NSG, VNet and Activity Logging')
param parLogAnalyticsWorkspaceResourceId string
@description('Log Analytics Workspace Name Needed Activity Logging')
param parLogAnalyticsWorkspaceName string
```
> <span class="note">NOTE</span>: The **parHubSubscriptionId** parameter is the subscription Id of the Hub Network. The **parHubResourceGroupName** parameter is the resource group name of the Hub Network. The **parHubVirtualNetworkName** parameter is the virtual network name of the Hub Network. The **parHubVirtualNetworkResourceId** parameter is the virtual network resource Id of the Hub Network. The **parLogAnalyticsWorkspaceResourceId** parameter is the Log Analytics Workspace resource Id. The **parLogAnalyticsWorkspaceName** parameter is the Log Analytics Workspace name. These parameters will be used to create the Tier 3 spoke as part of a Hub 3 Spoke Platform.
2. Next, we will be adding the SQL Server object parameter for the deployment. The SQL Server object parameter is the object that will have all the parameters that defines a Sql Server for Azure. Add the following parameters to the **/deploy.bicep** file:
**Azure Terraform**
``` PowerShell
// SQL SERVER PARAMETERS
@description('Defines the Sql Server Object.')
param parSqlServer object
```
> <span class="note">NOTE</span>: The **parSqlServer** parameter will be used to create the Sql Server resource and will contain the following properties:
| Name | Type | Description |
| -------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| name | string | The name of the Sql Server. |
| location | string | The location of the Sql Server. |
| tags | object | The tags of the Sql Server. |
| sku | string | The sku of the Sql Server. |
| version | string | The version of the Sql Server. |
| administratorLogin | string | The administrator login of the Sql Server. |
| administratorLoginPassword | string | The administrator login password of the Sql Server. |
| publicNetworkAccess | string | The public network access of the Sql Server. |
| minimalTlsVersion | string | The minimal TLS version of the Sql Server. |
| databases | int | The databases for the Sql Server. |
| firewallRules | array | The firewall rules of the Sql Server. |
| minimalTlsVersion | string | Minimal TLS version allowed. [1.0, 1.1, 1.2] |
| publicNetworkAccess | bool | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. |
| enableLocks | bool | Enable resource lock |
We will be adding the **parSqlServer** parameters to the **/parameters/deploy.parameters.json** file in Part 3.
1. Now we will start building the Tier 3 module for the deployment. The Tier 3 module are used to create the resources for the workload deployment. Add the following modules to the **/deploy.bicep** file:
**Azure Terraform**
``` PowerShell
//=== TAGS ===
var referential = {
workload: parWorkloadSpoke.name
}
@description('Resource group tags')
module modTags '../../azresources/Modules/Microsoft.Resources/tags/az.resources.tags.bicep' = {
name: 'Sql-Resource-Tags-${parDeploymentNameSuffix}'
scope: subscription()
params: {
tags: union(parTags, referential)
}
}
//=== Workload Tier 3 Buildout ===
module modTier3 '../../overlays/management-services/workloadSpoke/deploy.bicep' = {
name: 'deploy-wl-vnet-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parWorkloadSpoke.subscriptionId)
params: {
//Required Parameters
parRequired:parRequired
parLocation: parLocation
parTags: modTags.outputs.tags
//Hub Network Parameters
parHubSubscriptionId: parHubSubscriptionId
parHubVirtualNetworkResourceId: parHubVirtualNetworkResourceId
parHubVirtualNetworkName: parHubVirtualNetworkName
parHubResourceGroupName: parHubResourceGroupName
//WorkLoad Parameters
parWorkloadSpoke: parWorkloadSpoke
//Logging Parameters
parLogAnalyticsWorkspaceName: parLogAnalyticsWorkspaceName
parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
parEnableActivityLogging: true
}
}
//=== End Workload Tier 3 Buildout ===
```
1. Next, we will start building the Sql Server Overlay module for the deployment. The Sql Server Overlay module are used to create the resources for the Sql Server deployment. Add the following modules to the **/deploy.bicep** file:
**Azure Terraform**
``` PowerShell
//=== Sql Server Workload Buildout ===
module modSqlServerDeploy '../../overlays/management-services/sqlServer/deploy.bicep' = {
name: 'deploy-sql-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parWorkloadSpoke.subscriptionId)
params: {
parLocation: parLocation
parSqlServer: parSqlServer
parRequired: parRequired
parTags: modTags.outputs.tags
parTargetResourceGroup: modTier3.outputs.workloadResourceGroupName
parTargetSubscriptionId: parWorkloadSpoke.subscriptionId
}
dependsOn: [
modTier3
]
}
```
> <span class="note">IMPORTANT</span>: The **modSqlServerDeploy** module uses the Workload Tier 3 module as a dependency. This is because the Sql Server Overlay module will be deployed to the Workload Spoke Tier 3 resource group.
### Part 3: Build the Parameters for the Sql Server Workload Deployment
> <span class="note">NOTE</span>: The following steps will be adding the parameters for the Sql Server Workload deployment. The parameters will be added to the **/parameters/deploy.parameters.json** file.
---
1. Now let's build the parameters for the Sql Server Workload. Add the following to the **/parameters.json** file:
**JSON**
``` JSON
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"parRequired": {
"value": {
"orgPrefix": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev"
}
},
"parTags": {
"value": {
"organization": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev",
"deploymentType": "NoOpsTerraform"
}
},
"parWorkloadSpoke": {
"value": {
"name": "sqlServer",
"shortName": "sqlServer",
"subscriptionId": "<<your subscriptionId>>",
"enableDdosProtectionPlan": false,
"network": {
"virtualNetworkAddressPrefix": "10.0.125.0/26",
"subnetAddressPrefix": "10.0.125.0/26",
"allowVirtualNetworkAccess": true,
"useRemoteGateway": false,
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [],
"NetworkSecurityGroupDiagnosticsLogs": [
"NetworkSecurityGroupEvent",
"NetworkSecurityGroupRuleCounter"
],
"subnetServiceEndpoints": [
{
"service": "Microsoft.Storage"
}
],
"subnets": [],
"routeTable": {
"disableBgpRoutePropagation": true,
"routes": [
{
"name": "wl-routetable",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopIpAddress": "10.0.100.4",
"nextHopType": "VirtualAppliance"
}
}
]
}
},
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"<<PrincipalID>>"
],
"roleDefinitionIdOrName": "Contributor"
}
}
},
"parHubSubscriptionId": {
"value": "<<hub subscriptionId>>"
},
"parHubResourceGroupName": {
"value": "anoa-eastus-dev-hub-rg"
},
"parHubVirtualNetworkName": {
"value": "anoa-eastus-dev-hub-vnet"
},
"parHubVirtualNetworkResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/anoa-eastus-dev-hub-rg/providers/Microsoft.Network/virtualNetworks/anoa-eastus-dev-hub-vnet"
},
"parLogAnalyticsWorkspaceResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/anoa-eastus-dev-logging-rg/providers/microsoft.operationalinsights/workspaces/anoa-eastus-dev-logging-log"
},
"parLogAnalyticsWorkspaceName": {
"value": "anoa-eastus-dev-logging-log"
},
"parSqlServer": {
"value": {
"sqlServerName": "sqlsrv-001",
"administratorLogin": "azureuser",
"administratorLoginPassword": "Rem0te@2020246",
"minimalTlsVersion": "1.2",
"publicNetworkAccess": "Enabled",
"enableLocks": 'CanNotDelete',
"databases": [
{
"name": "anoa",
"collation": "SQL_Latin1_General_CP1_CI_AS",
"licenseType": "LicenseIncluded",
"maxSizeBytes": 34359738368,
"skuCapacity": 12,
"skuFamily": "Gen5",
"skuName": "BC_Gen5",
"skuTier": "BusinessCritical"
}
],
"firewallRules": [
{
"endIpAddress": "0.0.0.0",
"name": "AllowAllWindowsAzureIps",
"startIpAddress": "0.0.0.0"
}
]
}
}
}
}
```
> <span class="note">NOTE</span>: The **parWorkloadSpoke** parameter is the same as the one used in the previous section. The **parSqlServer** parameter is the same as the one used in the previous section. It is important make sure that all network parameters are correct. IP addresses and subnet ranges should be unique and not overlap with other subnets in the hub or other workload spokes.
---
1. Make the following changes to the **deploy.parameters.json** file or leave default values:
- parRequired.orgPrefix = **\<your org prefix or the default 'anoa'\>**
- parTags.organization = **\<your org prefix or the default ANOA\>**
- parTags.region = **\<your Azure region (eastus, usgovvirginia, etc...)\>**
- parHubSubscriptionId = **\<subscription Id to Hub subscription\>**
- parHubResourceGroupName = **\<Resource Group Name to Hub RG\>**
- parHubVirtualNetworkResourceId = **\<Virtual Network Resource Id to Hub Network\>**
- parHubVirtualNetworkName = **\<Virtual Network Name of the Hub Network\>**
- parLogAnalyticsWorkspaceResourceId = **\<Log Analytics Workspace Resource Id to Hub Network\>**
- parLogAnalyticsWorkspaceName = **\<Log Analytics Workspace Name to Hub Network\>**
- parSqlServer.sqlServerName = **\<your sql server name\>**
- parSqlServer.administratorLogin = **\<your sql server administrator login\>**
- parSqlServer.administratorLoginPassword = **\<your sql server administrator login password\>**
- parSqlServer.databases.name = **\<your sql server database name\>**
> <span class="note">NOTE</span>: All Hub Network parameters are required. If you are using the default Hub/3 Spoke deployment, you can leave the default values. If you are using a custom Hub/Spoke deployment, you will need to update the parameters with the values from your custom Hub deployment. Make sure to fill in <<subscriptionId>> parameters with the correct subscriptions.
### Part 4: Deploy Sql Server Workload
> <span class="note">NOTE</span>: The following steps will deploy the Sql Server workload with an Tier 3 Spoke Network. The deployment will take approximately 20 minutes to complete. The deployment will fail if there is not a existing Hub/3 Spoke Network deployed. If the deployment fails, check the deployment logs for more information.
---
##### Validate the deployment with WhatIf
> <span class="note">NOTE</span>: The **WhatIf** parameter is used to validate the deployment without actually deploying the resources. This is a great way to validate the deployment before actually deploying the resources.
1. Open PowerShell and change to your directory containing the NoOps Accelerator, this demonstration uses **c\anoa**
2. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\workloads\wl-sqlserver-spoke\'**
3. Issue **$context = Get-AzContext** and record the following values: -
- Subscription ID: **$context.Subscription.Id**
> <span class="note">NOTE</span>: If more than one value is returned, choose the subscription you are targeting to create the sql server workload. You can also use **Set-AzContext** to set your current subscription for this session.
4. Issue the command:
**Azure CLI**
``` PowerShell
az deployment sub what-if --subscription $context.Subscription.Id --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location
```
> <span class="note">NOTE</span>: The **--location** parameter is used to specify the location for the resource group. This is not the location for the Sql Server. The location for the Sql Server is specified in the **parameters.json** file.
5. Review the output of the command and verify that the deployment will create the resource group and the sql server.
##### Deploy Sql Server Workload Spoke
1. Open PowerShell and change to your directory containing the NoOps Accelerator, this demonstration uses **c\anoa**
1. Issue the command **az login** and log into your tenant
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\overlays\sqlserver'**
1. Issue **$context = Get-AzContext** and record the following values: -
- Subscription ID: **$context.Subscription.Id**
> **NOTE**: If more than one value is returned, choose the subscription you are targeting to create the sql server overlay. You can also use **Set-AzContext** to set your current subscription for this session.
2. Issue the command updating the **--subscription** parameter with your subscription id and the **--location** parameter to your location
**Azure CLI**
``` PowerShell
az deployment sub create --name 'deploy-sql-server' --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location --subscription $context.Subscription.Id --only-show-errors
```
##### Remove the Sql Server Overlay
1. Issue thus command:
**Azure CLI**
``` PowerShell
Remove-AzResourceGroup -Name 'anoa-usgovvirginia-dev-sqlsrv-rg'
```
<span class="note">NOTE</span>: The resource group name is based on the parameters you used when deploying the overlay. Change the resource group name to match your previous deployment.
##### References
---
[Deploying Management Groups with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/management-groups)
[Deploying Roles with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/roles)
[Deploying Policy for Guardrails with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/Policy)
[Deploying SCCA Compliant Hub and 1-Spoke using the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/platforms/lz-platform-scca-hub-1spoke)
[Deploying a Kubernetes Private Cluster Workload using the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/workloads/wl-aks-spoke)

573
docs/training/terraform/Demonstration 8 - Enclave.md Normal file
Просмотреть файл

@ -0,0 +1,573 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Deploy an SQL Server Mission Enclave with Terraform using Azure NoOps Accelerator
<div class="title">A step-by-step creation and deployment of an Mission Enclave for a SQL Server and Hub/3 Spoke Platform using the Azure NoOps Accelerator.
</div>
### Setup & Prerequisite Software
> If already done this in previous labs, then you can skip to Part 1
1. You must have installed the latest [Git client](https://git-scm.com) for working with source control
1. You must have the latest version of [Visual Studio Code](https://code.visualstudio.com/) for authoring bicep files
1. Installed the [bicep extension](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#vs-code-and-bicep-extension) in Visual Studio Code
1. You must have installed either the the latest version of **AZ CLI**, see [How to install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli), or **Azure PowerShell**, see [Install the Azure Az PowerShell module](https://learn.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-9.0.1) for deploying bicep files
**PowerShell Quick Installation for Azure CLI**
``` PowerShell
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
```
**PowerShell Quick Installation for Azure PowerShell**
``` PowerShell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```
1. You must have installed the latest version of [Azure Terraform](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/install#azure-powershell)
1. Either clone, fork, or download the [Azure NoOps Accelerator](https://aka.ms/azurenoops) to your local system. This demonstration uses **c:\anoa** as the root directory containing the downloaded, cloned, or forked project from GitHub
### Before we Begin
You will be making modifications to several .json files for the deployment which require knowing several sensitive pieces of information.
You can record those values here or, preferred, using your terminal save the values as variables. Additionally, you can record and save these values in Azure Key Vault if using the Azure NoOps Accelerator on a pipeline or through a automation platform.
Saving data as variables for use while executing this demonstration or lab will help. This code below will make executing the commands through PowerShell simpler and recalling these values.
``` PowerShell
az cloudset --name [AzureCloud | AzureGovernment]
az login
$context = Get-AzContext
$location = [your region]
```
#### OPTIONAL
If you choose to save and record your values use the table below. This is sensitive information and care should be taken.
| Name | Value(s) | How Used |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| Subscription ID(s) | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms. You can use multiple subscriptions for your tiers. |
| Location | <div style="height: 20px;background-color: #CFD8DC;width: 300px;"></div> | When deploying workloads, overlays, enclaves, or platforms (eastus, usgovvirgina, etc..). |
### Part 1: Create an Enclave Folder
> <span class="note">NOTE</span>: For this demonstration we will be using AZ CLI with PowerShell. You can use AZ CLI with Bash or Azure PowerShell. The commands are the same. The only difference is the syntax.
---
#### Create Sql Server Enclave folder
1. Change to your directory containing the Azure NoOps Accelerator, this demonstration uses **c:\anoa**
1. Open Visual Studio Code in your directory containing the Azure NoOps Accelerator
1. Open folder directory **/src/bicep/enclaves/**
1. Create a folder called **enclaves-scca-hub3spoke-sqlserver** in the **/src/bicep/enclaves/** by right-click the folder and selecting **new folder**
> <span class="note">NOTE</span>: The folder name must start with **enclaves-scca-hub3spoke**. This is how the Azure NoOps Accelerator identifies the folder as a enclave. The rest of the folder name is used to identify the workload. The folder name must be unique. If you have multiple enclaves for the same workload, then you can add a suffix to the folder name. For example, **enclaves-scca-hub3spoke-sqlserver-1**. The suffix is not used by the Azure NoOps Accelerator, but it is used to identify the folder.
1. In the same folder create a folder called **parameters** by right-click the **enclaves-scca-hub3spoke-sqlserver** folder and selecting **new folder**
2. Add files to the **enclaves-scca-hub3spoke-sqlserver** folder by right-click the **enclaves-scca-hub3spoke-sqlserver** folder, selecting **new file** and naming the file:
- **deploy.bicep**
- **readme.md**
- **bicepconfig.json**
3. Add files to the **enclaves-scca-hub3spoke-sqlserver/parameters** folder by right-click the **enclaves-scca-hub3spoke-sqlserver/parameters** folder and selecting **new file**:
- **deploy.parameters.json**
### Part 2: Build the Terraform for the SQL Server Mission Enclave
> <span class="note">NOTE</span>: In this demonstration, we will be building a SQL Server Mission Enclave with Azure Terraform.
---
1. Open the **/deploy.bicep** file in the **enclaves-scca-hub3spoke-sqlserver** folder and make the following changes:
**Azure Terraform**
``` PowerShell
/*
SUMMARY: Workload Module to deploy a Sql Server Workload to an target sub.
DESCRIPTION: The following components will be options in this deployment
Sql Server Workload Spoke
AUTHOR/S: <your name>
*/
targetScope = 'subscription' //Deploying at Subscription scope to allow resource groups to be created and resources in one deployment
// REQUIRED PARAMETERS
// Example (JSON)
// These are the required parameters for the deployment
// -----------------------------
// "parRequired": {
// "value": {
// "orgPrefix": "anoa",
// "templateVersion": "v1.0",
// "deployEnvironment": "dev"
// }
// }
@description('Required values used with all resources.')
param parRequired object
// REQUIRED TAGS
// Example (JSON)
// These are the required tags for the deployment
// -----------------------------
// "parTags": {
// "value": {
// "organization": "anoa",
// "region": "eastus",
// "templateVersion": "v1.0",
// "deployEnvironment": "dev",
// "deploymentType": "NoOpsTerraform"
// }
// }
@description('Required tags values used with all resources.')
param parTags object
@description('The region to deploy resources into. It defaults to the deployment location.')
param parLocation string = deployment().location
```
> <span class="note">NOTE</span>: Just like the overlay, we need to add the **subscription** to the **targetScope** property and add the required parameters. The **targetScope** property is used to define where the Terraform file will be deployed. The **targetScope** property can be set to **resourceGroup** or **subscription**.
1. Since this is a mission enclave, we need to add Hub/3 Spoke platform specific parameters. Add the following parameters to the **/deploy.bicep** file:
**Azure Terraform**
``` PowerShell
@description('Hub Virtual network configuration. See azresources/hub-spoke-core/vdss/hub/readme.md')
param parHub object
@description('Operations Spoke Virtual network configuration. See azresources/hub-spoke-core/vdms/operations/readme.md')
param parOperationsSpoke object
@description('Identity Spoke Virtual network configuration. See azresources/hub-spoke-core/vdss/identity/readme.md')
param parIdentitySpoke object
@description('Shared Services Spoke Virtual network configuration. See azresources/hub-spoke-core/vdms/sharedservices/readme.md')
param parSharedServicesSpoke object
@description('Enables Operations Network Artifacts Resource Group with KV and Storage account for the ops subscriptions used in the deployment.')
param parNetworkArtifacts object
@description('Enables DDOS deployment on the Hub Network.')
param parDdosStandard object
@description('A suffix to use for naming deployments uniquely. It defaults to the Terraform resolution of the "utcNow()" function.')
param parDeploymentNameSuffix string = utcNow()
@description('Required. Azure Firewall configuration. Azure Firewall is deployed in Forced Tunneling mode where a route table must be added as the next hop.')
param parAzureFirewall object
@description('Enables logging parmeters and Microsoft Sentinel within the Log Analytics Workspace created in this deployment. See azresources/hub-spoke-core/vdms/logging/readme.md')
param parLogging object
@description('Microsoft Defender for Cloud. It includes contact email and phone.')
param parSecurityCenter object
@description('When set to "true", provisions Azure Bastion Host with Jumpboxes, when specified. It defaults to "false".')
param parRemoteAccess object
```
> <span class="note">NOTE</span>: The **parHub**, **parOperationsSpoke**, **parIdentitySpoke**, **parSharedServicesSpoke**, **parNetworkArtifacts**, **parDdosStandard**, **parAzureFirewall**, **parLogging**, **parSecurityCenter**, and **parRemoteAccess** parameters are used to pass in the configuration for the Hub/3 Spoke platform. The configuration for the Hub/3 Spoke platform is stored in the **/src/bicep/azresources/hub-spoke-core** folder.
1. The workload spoke has specific parameters it needs to use resources from the Hub 3 Spoke Platform including Hub Network and Log Analytics paramters.Add the following parameters to the **/deploy.bicep** file:
**Azure Terraform**
``` PowerShell
// HUB NETWORK PARAMETERS
@description('The subscription ID for the Hub Network.')
param parHubSubscriptionId string
// Hub Resource Group Name
// (JSON Parameter)
// ---------------------------
// "parHubResourceGroupName": {
// "value": "anoa-eastus-platforms-hub-rg"
// }
@description('The resource group name for the Hub Network.')
param parHubResourceGroupName string
// Hub Virtual Network Name
// (JSON Parameter)
// ---------------------------
// "parHubResourceGroupName": {
// "value": "anoa-eastus-platforms-hub-rg"
// }
@description('The virtual network name for the Hub Network.')
param parHubVirtualNetworkName string
// Hub Virtual Network Resource Id
// (JSON Parameter)
// ---------------------------
// "parHubVirtualNetworkResourceId": {
// "value": "/subscriptions/xxxxxxxx-xxxxxx-xxxxx-xxxxxx-xxxxxx/resourceGroups/anoa-eastus-platforms-hub-rg/providers/Microsoft.Network/virtualNetworks/anoa-eastus-platforms-hub-vnet/subnets/anoa-eastus-platforms-hub-vnet"
// }
@description('The virtual network resource Id for the Hub Network.')
param parHubVirtualNetworkResourceId string
// LOGGING PARAMETERS
@description('Log Analytics Workspace Resource Id Needed for NSG, VNet and Activity Logging')
param parLogAnalyticsWorkspaceResourceId string
@description('Log Analytics Workspace Name Needed Activity Logging')
param parLogAnalyticsWorkspaceName string
```
> <span class="note">NOTE</span>: The **parHubSubscriptionId** parameter is the subscription Id of the Hub Network. The **parHubResourceGroupName** parameter is the resource group name of the Hub Network. The **parHubVirtualNetworkName** parameter is the virtual network name of the Hub Network. The **parHubVirtualNetworkResourceId** parameter is the virtual network resource Id of the Hub Network. The **parLogAnalyticsWorkspaceResourceId** parameter is the Log Analytics Workspace resource Id. The **parLogAnalyticsWorkspaceName** parameter is the Log Analytics Workspace name. These parameters will be used to create the Tier 3 spoke as part of a Hub 3 Spoke Platform.
2. Next, we will be adding the SQL Server object parameter for the deployment. The SQL Server object parameter is the object that will have all the parameters that defines a Sql Server for Azure. Add the following parameters to the **/deploy.bicep** file:
**Azure Terraform**
``` PowerShell
// SQL SERVER PARAMETERS
@description('Defines the Sql Server Object.')
param parSqlServer object
```
> <span class="note">NOTE</span>: The **parSqlServer** parameter will be used to create the Sql Server resource and will contain the following properties:
| Name | Type | Description |
| -------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| name | string | The name of the Sql Server. |
| location | string | The location of the Sql Server. |
| tags | object | The tags of the Sql Server. |
| sku | string | The sku of the Sql Server. |
| version | string | The version of the Sql Server. |
| administratorLogin | string | The administrator login of the Sql Server. |
| administratorLoginPassword | string | The administrator login password of the Sql Server. |
| publicNetworkAccess | string | The public network access of the Sql Server. |
| minimalTlsVersion | string | The minimal TLS version of the Sql Server. |
| databases | int | The databases for the Sql Server. |
| firewallRules | array | The firewall rules of the Sql Server. |
| minimalTlsVersion | string | Minimal TLS version allowed. [1.0, 1.1, 1.2] |
| publicNetworkAccess | bool | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and neither firewall rules nor virtual network rules are set. |
| enableLocks | bool | Enable resource lock |
We will be adding the **parSqlServer** parameters to the **/parameters/deploy.parameters.json** file in Part 3.
1. Now we will start building the Tier 3 module for the deployment. The Tier 3 module are used to create the resources for the workload deployment. Add the following modules to the **/deploy.bicep** file:
**Azure Terraform**
``` PowerShell
//=== TAGS ===
var referential = {
workload: parWorkloadSpoke.name
}
@description('Resource group tags')
module modTags '../../azresources/Modules/Microsoft.Resources/tags/az.resources.tags.bicep' = {
name: 'Sql-Resource-Tags-${parDeploymentNameSuffix}'
scope: subscription()
params: {
tags: union(parTags, referential)
}
}
//=== Workload Tier 3 Buildout ===
module modTier3 '../../overlays/management-services/workloadSpoke/deploy.bicep' = {
name: 'deploy-wl-vnet-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parWorkloadSpoke.subscriptionId)
params: {
//Required Parameters
parRequired:parRequired
parLocation: parLocation
parTags: modTags.outputs.tags
//Hub Network Parameters
parHubSubscriptionId: parHubSubscriptionId
parHubVirtualNetworkResourceId: parHubVirtualNetworkResourceId
parHubVirtualNetworkName: parHubVirtualNetworkName
parHubResourceGroupName: parHubResourceGroupName
//WorkLoad Parameters
parWorkloadSpoke: parWorkloadSpoke
//Logging Parameters
parLogAnalyticsWorkspaceName: parLogAnalyticsWorkspaceName
parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
parEnableActivityLogging: true
}
}
//=== End Workload Tier 3 Buildout ===
```
1. Next, we will start building the Sql Server Overlay module for the deployment. The Sql Server Overlay module are used to create the resources for the Sql Server deployment. Add the following modules to the **/deploy.bicep** file:
**Azure Terraform**
``` PowerShell
//=== Sql Server Workload Buildout ===
module modSqlServerDeploy '../../overlays/management-services/sqlServer/deploy.bicep' = {
name: 'deploy-sql-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parWorkloadSpoke.subscriptionId)
params: {
parLocation: parLocation
parSqlServer: parSqlServer
parRequired: parRequired
parTags: modTags.outputs.tags
parTargetResourceGroup: modTier3.outputs.workloadResourceGroupName
parTargetSubscriptionId: parWorkloadSpoke.subscriptionId
}
dependsOn: [
modTier3
]
}
```
> <span class="note">IMPORTANT</span>: The **modSqlServerDeploy** module uses the Workload Tier 3 module as a dependency. This is because the Sql Server Overlay module will be deployed to the Workload Spoke Tier 3 resource group.
### Part 3: Build the Parameters for the Sql Server Workload Deployment
> <span class="note">NOTE</span>: The following steps will be adding the parameters for the Sql Server Workload deployment. The parameters will be added to the **/parameters/deploy.parameters.json** file.
---
1. Now let's build the parameters for the Sql Server Workload. Add the following to the **/parameters.json** file:
**JSON**
``` JSON
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"parRequired": {
"value": {
"orgPrefix": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev"
}
},
"parTags": {
"value": {
"organization": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev",
"deploymentType": "NoOpsTerraform"
}
},
"parWorkloadSpoke": {
"value": {
"name": "sqlServer",
"shortName": "sqlServer",
"subscriptionId": "<<your subscriptionId>>",
"enableDdosProtectionPlan": false,
"network": {
"virtualNetworkAddressPrefix": "10.0.125.0/26",
"subnetAddressPrefix": "10.0.125.0/26",
"allowVirtualNetworkAccess": true,
"useRemoteGateway": false,
"virtualNetworkDiagnosticsLogs": [],
"virtualNetworkDiagnosticsMetrics": [],
"networkSecurityGroupRules": [],
"NetworkSecurityGroupDiagnosticsLogs": [
"NetworkSecurityGroupEvent",
"NetworkSecurityGroupRuleCounter"
],
"subnetServiceEndpoints": [
{
"service": "Microsoft.Storage"
}
],
"subnets": [],
"routeTable": {
"disableBgpRoutePropagation": true,
"routes": [
{
"name": "wl-routetable",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopIpAddress": "10.0.100.4",
"nextHopType": "VirtualAppliance"
}
}
]
}
},
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"<<PrincipalID>>"
],
"roleDefinitionIdOrName": "Contributor"
}
}
},
"parHubSubscriptionId": {
"value": "<<hub subscriptionId>>"
},
"parHubResourceGroupName": {
"value": "anoa-eastus-dev-hub-rg"
},
"parHubVirtualNetworkName": {
"value": "anoa-eastus-dev-hub-vnet"
},
"parHubVirtualNetworkResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/anoa-eastus-dev-hub-rg/providers/Microsoft.Network/virtualNetworks/anoa-eastus-dev-hub-vnet"
},
"parLogAnalyticsWorkspaceResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/anoa-eastus-dev-logging-rg/providers/microsoft.operationalinsights/workspaces/anoa-eastus-dev-logging-log"
},
"parLogAnalyticsWorkspaceName": {
"value": "anoa-eastus-dev-logging-log"
},
"parSqlServer": {
"value": {
"sqlServerName": "sqlsrv-001",
"administratorLogin": "azureuser",
"administratorLoginPassword": "Rem0te@2020246",
"minimalTlsVersion": "1.2",
"publicNetworkAccess": "Enabled",
"enableLocks": 'CanNotDelete',
"databases": [
{
"name": "anoa",
"collation": "SQL_Latin1_General_CP1_CI_AS",
"licenseType": "LicenseIncluded",
"maxSizeBytes": 34359738368,
"skuCapacity": 12,
"skuFamily": "Gen5",
"skuName": "BC_Gen5",
"skuTier": "BusinessCritical"
}
],
"firewallRules": [
{
"endIpAddress": "0.0.0.0",
"name": "AllowAllWindowsAzureIps",
"startIpAddress": "0.0.0.0"
}
]
}
}
}
}
```
> <span class="note">NOTE</span>: The **parWorkloadSpoke** parameter is the same as the one used in the previous section. The **parSqlServer** parameter is the same as the one used in the previous section. It is important make sure that all network parameters are correct. IP addresses and subnet ranges should be unique and not overlap with other subnets in the hub or other workload spokes.
---
1. Make the following changes to the **deploy.parameters.json** file or leave default values:
- parRequired.orgPrefix = **\<your org prefix or the default 'anoa'\>**
- parTags.organization = **\<your org prefix or the default ANOA\>**
- parTags.region = **\<your Azure region (eastus, usgovvirginia, etc...)\>**
- parHubSubscriptionId = **\<subscription Id to Hub subscription\>**
- parHubResourceGroupName = **\<Resource Group Name to Hub RG\>**
- parHubVirtualNetworkResourceId = **\<Virtual Network Resource Id to Hub Network\>**
- parHubVirtualNetworkName = **\<Virtual Network Name of the Hub Network\>**
- parLogAnalyticsWorkspaceResourceId = **\<Log Analytics Workspace Resource Id to Hub Network\>**
- parLogAnalyticsWorkspaceName = **\<Log Analytics Workspace Name to Hub Network\>**
- parSqlServer.sqlServerName = **\<your sql server name\>**
- parSqlServer.administratorLogin = **\<your sql server administrator login\>**
- parSqlServer.administratorLoginPassword = **\<your sql server administrator login password\>**
- parSqlServer.databases.name = **\<your sql server database name\>**
> <span class="note">NOTE</span>: All Hub Network parameters are required. If you are using the default Hub/3 Spoke deployment, you can leave the default values. If you are using a custom Hub/Spoke deployment, you will need to update the parameters with the values from your custom Hub deployment. Make sure to fill in <<subscriptionId>> parameters with the correct subscriptions.
### Part 4: Deploy Sql Server Workload
> <span class="note">NOTE</span>: The following steps will deploy the Sql Server workload with an Tier 3 Spoke Network. The deployment will take approximately 20 minutes to complete. The deployment will fail if there is not a existing Hub/3 Spoke Network deployed. If the deployment fails, check the deployment logs for more information.
---
##### Validate the deployment with WhatIf
> <span class="note">NOTE</span>: The **WhatIf** parameter is used to validate the deployment without actually deploying the resources. This is a great way to validate the deployment before actually deploying the resources.
1. Open PowerShell and change to your directory containing the NoOps Accelerator, this demonstration uses **c\anoa**
2. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\workloads\wl-sqlserver-spoke\'**
3. Issue **$context = Get-AzContext** and record the following values: -
- Subscription ID: **$context.Subscription.Id**
> <span class="note">NOTE</span>: If more than one value is returned, choose the subscription you are targeting to create the sql server workload. You can also use **Set-AzContext** to set your current subscription for this session.
4. Issue the command:
**Azure CLI**
``` PowerShell
az deployment sub what-if --subscription $context.Subscription.Id --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location
```
> <span class="note">NOTE</span>: The **--location** parameter is used to specify the location for the resource group. This is not the location for the Sql Server. The location for the Sql Server is specified in the **parameters.json** file.
5. Review the output of the command and verify that the deployment will create the resource group and the sql server.
##### Deploy Sql Server Workload Spoke
1. Open PowerShell and change to your directory containing the NoOps Accelerator, this demonstration uses **c\anoa**
1. Issue the command **az login** and log into your tenant
1. In your PowerShell session Issue **Set-Location -Path 'c:\anoa\src\bicep\overlays\sqlserver'**
1. Issue **$context = Get-AzContext** and record the following values: -
- Subscription ID: **$context.Subscription.Id**
> **NOTE**: If more than one value is returned, choose the subscription you are targeting to create the sql server overlay. You can also use **Set-AzContext** to set your current subscription for this session.
2. Issue the command updating the **--subscription** parameter with your subscription id and the **--location** parameter to your location
**Azure CLI**
``` PowerShell
az deployment sub create --name 'deploy-sql-server' --template-file 'deploy.bicep' --parameters '@parameters/deploy.parameters.json' --location $location --subscription $context.Subscription.Id --only-show-errors
```
##### Remove the Sql Server Overlay
1. Issue thus command:
**Azure CLI**
``` PowerShell
Remove-AzResourceGroup -Name 'anoa-usgovvirginia-dev-sqlsrv-rg'
```
<span class="note">NOTE</span>: The resource group name is based on the parameters you used when deploying the overlay. Change the resource group name to match your previous deployment.
##### References
---
[Deploying Management Groups with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/management-groups)
[Deploying Roles with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/roles)
[Deploying Policy for Guardrails with the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/overlays/Policy)
[Deploying SCCA Compliant Hub and 1-Spoke using the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/platforms/lz-platform-scca-hub-1spoke)
[Deploying a Kubernetes Private Cluster Workload using the Azure NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep/workloads/wl-aks-spoke)

21
docs/training/terraform/Demonstration 9 - RolesManagement.md Normal file
Просмотреть файл

@ -0,0 +1,21 @@
<!-- markdownlint-configure-file { "MD004": { "style": "consistent" } } -->
<!-- markdownlint-disable MD033 -->
<style>
body { font-family: Segoe UI Light; }
h1 { font-size: 20pt; }
h2 { font-size: 18pt; }
h3 { color: #002060; font-size: 16pt; font-weight: bold; }
h4 { color: #002060; font-size: 14pt; font-weight: bold; margin-top: 15px; margin-bottom: 15px; }
h5 { color: #002060; font-size: 12pt; font-weight: bold; }
h6 { color: #002060; font-size: 12pt; font-weight: normal; }
.title {color: #002060; font-size: 12pt; font-weight: bold; text-align: right; margin-bottom: 40px;}
hr {border: 0; height: 1px; background: #333; background-image: -webkit-linear-gradient(left, #ccc, #333, #ccc); background-image: -moz-linear-gradient(left, #ccc, #333, #ccc); background-image: -ms-linear-gradient(left, #ccc, #333, #ccc); background-image: -o-linear-gradient(left, #ccc, #333, #ccc);}
.note { color: #ff6347; font-size: 12pt; font-weight: bold; }
pre {font-family: Consolas, "Andale Mono WT", "Andale Mono", "Lucida Console", "Lucida Sans Typewriter", "DejaVu Sans Mono", "Bitstream Vera Sans Mono", "Liberation Mono", "Nimbus Mono L", Monaco, "Courier New", Courier, monospace; font-weight: normal; white-space: pre-wrap; overflow-x: auto;}
</style>
<!-- markdownlint-enable MD033 -->
# Demonstration: Create and Deploy Roles using Azure NoOps Accelerator
<div class="title">A step-by-step creation and deployment of Roles for an Mission Enclave using the Azure NoOps Accelerator.
</div>

28
docs/wiki/Home.md
Просмотреть файл

@ -1,28 +0,0 @@
<!-- markdownlint-disable -->
## Azure NoOps Accelerator User Guide
<!-- markdownlint-restore -->
**Azure NoOps Accelerator** is a flexible foundation
that enables US Department of Defense and other Public Sector customers
to quickly develop and maintain
opinionated, policy-driven, and self-service
encalves in their Azure environments.
Delivered as a collection of infrastructure as code (IaC) [module templates](https://github.com/Azure/NoOpsAccelerator/tree/main/src/bicep) written in Bicep, the NoOps Accelerator is intended to empower organizations on their journey towards a continuous deployment and governance model for their cloud infrastructure.
## Navigation
* [What is NoOps?](https://github.com/Azure/NoOpsAccelerator/wiki/What-is-NoOps)
* [What's New?](https://github.com/Azure/NoOpsAccelerator/wiki/Whats-new)
* [Frequently Asked Questions (FAQ)](https://github.com/Azure/NoOpsAccelerator/wiki/FAQ)
* [Training on the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/wiki/Training)
* Deploying NoOps Accelerator
* [Pre-requisites](https://github.com/Azure/NoOpsAccelerator/wiki/Deploying-NoOps-Accelerator-Pre-requisites)
* [Telemetry Tracking Using Customer Usage Attribution (PID)](https://github.com/Azure/NoOpsAccelerator/wiki/Deploying-NoOps-Accelerator-CustomerUsage)
* [Deploy NoOps Accelerator with a hub and spoke based network topology](https://github.com/Azure/NoOpsAccelerator/wiki/Deploying-NoOps-Accelerator-HubAndSpoke)
* [Contributing](https://github.com/Azure/NoOpsAccelerator/wiki/NoOpsAccelerator-Contribution)
## Schedule
* Sept 2022 - Initial Deployment to Public
* Jan 2022 - Internal Conception

213
docs/wiki/NoOpsAccelerator-Policies.md
Просмотреть файл

@ -1,213 +0,0 @@
# Policies included in NoOps Accelerator reference implementations
As you increase your deployments and subscriptions in the NoOps Accelerator architecture, Azure Policy and deployIfNotExist provide platform autonomy and lessen operational burden. The main goal is to make sure that resources and subscriptions are compliant while allowing application teams to deploy using their own preferred tools and clients.
> Please refer to [Policy Driven Governance](https://docs.microsoft.com/en-gb/azure/cloud-adoption-framework/ready/landing-zone/design-principles#policy-driven-governance) for further information.
## Why are there custom policy definitions as part of NoOps Accelerator reference implementation?
To make sure that we develop and improve the reference implementations to suit customers requirements, we collaborate with and learn from our customers and partners. We are gradually migrating these rules to built-ins. The main strategies of the policies included in NoOps Accelerator are to be proactive (deployIfNotExist, and modify), and preventive (deny).
## What Azure Policies does NoOps Accelerator reference implementation provide additionally to those already built-in?
There are around 104 custom Azure Policy Definitions included and around 7 Custom Azure Policy Initiatives included as part of the Azure Landing Zones implementation that add on to those already built-in within each Azure customers tenant.
All custom Azure Policy Definitions and Initiatives are the same across all implementation options for NoOps Accelerator.
This is because the single source of truth is the [`NoOps Accelerator` repo](https://github.com/Azure/NoOpsAccelerator) that the Bicep implementation options pull from to build their `policy` folders respectively.
For a complete list of all custom and built-in policies deployed within an Azure Landing Zone deployment, please refer to the following [section](https://github.com/Azure/NoOpsAccelerator/blob/main/docs/NoOpsAccelerator-Policies.md#what-policy-definitions-are-assigned-within-the-azure-landing-zones-custom--built-in).
> Our goal is always to try and use built-in policies where available and also work with product teams to adopt our custom policies and make them built-in, which takes time. This means there will always be a requirement for custom policies.
## What policy definitions are assigned within the NoOps Accelerator reference implementation (Custom & Built-in)?
As part of a default deployment configuration, policy and policy set definitions are deployed at multiple levels within the NoOps Accelerator Landing Zone Management Group hierachy as depicted within the below diagram.
![image](./media/MgmtGroups_Policies_v0.1.jpg)
The subsequent sections will provide a summary of policy sets and policy set definitions applied at each level of the Management Group hierachy.
>NOTE: Although the below sections will define which policy definitions/sets are applied at specific scopes, please remember that policy will inherit within your management group hierachy.
## Intermediate Root
This management group is a parent to all the other management groups created withn the default Azure Landing Zone configuration. Policy assignment is predominantly focused on assignment of security and monitoring best practices to ensure compliance and reduced operational overhead.
<table>
<tr><th>Management Group </th><th>Policy Configuration</th></tr>
<tr></tr>
<tr><td>
![image](./media/IntRoot_v0.1.jpg)
</td><td>
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **5** |
| `Policy Definitions` | **3** |
</td></tr> </table>
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Intermediate Root Management Group**.
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
| -------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- | ------- |
### Platform
This management group contains all the platform child management groups, like management, connectivity, and identity. There are currently no policies assigned at this management group
<table>
<tr><th>Management Group </th><th>Policy Configuration</th></tr>
<tr></tr>
<tr><td>
![image](./media/Platform_v0.1.jpg)
</td><td>
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **0** |
| `Policy Definitions` | **0** |
</td></tr> </table>
### Connectivity
This management group contains a dedicated subscription for connectivity. This subscription will host the Azure networking resources required for the platform, like Azure Virtual WAN, Azure Firewall, and Azure DNS private zones. Policy assignment is predominantly focused on Azure DDoS Protection.
<table>
<tr><th>Management Group </th><th>Policy Configuration</th></tr>
<tr></tr>
<tr><td>
![image](./media/Connectivity_v0.1.jpg)
</td><td>
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **0** |
| `Policy Definitions` | **1** |
</td></tr> </table>
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Connectivity Management Group**.
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
| -------------------------------------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | ------- |
### Management
This management group contains a dedicated subscription for management, monitoring, and security. This subscription will host an Azure Log Analytics workspace, including associated solutions, and an Azure Automation account. Policy assignment is predominantly focused on the deployment and configuration of the Log Analytics Workspace.
<table>
<tr><th>Management Group </th><th>Policy Configuration</th></tr>
<tr></tr>
<tr><td>
![image](./media/Management_v0.1.jpg)
</td><td>
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **0** |
| `Policy Definitions` | **1** |
</td></tr> </table>
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Management Management Group**.
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
| ------------------------ | ---------------------------------------------------------------------------------------------- | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | ----------------- | ------- |
### Identity
This management group contains a dedicated subscription for identity. This subscription is a placeholder for Windows Server Active Directory Domain Services (AD DS) virtual machines (VMs) or Azure Active Directory Domain Services. Policy assignment is predominantly focused on hardening and management of resources in the identity subscription.
<table>
<tr><th>Management Group </th><th>Policy Configuration</th></tr>
<tr></tr>
<tr><td>
![image](./media/Identity_v0.1.jpg)
</td><td>
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **0** |
| `Policy Definitions` | **4** |
</td></tr> </table>
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Identity Management Group**.
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
| ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | ------- |
### Landing Zones
This is the parent management group for all the landing zone child management groups. Policy assignment is predominantly focused on ensuring workloads residing under this hierachy are secure and compliant.
<table>
<tr><th>Management Group </th><th>Policy Configuration</th></tr>
<tr></tr>
<tr><td>
![image](./media/LandingZone_v0.1.jpg)
</td><td>
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **1** |
| `Policy Definitions` | **12** |
</td></tr> </table>
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Landing Zones Management Group**.
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
| ------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ------- |
### Internal
This management group is for internal landing zones. This group is for workloads that require connectivity or hybrid connectivity with the corporate network via the hub in the connectivity subscription. Policy assignment is predominantly focused on ensuring workloads residing under this hierachy are secure and compliant.
<table>
<tr><th>Management Group </th><th>Policy Configuration</th></tr>
<tr></tr>
<tr><td>
![image](./media/Internal_v0.1.jpg)
</td><td>
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **2** |
| `Policy Definitions` | **3** |
</td></tr> </table>
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Corp Management Group**.
| Assignment Name | Definition Name | Policy Type | Description | Effect(s) | Version |
| -------------------------------------------------------------- | -------------------------------------------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- | ------- |
### Sandbox
This management group is for subscriptions that will only be used for testing and exploration by an organization. These subscriptions will be securely disconnected from the corporate and online landing zones. Sandboxes also have a less restrictive set of policies assigned to enable testing, exploration, and configuration of Azure services. There are currently no policies assigned at this management group.
<table>
<tr><th>Management Group </th><th>Policy Configuration</th></tr>
<tr></tr>
<tr><td>
![image](./media/Sandbox_v0.1.jpg)
</td><td>
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **0** |
| `Policy Definitions` | **0** |
</td></tr> </table>

6
docs/wiki/NoOpsAccelerator-Roadmap.md
Просмотреть файл

@ -1,6 +0,0 @@
# Roadmap
We intend to update the content within this repo in alignment with Azure Semester planning.
| Milestone | Scope | Status |
|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|

4
docs/wiki/Whats-new.md
Просмотреть файл

@ -1,4 +0,0 @@
## In this Section
- [In this Section](#in-this-section)
- [Updates](#updates)

5
docs/wiki/_Footer.md
Просмотреть файл

@ -1,5 +0,0 @@
# This wiki is being actively developed
If you discover any documentation bugs or would like to request new content, please raise them as an issue on the repo.
Contributions to this wiki are done through the main repo under [docs/wiki](https://github.com/Azure/NoOpsAccelerator/tree/main/docs/wiki).

11
docs/wiki/_Sidebar.md
Просмотреть файл

@ -1,11 +0,0 @@
# Wiki Top Navigation
* [What is NoOps?](https://github.com/Azure/NoOpsAccelerator/wiki/What-is-NoOps)
* [What's New?](https://github.com/Azure/NoOpsAccelerator/wiki/Whats-new)
* [Frequently Asked Questions (FAQ)](https://github.com/Azure/NoOpsAccelerator/wiki/FAQ)
* [Training on the NoOps Accelerator](https://github.com/Azure/NoOpsAccelerator/wiki/Training)
* Deploying NoOps Accelerator
* [Pre-requisites](https://github.com/Azure/NoOpsAccelerator/wiki/Deploying-NoOps-Accelerator-Pre-requisites)
* [Telemetry Tracking Using Customer Usage Attribution (PID)](https://github.com/Azure/NoOpsAccelerator/wiki/Deploying-NoOps-Accelerator-CustomerUsage)
* [Deploy NoOps Accelerator with a hub and spoke based network topology](https://github.com/Azure/NoOpsAccelerator/wiki/Deploying-NoOps-Accelerator-HubAndSpoke)
* [Contributing](https://github.com/Azure/NoOpsAccelerator/wiki/NoOpsAccelerator-Contribution)

3141
docs/wiki/media/archetypes/archetype-mlz.svg
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 190 KiB

Двоичные данные
docs/wiki/media/archetypes/archetype.png
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 54 KiB

Двоичные данные
docs/wiki/media/architecture/AzurePolicyCompliancedashboard.png
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 351 KiB

Двоичные данные
docs/wiki/media/architecture/log-analytics-workspace.jpg
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 116 KiB

Двоичные данные
docs/wiki/media/architecture/management-group-structure.jpg
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 73 KiB

Двоичные данные
docs/wiki/media/architecture/networking.png
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 38 KiB

Двоичные данные
docs/wiki/media/architecture/policy-compliance.jpg
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 493 KiB

Двоичные данные
docs/wiki/media/architecture/remediation-non-compliant.png
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 48 KiB

Двоичные данные
docs/wiki/media/architecture/remediation-tasks.png
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 107 KiB

Двоичные данные
docs/wiki/media/architecture/tags.jpg
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 266 KiB

Двоичные данные
docs/wiki/media/bicep-logo.png
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 15 KiB

Двоичные данные
docs/wiki/media/clip_image006.jpg
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 22 KiB

Двоичные данные
docs/wiki/media/clip_image008.jpg
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 34 KiB

Двоичные данные
docs/wiki/media/high-level-deployment-flow.png
Просмотреть файл

Двоичный файл не отображается.
Режим "рядом"

До

Ширина:  |  Высота:  |  Размер: 128 KiB

201
docs/wiki/overlay-authoring-guide.md
Просмотреть файл

@ -1,201 +0,0 @@
# Overlay Authoring Guide
Azure NoOps Accelerator Overlays are self-contained Bicep deployment templates that allows to extend AzResources services with specific configurations or combine them to create more useful objects. Therefore, deploying an overlay will result in an enahancing a Azure landing zone that can be scaled and refined based on business or deployment need.
The goal of this authoring guide is to provide step-by-step instructions to create new and update existing overlays.
## Table of Contents
- [Overlay Authoring Guide](#overlay-authoring-guide)
- [Table of Contents](#table-of-contents)
- [Folder structure](#folder-structure)
- [Create a new overlays](#create-a-new-overlays)
- [Build new overlays](#build-new-overlays)
- [Requirements for overlays](#requirements-for-overlays)
- [Approach](#approach)
- [Common features](#common-features)
---
## Folder structure
Overlays are located in [`overlays`](../../overlays) folder and organized as folder per overlay. Here are the current overlays with links to documentation:
- Management Group overlay
- [`management-groups`](../src/bicep/../../../src/bicep/overlays/management-groups/readme.md) - Deploys a management group hierarchy in a tenant under the `Tenant Root Group`.
- Management Service overlays
- [`app-service-plan`](../src/bicep/../../../src/bicep/overlays/management-services/app-service-plan/readme.md) - Deploys a app service plan.
- [`applicationGateway`](../src/bicep/../../../src/bicep/overlays/management-services/applicationGateway/readme.md) - Deploys a application gateway.
- [`automation`](../src/bicep/../../../src/bicep/overlays/management-services/automation/readme.md) - Deploys a automation account.
- [`azureSecurityCenter`](../src/bicep/../../../src/bicep/overlays/management-services/azureSecurityCenter/readme.md) - Deploys Azure Security Center.
- [`bastion`](../src/bicep/../../../src/bicep/overlays/management-services/bastion/readme.md) - Deploys a Bastion host for Remote Access.
- [`containerRegistry`](../src/bicep/../../../src/bicep/overlays/management-services/containerRegistry/readme.md) - Deploys a Azure Container Registry.
- [`dataBricksWorkspace`](readme.md) - Deploys a Azure Data Bricks Workspace.
- [`keyVault`](../src/bicep/../../../src/bicep/overlays/management-services/keyvault/readme.md) - Deploys a Azure Key Vault.
- [`KubernetesPrivateCluster-Kubenet`](../src/bicep/../../../src/bicep/overlays/management-services/kubernetesPrivateCluster-Kubnet/readme.md) - Deploys a Azure Kubernetes Private Cluster with Kubenet.
- Policy overlay
- [`policy`](../src/bicep/../../../src/bicep/overlays/policy/readme.md) - Deploys a policy definitions/assignments in a specific `Management Group`.
- Roles overlay
- [`roles`](../src/bicep/../../../src/bicep/overlays/roles/readme.md) - Deploys a role definitions in a specific `Management Group`.
---
## Create a new overlays
Overlays are are self-contained Bicep deployment templates that allows you to extend AzResources services with specific configurations or combine them to create more useful objects.
Overlays provide the ability to build new azure resources with an use case specific architecture in a repeatable method. One Overlay can be used to configure many different deployment sceniros.
### Build new overlays
You should develop new overlays when a common deployment need or azure service need emerges within your organization. The return on investment increases when the overlays is used in workloads and deployed to 10s or 100s of subscriptions.
New features can be placed behind feature flags to provide customization/choices of Azure services to configure at deployment time. For example, we use feature flags to control Bastion and VM Instance deployment in the Remote Access - Bastion Overlay.
The `parRemoteAccess.enable` feature flag for Bastion deployment:
```json
"parRemoteAccess": {
"value": {
"enable": true,
"bastion": {
// excluded
}
}
}
```
The `parRemoteAccess.linux.enable` feature flag for VM Instance deployment:
```json
"linux": {
"enable": true,
"vmName": "bastion-linux",
}
"windows": {
"enable": true,
"vmName": "bastion-windows",
}
```
### Requirements for overlays
Each overlay is intended to be self-contained and provides all deployment templates required to deployed to a subscription.
Key requirements for each overlay are:
- overlay folder must contain the overlay name. For example `app-service-plan`.
- Entrypoint for an overlay is `deploy.bicep`. Every overlay must provide `deploy.bicep` in its respective folder.
- Every overlay must provide `deploy.paramters.json` in its respective parameters folder.
- Deployment must be scoped to `subscription`. Scope is set in `deploy.bicep` using `targetScope` declaration.
```bicep
targetScope = 'subscription'
```
- Implements [common features](#common-features).
### Approach
1. Identify at least 5 use cases that can benefit from an overlay and label all common features. This is the MVP for the overlay. An application team would receive the implementation of the MVP features deployed in their subscription. Use case specific features can be added to a deployment by the application team as they adapt their environment.
2. Design what spoke virtual network to support the overlay. You must consider Hub & Spoke network topology or another network topology.
3. Scaffold the overlay:
- Create a new folder under `management-services` prefixed with the name. For example, `sqlServer`.
- Create `deploy.bicep`, set the `targetScope` as `subscription`
- Create required parameters for [common features](#common-features)
- Create a deploy.parameters.json and run a subscription scoped deployment through Azure CLI.
```bash
az deployment sub create --template-file <path to overlay deploy.bicep> --parameters @<path to overlay parameters file> --subscription-id <subscription id> --location eastus
```
This is a validation that the overlay scaffolding is in-place.
4. Add overlay specific deployment instructions and incrementally verify through deployment.
5. Debug deployment failures.
- Navigate to the subscription in Azure Portal
- Navigate to **Deployments** under **Settings**
- Identify the failed deployment step & troubleshoot
6. Update documentation.
## Common features
An overlay can deploy & configure any number of Azure services. For consistency across all overlays, We recommend the following common features:
- **Required** - all required fields for the deployment module.
- **Resource Tags** - configures tags on resource groups
- **Target Subscription Id** - configures the overlay target subscription.
- **Target Resource Group** - configures the overlay target resource group for the subscription
- **Subscription Role Assignments to Security Groups** - configures role-based access control at subscription scope
- **Hub Subscription Resource Group** - configures Hub subscription resource group
- **Hub VNet Name** - configures Hub subscription Virtual Netwrok Name.
- **Subscription Tags** - configures subscription tags
> **Log Analytics Workspace integration**: `deploy.bicep` must accept an input parameter named `parLogAnalyticsWorkspaceResourceId`. This parameter is used to link Microsoft Defender for Cloud to Log Analytics Workspace.
> **NOTE:** Some overlays will have some or all common features. This is depending on how the overlay is being used.
Input parameters for common features are:
```bicep
// Log Analytics
@description('Log Analytics Resource Id to integrate Microsoft Defender for Cloud.')
param logAnalyticsWorkspaceResourceId string
// Target Resource Group Name
@description('The name of the resource group in which the overlay will be deployed. If unchanged or not specified, the NoOps Accelerator will create an resource group to be used.')
param parTargetResourceGroup string
// Hub Subnet Resource Id
@description('The name of the The Hub Subnet Resource Id')
param parHubSubnetResourceId string
// Hub Virtual Network Name
@description('The Hub Virtual Network Name for the Hub Network.')
param parHubVirtualNetworkName string
// Hub Network Security Group Resource Id
@description('The Hub Network Security Group Resource Id')
param parHubNetworkSecurityGroupResourceId string
@description('Required tags values used with all resources.')
param parTags object
@description('Required values used with all resources.')
param parRequired object
```
These features are packaged into a Bicep module and can be invoked by the overlay (i.e. by `deploy.bicep`).
Example module parameters from `deploy.parameters.json`:
```bicep
// REQUIRED PARAMETERS
"parRequired": {
"value": {
"orgPrefix": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "mlz"
}
}
// REQUIRED TAGS
"parTags": {
"value": {
"organization": "anoa",
"region": "eastus",
"templateVersion": "v1.0",
"deployEnvironment": "platforms",
"deploymentType": "NoOpsBicep"
}
}
```
---