Thodoris Theodorou 2023-06-14 07:32:28 +03:00 коммит произвёл GitHub
Родитель 5216e403ab
Коммит 73bdf82db3
18 изменённых файлов: 761 добавлений и 303 удалений


@ -53,7 +53,7 @@ az deployment sub create \
--template-file main.bicep \
--location $location \
--name $deploymentName \
--parameters ./main.parameters.local.jsonc
--parameters ./main.parameters.jsonc
```
### Powershell (windows based OS)
@ -65,7 +65,7 @@ az deployment sub create `
--template-file main.bicep `
--location $location `
--name $deploymentName `
--parameters ./main.parameters.local.jsonc
--parameters ./main.parameters.jsonc
```
@ -75,10 +75,18 @@ This is a manual step that is required to complete the private endpoint connecti
```bash
# Update the resource group name to match the one used in the deployment of the webapp
rg_name="rg-secure-baseline-dev"
webapp_id=$(az webapp list -g $rg_name --query "[].id" -o tsv)
fd_conn_id=$(az network private-endpoint-connection list --id $webapp_id --query "[?properties.provisioningState == 'Pending'].{id:id}" -o tsv)
az network private-endpoint-connection approve --id $fd_conn_id --description "Approved"
rg_name="rg-spoke-appsvclza1-dev-northeurope"
webapp_ids=$(az webapp list -g $rg_name --query "[].id" -o tsv)
# you might have more than one web apps, check for all of them if there are pending approvals
for webapp_id in $webapp_ids; do
# there might be more than one pending connection per web app
fd_conn_ids=$(az network private-endpoint-connection list --id $webapp_id --query "[?properties.provisioningState == 'Pending'].id" -o tsv)
for fd_conn_id in $fd_conn_ids; do
az network private-endpoint-connection approve --id "$fd_conn_id" --description "Approved"
done
done
```
### Connect to the Jumpbox VM (deployed in the spoke resource group)


@ -14,15 +14,22 @@ az deployment sub create \
--template-file main.json \
--location northeurope \
--name armAppSvcDeployment-01 \
--parameters ./main.parameters.local.jsonc
--parameters ./main.parameters.jsonc
# after the deployment you need to manually Approve the App Service private endpoint connection from Front Door
# Update the resource group name to match the one used in the deployment of the webapp
rg_name="rg-spoke-appsvc-lza-dev-northeurope"
webapp_id=$(az webapp list -g $rg_name --query "[].id" -o tsv)
fd_conn_id=$(az network private-endpoint-connection list --id $webapp_id --query "[?properties.provisioningState == 'Pending'].{id:id}" -o tsv)
az network private-endpoint-connection approve --id $fd_conn_id --description "Approved"
rg_name="rg-spoke-appsvclza1-dev-northeurope"
webapp_ids=$(az webapp list -g $rg_name --query "[].id" -o tsv)
for webapp_id in $webapp_ids; do
fd_conn_ids=$(az network private-endpoint-connection list --id $webapp_id --query "[?properties.provisioningState == 'Pending'].id" -o tsv)
for fd_conn_id in $fd_conn_ids; do
az network private-endpoint-connection approve --id "$fd_conn_id" --description "Approved"
done
done
# test
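Review bot: The nested loop approves every connection whose `properties.provisioningState` is `Pending` on each web app, not specifically the one created by the Front Door deployed alongside it, so any other pending request queued against the app at that moment would be approved in the same pass; the `az network private-endpoint-connection list` output also carries `properties.privateEndpoint.id` and `properties.privateLinkServiceConnectionState.description`, and filtering on one of those (presumably matching the AFD origin's request message or the expected endpoint, to be confirmed against a real listing) plus printing each id before `approve` would keep the approval scoped and auditable. The same snippet is duplicated in the README section above and, collapsed onto one line, in the `scriptContent` of the compiled main.json, so a change here should be mirrored there. Minor style points: `$rg_name` and `$webapp_id` are unquoted while `"$fd_conn_id"` is quoted, and the trailing `# test` line looks like a leftover that should be dropped.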


@ -475,7 +475,7 @@
},
{
"name": "extra",
"label": "Extra settings",
"label": "Jump-Box settings (VM)",
"elements": [
{
"name": "location",
@ -586,7 +586,201 @@
"visible": "[equals(steps('extra').jumpBoxSection.deployJumpHost, true)]"
}
]
},
{
"name": "sectionAdditionalTools",
"type": "Microsoft.Common.Section",
"label": "Post-Deployment installation of additional tools",
"visible": "[equals(steps('extra').jumpBoxSection.deployJumpHost, true)]",
"elements": [
{
"name": "txtBlockPostDeploymentInfo",
"type": "Microsoft.Common.TextBlock",
"visible": "[equals(steps('extra').jumpBoxSection.deployJumpHost, true)]",
"options": {
"text": "Below you can select if you wish to deploy some additional tools on the jump-box VM, i.e. azure cli, azure developer cli, git, sql server management studio. Have in mind that the more the tools you select, the more time it will take for the deployment to complete."
}
},
{
"name": "deployClis",
"type": "Microsoft.Common.DropDown",
"label": "Install useful CLIs (Azure, AZD, and Git)?",
"subLabel": "",
"defaultValue": "No",
"toolTip": "set to true if you want to install CLIs on the jump-box VM",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "Yes",
"value": true
},
{
"label": "No",
"value": false
}
],
"validations": []
},
"infoMessages": [],
"visible": "[equals(steps('extra').jumpBoxSection.deployJumpHost, true)]"
},
{
"name": "deploySsms",
"type": "Microsoft.Common.DropDown",
"label": "install Sql Server Management Studio (SSMS)?",
"subLabel": "",
"defaultValue": "No",
"toolTip": "set to true if you want install Sql Server Management Studio (SSMS) on the jump-box VM",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "Yes",
"value": true
},
{
"label": "No",
"value": false
}
],
"validations": []
},
"infoMessages": [],
"visible": "[equals(steps('extra').jumpBoxSection.deployJumpHost, true)]"
}
]
},
{
"name": "jumpBoxGithubRunnerSection",
"type": "Microsoft.Common.Section",
"label": "Jump-box GitHub Runner Settings",
"elements": [
{
"name": "deployGitHubRunner",
"type": "Microsoft.Common.DropDown",
"label": "Install Github Runner?",
"subLabel": "",
"defaultValue": "No",
"toolTip": "set to true if you want to deploy selft hosted GitHub Actions runner",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "Yes",
"value": true
},
{
"label": "No",
"value": false
}
],
"validations": []
},
"infoMessages": [],
"visible": true
},
{
"name": "githubRepositoryUrl",
"type": "Microsoft.Common.TextBox",
"label": "GitHub Repository URL",
"defaultValue": "",
"toolTip": "The URL of the Github repository to use for the Github Actions Runner. If this parameter is provided, then github_token must also be provided.",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": []
},
"infoMessages": [],
"visible": "[equals(steps('extra').jumpBoxGithubRunnerSection.deployGitHubRunner, true)]"
},
{
"name": "githubToken",
"type": "Microsoft.Common.TextBox",
"label": "GitHub Token",
"defaultValue": "",
"toolTip": "The GitHub token to use for the Github Actions Runner. If this parameter is provided, then github_repository_url must also be provided.",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": []
},
"infoMessages": [],
"visible": "[equals(steps('extra').jumpBoxGithubRunnerSection.deployGitHubRunner, true)]"
}
],
"visible": "[equals(steps('extra').jumpBoxSection.deployJumpHost, true)]"
},
{
"name": "jumpBoxAzDoAgentSection",
"type": "Microsoft.Common.Section",
"label": "Azure DevOps Self Hosted Agent Settings",
"elements": [
{
"name": "deployAzDoSelfHostedAgent",
"type": "Microsoft.Common.DropDown",
"label": "Install Azure DevOps Self Hosted Agent?",
"subLabel": "",
"defaultValue": "No",
"toolTip": "set to true if you want to deploy self hosted agent for Azure DevOps",
"constraints": {
"required": false,
"allowedValues": [
{
"label": "Yes",
"value": true
},
{
"label": "No",
"value": false
}
],
"validations": []
},
"infoMessages": [],
"visible": true
},
{
"name": "adoOrganization",
"type": "Microsoft.Common.TextBox",
"label": "URL of the Azure DevOps organization",
"defaultValue": "",
"toolTip": "The URL of the Azure DevOps organization to use for the Azure DevOps Agent. If this parameter is provided, then ado_token must also be provided",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": []
},
"infoMessages": [],
"visible": "[equals(steps('extra').jumpBoxAzDoAgentSection.deployAzDoSelfHostedAgent, true)]"
},
{
"name": "adoToken",
"type": "Microsoft.Common.TextBox",
"label": "Azure DevOps Token",
"defaultValue": "",
"toolTip": "The Azure DevOps token to use for the Azure DevOps Agent. If this parameter is provided, then ado_organization must also be provided.",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": []
},
"infoMessages": [],
"visible": "[equals(steps('extra').jumpBoxAzDoAgentSection.deployAzDoSelfHostedAgent, true)]"
}
],
"visible": "[equals(steps('extra').jumpBoxSection.deployJumpHost, true)]"
}
]
},
{
"name": "SQL",
"label": "Azure SQL settings",
"elements": [
{
"name": "sqlServerIntroSection",
"type": "Microsoft.Common.Section",
@ -630,7 +824,7 @@
"name": "sqlServerDeploySection",
"type": "Microsoft.Common.Section",
"label": "SQL Server settings",
"visible": "[equals(steps('extra').sqlServerIntroSection.deployAzureSql, true)]",
"visible": "[equals(steps('SQL').sqlServerIntroSection.deployAzureSql, true)]",
"elements": [
{
"name": "sqlServerAuthentication",
@ -667,7 +861,7 @@
{
"name": "sqlServerAdministratorsExplanation",
"type": "Microsoft.Common.TextBlock",
"visible": "[equals(steps('extra').sqlServerDeploySection.azureSqlAuthentication, 'AAD')]",
"visible": "[equals(steps('SQL').sqlServerDeploySection.azureSqlAuthentication, 'AAD')]",
"options": {
"text": "Replace AAD_SQL_ADMIN_GROUP with Azure AD group where your Azure administrators are members, sid value (xxxx-xxxx-xxxx-xxxx-xxxx) with Azure AD object ID of that group. The current tenantId value is already filled in."
}
@ -687,7 +881,7 @@
"validations": []
},
"infoMessages": [],
"visible": "[equals(steps('extra').sqlServerDeploySection.azureSqlAuthentication, 'AAD')]"
"visible": "[equals(steps('SQL').sqlServerDeploySection.azureSqlAuthentication, 'AAD')]"
},
{
"name": "sqlAdminLogin",
@ -703,7 +897,7 @@
"validations": []
},
"infoMessages": [],
"visible": "[equals(steps('extra').sqlServerDeploySection.azureSqlAuthentication, 'local')]"
"visible": "[equals(steps('SQL').sqlServerDeploySection.azureSqlAuthentication, 'local')]"
},
{
"name": "sqlAdminPassword",
@ -723,7 +917,7 @@
"options": {
"hideConfirmation": true
},
"visible": "[equals(steps('extra').sqlServerDeploySection.azureSqlAuthentication, 'local')]"
"visible": "[equals(steps('SQL').sqlServerDeploySection.azureSqlAuthentication, 'local')]"
}
]
}
@ -852,15 +1046,25 @@
"webAppBaseOs": "[steps('basics').appSvcPlanSection.webAppBaseOs]",
"adminUsername": "[steps('extra').jumpBoxSection.adminUsername]",
"adminPassword": "[if( equals ( steps('extra').jumpBoxSection.deployJumpHost, true), steps('extra').jumpBoxSection.vmCredentials.password , 'Pass@word123$' )]",
"sqlServerAdministrators": "[steps('extra').sqlServerDeploySection.sqlServerAdministrators]",
"sqlAdminLogin": "[steps('extra').sqlServerDeploySection.sqlAdminLogin]",
"sqlAdminPassword": "[steps('extra').sqlServerDeploySection.sqlAdminPassword]",
"deployAzureSql": "[steps('extra').sqlServerIntroSection.deployAzureSql]",
"sqlServerAdministrators": "[steps('SQL').sqlServerDeploySection.sqlServerAdministrators]",
"sqlAdminLogin": "[steps('SQL').sqlServerDeploySection.sqlAdminLogin]",
"sqlAdminPassword": "[steps('SQL').sqlServerDeploySection.sqlAdminPassword]",
"deployAzureSql": "[steps('SQL').sqlServerIntroSection.deployAzureSql]",
"deployJumpHost": "[steps('extra').jumpBoxSection.deployJumpHost]",
"enableEgressLockdown": "[steps('flags').enableEgressLockdown]",
"deployRedis": "[steps('flags').deployRedis]",
"deployAppConfig": "[steps('flags').deployAppConfig]",
"autoApproveAfdPrivateEndpoint": "[steps('flags').autoApproveAfdPrivateEndpoint]"
"autoApproveAfdPrivateEndpoint": "[steps('flags').autoApproveAfdPrivateEndpoint]",
"githubRepository": "[if( equals ( steps('extra').jumpBoxGithubRunnerSection.deployGitHubRunner, true), steps('extra').jumpBoxGithubRunnerSection.githubRepositoryUrl , '' )]",
"githubToken": "[if( equals ( steps('extra').jumpBoxGithubRunnerSection.deployGitHubRunner, true), steps('extra').jumpBoxGithubRunnerSection.githubToken , '' )]",
"adoOrganization": "[if( equals ( steps('extra').jumpBoxAzDoAgentSection.deployAzDoSelfHostedAgent, true), steps('extra').jumpBoxAzDoAgentSection.adoOrganization , '' )]",
"adoToken": "[if( equals ( steps('extra').jumpBoxAzDoAgentSection.deployAzDoSelfHostedAgent, true), steps('extra').jumpBoxAzDoAgentSection.adoToken , '' )]",
"installClis": "[steps('extra').sectionAdditionalTools.deployClis]",
"installSsms": "[steps('extra').sectionAdditionalTools.deploySsms]"
},
"kind": "Subscription",
"location": "[steps('basics').resourceScope.location.name]",
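Review bot: The new `githubToken` and `adoToken` elements are `Microsoft.Common.TextBox`, so the PAT values are rendered in clear text in the form and in the review step; changing `"type": "Microsoft.Common.TextBox"` to `"type": "Microsoft.Common.PasswordBox"` on both masks the input and emits them as secure strings to the outputs added at the end of this section. The toolTips say the repository URL and token (and organization URL and token) must be provided together, but with `"required": false` and an empty `regex` nothing enforces that pairing, so a validation on each pair, or at least `required` when the runner/agent dropdown is `true`, would catch a half-filled form before deployment. The `deployGitHubRunner` toolTip also has a typo, `selft hosted` should read `self hosted`.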


@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.17.1.54307",
"templateHash": "14607136235440263125"
"templateHash": "15757305463107983899"
}
},
"parameters": {
@ -207,6 +207,48 @@
"description": "set to true if you want to deploy a jumpbox/devops VM"
}
},
"githubRepository": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The URL of the Github repository to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_token must also be provided."
}
},
"githubToken": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The token to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_repository must also be provided."
}
},
"adoOrganization": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The URL of the Azure DevOps organization to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_token must also be provided."
}
},
"adoToken": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The PAT token to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_organization must also be provided."
}
},
"installClis": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "A switch to indicate whether or not to install the Azure CLI, AZD CLI and git. This parameter is optional. If not provided, the Azure CLI, AZD CLI and git will not be installed"
}
},
"installSsms": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "A switch to indicate whether or not to install Sql Server Management Studio (SSMS). This parameter is optional. If not provided, SSMS will not be installed."
}
},
"autoApproveAfdPrivateEndpoint": {
"type": "bool",
"defaultValue": true,
@ -3049,6 +3091,24 @@
},
"autoApproveAfdPrivateEndpoint": {
"value": "[parameters('autoApproveAfdPrivateEndpoint')]"
},
"githubRepository": {
"value": "[parameters('githubRepository')]"
},
"githubToken": {
"value": "[parameters('githubToken')]"
},
"adoOrganization": {
"value": "[parameters('adoOrganization')]"
},
"adoToken": {
"value": "[parameters('adoToken')]"
},
"installClis": {
"value": "[parameters('installClis')]"
},
"installSsms": {
"value": "[parameters('installSsms')]"
}
},
"template": {
@ -3058,7 +3118,7 @@
"_generator": {
"name": "bicep",
"version": "0.17.1.54307",
"templateHash": "16445129936569211151"
"templateHash": "15597731126636010887"
}
},
"parameters": {
@ -3146,6 +3206,48 @@
"description": "Deploy (or not) an Azure virtual machine (to be used as jumphost)"
}
},
"githubRepository": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The URL of the Github repository to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_token must also be provided."
}
},
"githubToken": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The token to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_repository must also be provided."
}
},
"adoOrganization": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The URL of the Azure DevOps organization to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_token must also be provided."
}
},
"adoToken": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The PAT token to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_organization must also be provided."
}
},
"installClis": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "A switch to indicate whether or not to install the Azure CLI, AZD CLI and git. This parameter is optional. If not provided, the Azure CLI, AZD CLI and git will not be installed"
}
},
"installSsms": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "A switch to indicate whether or not to install Sql Server Management Studio (SSMS). This parameter is optional. If not provided, SSMS will not be installed."
}
},
"webAppPlanSku": {
"type": "string",
"allowedValues": [
@ -8309,7 +8411,7 @@
"_generator": {
"name": "bicep",
"version": "0.17.1.54307",
"templateHash": "13580836858218228590"
"templateHash": "6324920352926996485"
}
},
"parameters": {
@ -8387,7 +8489,7 @@
"value": "[resourceGroup().name]"
}
],
"scriptContent": "rg_name=\"$ResourceGroupName\"; webapp_id=$(az webapp list -g $rg_name --query \"[].id\" -o tsv); fd_conn_id=$(az network private-endpoint-connection list --id $webapp_id --query \"[?properties.provisioningState == 'Pending'].{id:id}\" -o tsv);az network private-endpoint-connection approve --id $fd_conn_id --description \"ApprovedByCli\"",
"scriptContent": "rg_name=\"$ResourceGroupName\"; webapp_ids=$(az webapp list -g $rg_name --query \"[].id\" -o tsv); for webapp_id in $webapp_ids; do fd_conn_ids=$(az network private-endpoint-connection list --id $webapp_id --query \"[?properties.provisioningState == 'Pending'].id\" -o tsv); for fd_conn_id in $fd_conn_ids; do az network private-endpoint-connection approve --id \"$fd_conn_id\" --description \"ApprovedByCli\"; done; done",
"cleanupPreference": "OnSuccess",
"retentionInterval": "P1D"
},
@ -8452,6 +8554,24 @@
},
"subnetDevOpsId": {
"value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', reference(resourceId('Microsoft.Resources/deployments', 'vnetSpoke-Deployment'), '2022-09-01').outputs.vnetName.value, variables('resourceNames').snetDevOps), '/')[0], split(format('{0}/{1}', reference(resourceId('Microsoft.Resources/deployments', 'vnetSpoke-Deployment'), '2022-09-01').outputs.vnetName.value, variables('resourceNames').snetDevOps), '/')[1])]"
},
"githubRepository": {
"value": "[parameters('githubRepository')]"
},
"githubToken": {
"value": "[parameters('githubToken')]"
},
"adoOrganization": {
"value": "[parameters('adoOrganization')]"
},
"adoToken": {
"value": "[parameters('adoToken')]"
},
"installClis": {
"value": "[parameters('installClis')]"
},
"installSsms": {
"value": "[parameters('installSsms')]"
}
},
"template": {
@ -8461,7 +8581,7 @@
"_generator": {
"name": "bicep",
"version": "0.17.1.54307",
"templateHash": "15659440928257256549"
"templateHash": "2982997895193326464"
}
},
"parameters": {
@ -8522,6 +8642,48 @@
"metadata": {
"description": "The name of app config store, if any"
}
},
"githubRepository": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The URL of the Github repository to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_token must also be provided."
}
},
"githubToken": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The token to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_repository must also be provided."
}
},
"adoOrganization": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The URL of the Azure DevOps organization to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_token must also be provided."
}
},
"adoToken": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The PAT token to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_organization must also be provided."
}
},
"installClis": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "A switch to indicate whether or not to install the Azure CLI, AZD CLI and git. This parameter is optional. If not provided, the Azure CLI, AZD CLI and git will not be installed"
}
},
"installSsms": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "A switch to indicate whether or not to install Sql Server Management Studio (SSMS). This parameter is optional. If not provided, SSMS will not be installed."
}
}
},
"resources": [
@ -8560,6 +8722,24 @@
"value": {
"[format('{0}', reference(resourceId('Microsoft.Resources/deployments', 'vmJumpHostUserAssignedManagedIdenity-Deployment'), '2022-09-01').outputs.id.value)]": {}
}
},
"githubRepository": {
"value": "[parameters('githubRepository')]"
},
"githubToken": {
"value": "[parameters('githubToken')]"
},
"adoOrganization": {
"value": "[parameters('adoOrganization')]"
},
"adoToken": {
"value": "[parameters('adoToken')]"
},
"installClis": {
"value": "[parameters('installClis')]"
},
"installSsms": {
"value": "[parameters('installSsms')]"
}
},
"template": {
@ -8569,7 +8749,7 @@
"_generator": {
"name": "bicep",
"version": "0.17.1.54307",
"templateHash": "16391892586398122206"
"templateHash": "16379613978965958962"
}
},
"parameters": {
@ -8644,6 +8824,48 @@
"metadata": {
"description": "Optional. The ID(s) to assign to the resource."
}
},
"githubRepository": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The URL of the Github repository to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_token must also be provided."
}
},
"githubToken": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The token to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_repository must also be provided."
}
},
"adoOrganization": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The URL of the Azure DevOps organization to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_token must also be provided."
}
},
"adoToken": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The PAT token to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_organization must also be provided."
}
},
"installClis": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "A switch to indicate whether or not to install the Azure CLI, AZD CLI and git. This parameter is optional. If not provided, the Azure CLI, AZD CLI and git will not be installed"
}
},
"installSsms": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "A switch to indicate whether or not to install Sql Server Management Studio (SSMS). This parameter is optional. If not provided, SSMS will not be installed."
}
}
},
"variables": {
@ -8654,7 +8876,9 @@
"computerNameValid": "[replace(replace(parameters('name'), '-', ''), '_', '')]",
"computerName": "[if(greater(length(variables('computerNameValid')), variables('computerNameLength')), substring(variables('computerNameValid'), 0, variables('computerNameLength')), variables('computerNameValid'))]",
"identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]",
"identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]"
"identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]",
"installClisValue": "[if(parameters('installClis'), '-install_clis', '')]",
"installSsmsValue": "[if(parameters('installSsms'), '-install_ssms', '')]"
},
"resources": [
{
@ -8734,6 +8958,29 @@
"[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
]
},
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"apiVersion": "2023-03-01",
"name": "[format('{0}/{1}', variables('vmName'), 'customScriptExtension')]",
"location": "[parameters('location')]",
"properties": {
"publisher": "Microsoft.Compute",
"type": "CustomScriptExtension",
"typeHandlerVersion": "1.10",
"autoUpgradeMinorVersion": true,
"settings": {
"fileUris": [
"https://raw.githubusercontent.com/thotheod/appservice-landing-zone-accelerator/fix/02-AutoApprovalAfdPe/scenarios/shared/scripts/win-devops-vm-extensions/post-deployment.ps1"
]
},
"protectedSettings": {
"commandToExecute": "[format('powershell.exe -ExecutionPolicy Unrestricted -File post-deployment.ps1 -github_repository \"{0}\" -github_token \"{1}\" -ado_organization \"{2}\" -ado_token \"{3}\" {4} {5}', parameters('githubRepository'), parameters('githubToken'), parameters('adoOrganization'), parameters('adoToken'), variables('installClisValue'), variables('installSsmsValue'))]"
}
},
"dependsOn": [
"[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
]
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",


@ -52,7 +52,7 @@ az deployment sub create \
--template-file main.bicep \
--location $location \
--name $deploymentName \
--parameters ./main.parameters.local.jsonc
--parameters ./main.parameters.jsonc
```
### Powershell (windows based OS)
@ -64,7 +64,7 @@ az deployment sub create `
--template-file main.bicep `
--location $location `
--name $deploymentName `
--parameters ./main.parameters.local.jsonc
--parameters ./main.parameters.jsonc
```
### Azure Devloper CLI (azd)
1. [Install the Azure Developer CLI](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/install-azd?tabs=localinstall%2Cwindows%2Cbrew%2Cdeb)
@ -85,13 +85,21 @@ If before deployment you set the param `autoApproveAfdPrivateEndpoint` to `false
```bash
# Update the resource group name to match the one used in the deployment of the webapp
rg_name="rg-secure-baseline-dev"
webapp_id=$(az webapp list -g $rg_name --query "[].id" -o tsv)
fd_conn_id=$(az network private-endpoint-connection list --id $webapp_id --query "[?properties.provisioningState == 'Pending'].{id:id}" -o tsv)
az network private-endpoint-connection approve --id $fd_conn_id --description "Approved"
rg_name="rg-spoke-appsvclza1-dev-northeurope"
webapp_ids=$(az webapp list -g $rg_name --query "[].id" -o tsv)
# you might have more than one web apps, check for all of them if there are pending approvals
for webapp_id in $webapp_ids; do
# there might be more than one pending connection per web app
fd_conn_ids=$(az network private-endpoint-connection list --id $webapp_id --query "[?properties.provisioningState == 'Pending'].id" -o tsv)
for fd_conn_id in $fd_conn_ids; do
az network private-endpoint-connection approve --id "$fd_conn_id" --description "Approved"
done
done
```
### Verify Deployment and Approval of Azure Front Door Private Endpoint Connection approval
### Verify Deployment and Approval of Azure Front Door Private Endpoint Connection
Go to the portal, find the spoke resource group you have just deployed, and identify the Azure Front Door resource (names starts with *afd-*). In the Overview page, find the URL named *Endpoint hostname*, copy it, and try it on a browser. If everything is successful then you should see a sample web app page with title *"Your web app is running and waiting for your content"*. If you get any errors verify that you have approved the private endpoint connection between Azure Front Door and the Web App.
### Connect to the Jumpbox VM (deployed in the spoke resource group)


@ -42,6 +42,25 @@ param deployAppConfig bool
@description('Deploy (or not) an Azure virtual machine (to be used as jumphost)')
param deployJumpHost bool
// post deployment specific parameters for the jumpBox
@description('The URL of the Github repository to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_token must also be provided.')
param githubRepository string = ''
@description('The token to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_repository must also be provided.')
param githubToken string = ''
@description('The URL of the Azure DevOps organization to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_token must also be provided.')
param adoOrganization string = ''
@description('The PAT token to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_organization must also be provided.')
param adoToken string = ''
@description('A switch to indicate whether or not to install the Azure CLI, AZD CLI and git. This parameter is optional. If not provided, the Azure CLI, AZD CLI and git will not be installed')
param installClis bool = false
@description('A switch to indicate whether or not to install Sql Server Management Studio (SSMS). This parameter is optional. If not provided, SSMS will not be installed.')
param installSsms bool = false
@description('Optional S1 is default. Defines the name, tier, size, family and capacity of the App Service Plan. Plans ending to _AZ, are deplying at least three instances in three Availability Zones. EP* is only for functions')
@allowed([ 'S1', 'S2', 'S3', 'P1V3', 'P2V3', 'P3V3', 'P1V3_AZ', 'P2V3_AZ', 'P3V3_AZ', 'EP1', 'EP2', 'EP3' ])
param webAppPlanSku string
@ -295,6 +314,12 @@ module vmWindowsModule 'modules/vmJumphost.module.bicep' = if (deployJumpHost) {
keyvaultName: keyvault.outputs.keyvaultName
appConfigStoreId: webApp.outputs.appConfigStoreId
subnetDevOpsId: snetDevOps.id
githubRepository: githubRepository
githubToken: githubToken
adoOrganization: adoOrganization
adoToken: adoToken
installClis: installClis
installSsms: installSsms
}
}
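Review bot: `githubToken` and `adoToken` are credentials but are declared as plain `param ... string = ''` parameters, so their values are persisted in the deployment history and can surface in logs; each should carry `@secure()` on the line above its `param` declaration, and main.bicep declares the same two parameters and needs the same change, after which the `vmWindowsModule` invocation further down this hunk passes them through as secure strings. The compiled main.json in this commit shows these values being formatted into the jump-box extension's `commandToExecute` and the extension fetching `post-deployment.ps1` from a feature-branch URL of a personal fork without a content hash, so the script that runs with administrator rights on the VM is mutable at deploy time; pinning that `fileUris` entry to a commit SHA or hosting the script in a controlled storage location would close that gap. The descriptions of `adoOrganization` and `adoToken` read "the Github Azure DevOps will not be installed", which should be "the Azure DevOps agent will not be installed".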


@ -88,6 +88,25 @@ param deployAppConfig bool = false
@description('set to true if you want to deploy a jumpbox/devops VM')
param deployJumpHost bool = true
// post deployment specific parameters for the jumpBox
@description('The URL of the Github repository to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_token must also be provided.')
param githubRepository string = ''
@description('The token to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_repository must also be provided.')
param githubToken string = ''
@description('The URL of the Azure DevOps organization to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_token must also be provided.')
param adoOrganization string = ''
@description('The PAT token to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_organization must also be provided.')
param adoToken string = ''
@description('A switch to indicate whether or not to install the Azure CLI, AZD CLI and git. This parameter is optional. If not provided, the Azure CLI, AZD CLI and git will not be installed')
param installClis bool = false
@description('A switch to indicate whether or not to install Sql Server Management Studio (SSMS). This parameter is optional. If not provided, SSMS will not be installed.')
param installSsms bool = false
@description('set to true if you want to auto approve the Private Endpoint of the AFD')
param autoApproveAfdPrivateEndpoint bool = true
@ -192,6 +211,12 @@ module spoke 'deploy.spoke.bicep' = {
deployAzureSql: deployAzureSql
deployAppConfig: deployAppConfig
autoApproveAfdPrivateEndpoint: autoApproveAfdPrivateEndpoint
githubRepository: githubRepository
githubToken: githubToken
adoOrganization: adoOrganization
adoToken: adoToken
installClis: installClis
installSsms: installSsms
}
}
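Review bot: `githubToken` and `adoToken` are declared as plain `string` parameters (`param githubToken string = ''` and `param adoToken string = ''`), so their values are recorded in the deployment's parameter history and are readable by anyone who can view the deployment. Mark both with `@secure()` (an empty-string default is still permitted), which also lets Bicep warn wherever they are later passed into a non-secure module parameter. The same two parameters are introduced without `@secure()` in the section that declares `module vmWindows` and in the one that declares `resource vmPostDeploymentScript`, and need the decorator there as well so the chain stays secure end to end. Separately, the descriptions for `adoOrganization` and `adoToken` say "the Github Azure DevOps will not be installed", which reads like a leftover from the GitHub text; `the Azure DevOps Agent will not be installed` matches the PowerShell help for those parameters.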


@ -3,7 +3,7 @@
"contentVersion": "1.0.0.0",
"parameters": {
"workloadName" : {
"value": "appsvclza3"
"value": "appsvclza2"
},
"environmentName": {
"value": "${AZURE_ENV_NAME}"
@ -18,22 +18,22 @@
"value": "10.242.0.0/20"
},
"enableEgressLockdown" : {
"value": "false"
"value": true
},
"deployRedis": {
"value": "false"
"value": false
},
"deployAzureSql": {
"value": "true"
"value": true
},
"deployAppConfig": {
"value": "true"
"value": false
},
"deployJumpHost": {
"value": "true"
"value": true
},
"autoApproveAfdPrivateEndpoint": {
"value": "true"
"value": true
},
"subnetHubFirewallAddressSpace": {
"value": "10.242.0.0/26"
@ -74,8 +74,8 @@
"sqlServerAdministrators": {
"value": {
"login": "Azure AD SQL Admins",
"sid": "xxxx-xxxx-xxxx-xxxx-xxxx",
"tenantId": "xxxx-xxxx-xxxx-xxxx-xxxx"
"sid": "xxx-xxxx-xxxx-xxxx",
"tenantId": "xxx-xxxx-xxxx-xxxx"
}
}
}


@ -24,11 +24,11 @@
// Feature Flags
// set to true if you want to intercept all outbound traffic with azure firewall
"enableEgressLockdown" : {
"value": "true"
"value": true
},
// set to true if you want to a redis cache
"deployRedis": {
"value": "true"
"value": true
},
// set to true if you want to deploy a azure SQL server and default database
"deployAzureSql": {
@ -36,15 +36,15 @@
},
// set to true if you want to deploy application configuration
"deployAppConfig": {
"value": "true"
"value": true
},
// set to true if you want to deploy a jumpbox/devops VM
"deployJumpHost": {
"value": "true"
"value": true
},
// set to true if you want to auto approve the Private Endpoint of the AFD Premium
"autoApproveAfdPrivateEndpoint": {
"value": "true"
"value": true
},
// CIDR of the subnet that will host the azure Firewall
"subnetHubFirewallAddressSpace": {


@ -52,7 +52,7 @@ resource runAfdApproval 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
value: resourceGroup().name
}
]
scriptContent: 'rg_name="$ResourceGroupName"; webapp_id=$(az webapp list -g $rg_name --query "[].id" -o tsv); fd_conn_id=$(az network private-endpoint-connection list --id $webapp_id --query "[?properties.provisioningState == \'Pending\'].{id:id}" -o tsv);az network private-endpoint-connection approve --id $fd_conn_id --description "ApprovedByCli"'
scriptContent: 'rg_name="$ResourceGroupName"; webapp_ids=$(az webapp list -g $rg_name --query "[].id" -o tsv); for webapp_id in $webapp_ids; do fd_conn_ids=$(az network private-endpoint-connection list --id $webapp_id --query "[?properties.provisioningState == \'Pending\'].id" -o tsv); for fd_conn_id in $fd_conn_ids; do az network private-endpoint-connection approve --id "$fd_conn_id" --description "ApprovedByCli"; done; done'
cleanupPreference: 'OnSuccess'
retentionInterval: 'P1D'
}
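Review bot: The rewritten `scriptContent` has no error handling, so if `az webapp list` or the `private-endpoint-connection list` call fails (for instance because the script identity lacks the needed role), the loops run over an empty list, the script exits 0 and, as far as I can tell, the deployment script is reported as successful while the Front Door private endpoint stays unapproved. Prefix the script with `set -euo pipefail;` so a failing `az` call fails the deployment script, and quote the two remaining unquoted expansions as `-g "$rg_name"` and `--id "$webapp_id"`; the unquoted `$webapp_ids` and `$fd_conn_ids` in the `for` headers are the intended word-splitting and can stay. The same script body is duplicated in the README section further down and will drift if only one copy is updated. The `runAfdApproval` resource begins before this hunk.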


@ -30,6 +30,26 @@ param keyvaultName string
@description('The name of app config store, if any' )
param appConfigStoreId string
// post deployment specific parameters
@description('The URL of the Github repository to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_token must also be provided.')
param githubRepository string = ''
@description('The token to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_repository must also be provided.')
param githubToken string = ''
@description('The URL of the Azure DevOps organization to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_token must also be provided.')
param adoOrganization string = ''
@description('The PAT token to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_organization must also be provided.')
param adoToken string = ''
@description('A switch to indicate whether or not to install the Azure CLI, AZD CLI and git. This parameter is optional. If not provided, the Azure CLI, AZD CLI and git will not be installed')
param installClis bool = false
@description('A switch to indicate whether or not to install Sql Server Management Studio (SSMS). This parameter is optional. If not provided, SSMS will not be installed.')
param installSsms bool = false
resource keyvault 'Microsoft.KeyVault/vaults@2022-11-01' existing = {
name: keyvaultName
}
@ -47,6 +67,12 @@ module vmWindows '../../../shared/bicep/compute/jumphost-win11.bicep' = {
userAssignedIdentities: {
'${vmJumpHostUserAssignedManagedIdentity.outputs.id}': {}
}
githubRepository: githubRepository
githubToken: githubToken
adoOrganization: adoOrganization
adoToken: adoToken
installClis: installClis
installSsms: installSsms
}
}


@ -148,10 +148,18 @@ This is a manual step that is required to complete the private endpoint connecti
```bash
# Update the resource group name to match the one used in the deployment of the webapp
rg_name="rg-secure-baseline-dev"
webapp_id=$(az webapp list -g $rg_name --query "[].id" -o tsv)
fd_conn_id=$(az network private-endpoint-connection list --id $webapp_id --query "[?properties.provisioningState == 'Pending'].{id:id}" -o tsv)
az network private-endpoint-connection approve --id $fd_conn_id --description "Approved"
rg_name="rg-spoke-appsvclza1-dev-northeurope"
webapp_ids=$(az webapp list -g $rg_name --query "[].id" -o tsv)
# you might have more than one web apps, check for all of them if there are pending approvals
for webapp_id in $webapp_ids; do
# there might be more than one pending connection per web app
fd_conn_ids=$(az network private-endpoint-connection list --id $webapp_id --query "[?properties.provisioningState == 'Pending'].id" -o tsv)
for fd_conn_id in $fd_conn_ids; do
az network private-endpoint-connection approve --id "$fd_conn_id" --description "Approved"
done
done
```
### Connect to the DevOps VM


@ -37,7 +37,7 @@ resource "azurerm_virtual_machine_extension" "post_deployment" {
# protected_settings = <<PROTECTED_SETTINGS
# {
# "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File post-deployment.ps1 -az_cli_commands \\"${var.azure_cli_commands}\\" -install_ssms -github_repository \\"${local.gh_repo}\\" -github_token \\"${local.gh_token}\\" -ado_organization \\"${local.ado_org}\\" -ado_token \\"${local.ado_token}\\"",
# "fileUris": ["https://raw.githubusercontent.com/Azure/appservice-landing-zone-accelerator/feature/secure-baseline-scenario-v2/scenarios/secure-baseline-multitenant/terraform/modules/windows-vm-ext/post-deployment.ps1"]
# "fileUris": ["https://raw.githubusercontent.com/Azure/appservice-landing-zone-accelerator/main/scenarios/shared/scripts/win-devops-vm-extensions/post-deployment.ps1"]
# }
# PROTECTED_SETTINGS


@ -1,214 +0,0 @@
<#
.SYNOPSIS
This script is used to install and configure the following tools on a Windows VM:
- Azure CLI
- Sql Server Management Studio (SSMS)
- Github Actions Runner
- Azure DevOps Agent
.PARAMETER az_cli_commands
A string containing the commands to run after installing the Azure CLI.
This parameter is optional. If not provided, the Azure CLI will not be installed.
.PARAMETER github_repository
The URL of the Github repository to use for the Github Actions Runner.
This parameter is optional. If not provided, the Github Actions Runner will not be installed.
If this parameter is provided, then github_token must also be provided.
.PARAMETER github_token
The token to use for the Github Actions Runner.
This parameter is optional. If not provided, the Github Actions Runner will not be installed.
If this parameter is provided, then github_repository must also be provided.
.PARAMETER ado_organization
The URL of the Azure DevOps organization to use for the Azure DevOps Agent.
This parameter is optional. If not provided, the Azure DevOps Agent will not be installed.
If this parameter is provided, then ado_token must also be provided.
.PARAMETER ado_token
The PAT token to use for the Azure DevOps Agent.
This parameter is optional. If not provided, the Azure DevOps Agent will not be installed.
If this parameter is provided, then ado_organization must also be provided.
.PARAMETER install_ssms
A switch to indicate whether or not to install Sql Server Management Studio (SSMS).
This parameter is optional. If not provided, SSMS will not be installed.
#>
param (
[Parameter(Mandatory = $false)]
[string]$az_cli_commands,
[Parameter(Mandatory = $false)]
[string]$github_repository,
[Parameter(Mandatory = $false)]
[string]$github_token,
[Parameter(Mandatory = $false)]
[string]$ado_organization,
[Parameter(Mandatory = $false)]
[string]$ado_token,
[switch]
$install_ssms = $false
)
#Validate parameters
if (-not [string]::IsNullOrEmpty($github_token) -and [string]::IsNullOrEmpty($github_repository)) {
throw "If github_token is provided, then github_repository must also be provided."
}
if (-not [string]::IsNullOrEmpty($github_repository) -and [string]::IsNullOrEmpty($github_token)) {
throw "If github_repository is provided, then github_token must also be provided."
}
if (-not [string]::IsNullOrEmpty($ado_organization) -and [string]::IsNullOrEmpty($ado_token)) {
throw "If ado_organization is provided, then ado_token must also be provided."
}
if (-not [string]::IsNullOrEmpty($ado_token) -and [string]::IsNullOrEmpty($ado_organization)) {
throw "If ado_token is provided, then ado_organization must also be provided."
}
$basePath = "D:"
$logsFolder = "$($basePath)\post-deployment-extension\"
if ((Test-Path -Path $logsFolder) -ne $true) {
mkdir $logsFolder
}
$date = Get-Date -Format "yyyyMMdd-HHmmss"
Start-Transcript ($logsFolder + "post-deployment-script" + $date + ".log")
$downloads = @()
if (-not [string]::IsNullOrEmpty($az_cli_commands)) {
$azCliInstallPath = "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin"
$downloads += @{
name = "Azure CLI"
url = "https://aka.ms/installazurecliwindows"
path = "$($basePath)\ac-cli-runner\"
file = "AzureCLI.msi"
installCmd = "Start-Process msiexec.exe -Wait -ArgumentList '/I D:\ac-cli-runner\AzureCLI.msi /quiet'"
testInstallPath = "$($azCliInstallPath)\az.cmd"
postInstallCmd = $az_cli_commands
}
$env:Path += ";C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\"
}
if ($install_ssms) {
$ssmsInstallPath = "C:\Program Files (x86)\Microsoft SQL Server Management Studio 19"
$downloads += @{
name = "Sql Server Management Studio (SSMS)"
url = "https://aka.ms/ssmsfullsetup"
path = "$($basePath)\sql-server-mgmt-studio\"
file = "SSMS-Setup-ENU.exe"
installCmd = "Start-Process -FilePath '$($basePath)\sql-server-mgmt-studio\SSMS-Setup-ENU.exe' -Args '/install /quiet' -Verb RunAs -Wait"
testInstallPath = "$($ssmsInstallPath)\Common7\IDE\Ssms.exe"
postInstallCmd = ""
}
}
if (-not [string]::isNullorEmpty($github_repository) -and -not [string]::isNullorEmpty($github_token)) {
$ghInstallPath = "C:\github-actions"
$ghZipPath = "$($basePath)\github-actions\actions-runner-win-x64-2.303.0.zip"
$downloads += @{
name = "Github Actions Runner"
url = "https://github.com/actions/runner/releases/download/v2.303.0/actions-runner-win-x64-2.303.0.zip"
path = "$($basePath)\github-actions\"
file = "actions-runner-win-x64-2.303.0.zip"
installCmd = "Add-Type -AssemblyName System.IO.Compression.FileSystem; " +
"[System.IO.Compression.ZipFile]::ExtractToDirectory(`"$($ghZipPath)`", `"$($ghInstallPath)`");"
testInstallPath = "$($ghInstallPath)\bin\Runner.Listener.exe"
postInstallCmd = "$($ghInstallPath)\config.cmd --url $($github_repository) --token $($github_token) --unattended --replace --runasservice;"
}
}
if (-not [string]::isNullorEmpty($ado_organization) -and -not [string]::isNullorEmpty($ado_token)) {
$adoInstallPath = "C:\azure-devops-agent"
$adoZipPath = "$($basePath)\azure-devops-agent\vsts-agent-win-x64-2.218.1.zip"
$downloads += @{
name = "Azure DevOps Agent"
url = "https://vstsagentpackage.azureedge.net/agent/2.218.1/vsts-agent-win-x64-2.218.1.zip"
path = "$($basePath)\azure-devops-agent\"
file = "vsts-agent-win-x64-2.218.1.zip"
installCmd = "Add-Type -AssemblyName System.IO.Compression.FileSystem; " +
"[System.IO.Compression.ZipFile]::ExtractToDirectory(`"$($adoZipPath)`", `"$($adoInstallPath)`");"
testInstallPath = "$($adoInstallPath)\bin\Agent.Listener.exe"
postInstallCmd = "$($adoInstallPath)\config.cmd --url $($ado_organization) --auth pat --token $($ado_token) --unattended --replace --runasservice;"
}
}
$downloadJob = {
param($url, $filePath)
Invoke-WebRequest -Uri $url -OutFile $filePath
Write-Host "Download from $($url) completed!"
}
$jobs = @()
foreach ($download in $downloads) {
$filePath = $download.path + $download.file
if ((Test-Path -Path $download.path) -ne $true) {
mkdir $download.path | Out-Null
}
Write-Host "Checking if file is already present: $filePath"
if ((Test-Path -Path $filePath) -eq $true) {
Write-Host "File already exists, skipping download."
continue
}
Write-Host "File not present, downloading from: $($download.url)"
$job = Start-Job -Name $download.name -ScriptBlock $downloadJob -ArgumentList $download.url, $filePath
$jobs += $job
}
# Wait for all downloads to complete
if ($jobs.Count -gt 0) {
while ($jobs | Where-Object { $_.State -eq 'Running' }) {
Start-Sleep -Seconds 5
Write-Host "Installers are still downloading:"
$jobs | Format-Table -Property Name, State
}
# Get the output from each job and add it to an array
$output = $jobs | Receive-Job | Sort-Object
# Display the output
Write-Host $output
}
foreach ($download in $downloads) {
$filePath = $download.path + $download.file
Write-Host "Checking if $($download.name) is already installed in $($download.testInstallPath)."
if ((Test-Path -Path $download.testInstallPath) -eq $true) {
Write-Host "$($download.name) is already installed, skipping install."
continue
}
Write-Host "Running install command: $($download.installCmd)"
Invoke-Expression $download.installCmd
}
foreach ($download in $downloads) {
if (-not [string]::IsNullOrEmpty($download.postInstallCmd)) {
Write-Host "Running post install command: $($download.postInstallCmd)"
Invoke-Expression $download.postInstallCmd
Write-Host "Post install command completed: $($download.postInstallCmd)"
}
}
# # Run Azure CLI commands
# if (-not [string]::IsNullOrEmpty($az_cli_commands)) {
# Write-Host "Running Azure CLI commands: $($az_cli_commands)"
# Invoke-Expression $az_cli_commands
# }
# # Run Github Actions Runner commands


@ -1,7 +1,7 @@
# /bin/bash
commandToExecute='powershell.exe -ExecutionPolicy Unrestricted -File post-deployment.ps1 -az_cli_commands "az version" -install_ssms'
fileUris="'https://raw.githubusercontent.com/Azure/appservice-landing-zone-accelerator/feature/secure-baseline-scenario-v2/scenarios/secure-baseline-multitenant/terraform/modules/shared/windows-vm-ext/post-deployment.ps1'"
fileUris="'https://raw.githubusercontent.com/Azure/appservice-landing-zone-accelerator/main/scenarios/shared/scripts/win-devops-vm-extensions/post-deployment.ps1'"
protectedSettings='{"fileUris": "['$fileUris']", "commandToExecute": "'$commandToExecute'" }'
echo $protectedSettings
@ -14,5 +14,5 @@ az vm extension set -n CustomScriptExtension \
az vm extension set -n CustomScriptExtension \
--publisher Microsoft.Compute --version 1.10 \
--vm-name vm-devops-1201 --resource-group rg-secure-appsvc-prod \
--protected-settings '{"fileUris": "['https://raw.githubusercontent.com/Azure/appservice-landing-zone-accelerator/feature/secure-baseline-scenario-v2/scenarios/secure-baseline-multitenant/terraform/modules/shared/windows-vm-ext/post-deployment.ps1']", "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File post-deployment.ps1 -az_cli_commands \"az version\" -install_ssms" }' \
--protected-settings '{"fileUris": "['https://raw.githubusercontent.com/Azure/appservice-landing-zone-accelerator/main/scenarios/shared/scripts/win-devops-vm-extensions/post-deployment.ps1']", "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File post-deployment.ps1 -az_cli_commands \"az version\" -install_ssms" }' \
--verbose
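Review bot: The first line `# /bin/bash` is a comment, not a shebang (a shebang needs `#!` with no space), so the file is only run by bash when invoked explicitly as `bash script.sh`; change it to `#!/usr/bin/env bash`. `echo $protectedSettings` expands the JSON unquoted, which word-splits it and lets any `*` in it glob; use `printf '%s\n' "$protectedSettings"`. The identical script further down (the second section that sets `fileUris=` and calls `az vm extension set`) has the same two lines.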


@ -1,4 +1,6 @@
//TODO: needs some expansion to have less hardcoded things tt20230214
// ================ //
// Parameters //
// ================ //
@description('Name of the resource Virtual Network (The name must begin with a letter or number, end with a letter, number or underscore, and may contain only letters, numbers, underscores, periods, or hyphens)')
@minLength(2)
@ -36,6 +38,31 @@ param systemAssignedIdentity bool = false
@description('Optional. The ID(s) to assign to the resource.')
param userAssignedIdentities object = {}
// post deployment specific parameters
@description('The URL of the Github repository to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_token must also be provided.')
param githubRepository string = ''
@description('The token to use for the Github Actions Runner. This parameter is optional. If not provided, the Github Actions Runner will not be installed. If this parameter is provided, then github_repository must also be provided.')
param githubToken string = ''
@description('The URL of the Azure DevOps organization to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_token must also be provided.')
param adoOrganization string = ''
@description('The PAT token to use for the Azure DevOps Agent. This parameter is optional. If not provided, the Github Azure DevOps will not be installed. If this parameter is provided, then ado_organization must also be provided.')
param adoToken string = ''
@description('A switch to indicate whether or not to install the Azure CLI, AZD CLI and git. This parameter is optional. If not provided, the Azure CLI, AZD CLI and git will not be installed')
param installClis bool = false
@description('A switch to indicate whether or not to install Sql Server Management Studio (SSMS). This parameter is optional. If not provided, SSMS will not be installed.')
param installSsms bool = false
// =========== //
// Variables //
// =========== //
var aadLoginExtensionName = 'AADLoginForWindows'
var vmNameMaxLength = 64
@ -52,6 +79,11 @@ var identity = identityType != 'None' ? {
userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
} : null
// ================ //
// Resources //
// ================ //
module jumphostNic '../network/nic.private.dynamic.bicep' = {
name: 'jumphostNicDeployment'
params: {
@ -130,3 +162,27 @@ resource virtualMachineName_aadLoginExtensionName 'Microsoft.Compute/virtualMach
autoUpgradeMinorVersion: true
}
}
var installClisValue = installClis ? '-install_clis' : ''
var installSsmsValue = installSsms ? '-install_ssms' : ''
resource vmPostDeploymentScript 'Microsoft.Compute/virtualMachines/extensions@2023-03-01' = {
parent: jumphost
name: 'customScriptExtension'
location: location
properties: {
publisher: 'Microsoft.Compute'
type: 'CustomScriptExtension'
typeHandlerVersion: '1.10'
autoUpgradeMinorVersion: true
settings: {
fileUris: [
'https://raw.githubusercontent.com/Azure/appservice-landing-zone-accelerator/main/scenarios/shared/scripts/win-devops-vm-extensions/post-deployment.ps1'
]
}
protectedSettings: {
// commandToExecute: 'powershell.exe -ExecutionPolicy Unrestricted -File post-deployment.ps1 -install_ssms '
commandToExecute: 'powershell.exe -ExecutionPolicy Unrestricted -File post-deployment.ps1 -github_repository "${githubRepository}" -github_token "${githubToken}" -ado_organization "${adoOrganization}" -ado_token "${adoToken}" ${installClisValue} ${installSsmsValue}'
}
}
}
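Review bot: `commandToExecute` splices `githubRepository`, `githubToken`, `adoOrganization` and `adoToken` into a PowerShell command line inside plain double quotes with no escaping, so a value containing `"`, `$` or a backtick breaks the parse or is evaluated by PowerShell rather than passed through to the script. At minimum document that constraint above the line, `// values are interpolated unescaped into a PowerShell command line; they must not contain ", $ or backtick`, and drop the commented-out `commandToExecute:` line just above it. Also, `vmPostDeploymentScript` is a second extension on the same VM as `virtualMachineName_aadLoginExtensionName` with no `dependsOn`; as far as I know Azure rejects concurrent extension operations on one VM, so `dependsOn: [ virtualMachineName_aadLoginExtensionName ]` avoids an intermittent conflict error.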


@ -1,14 +1,14 @@
<#
.SYNOPSIS
This script is used to install and configure the following tools on a Windows VM:
- Azure CLI
- Azure CLI, Azure Developer CLI (AZD), and Git
- Sql Server Management Studio (SSMS)
- Github Actions Runner
- Azure DevOps Agent
.PARAMETER az_cli_commands
A string containing the commands to run after installing the Azure CLI.
This parameter is optional. If not provided, the Azure CLI will not be installed.
This parameter is optional. If not provided, the Azure CLI will not be installed. unless install_clis is set to true.
.PARAMETER github_repository
The URL of the Github repository to use for the Github Actions Runner.
@ -33,6 +33,10 @@
.PARAMETER install_ssms
A switch to indicate whether or not to install Sql Server Management Studio (SSMS).
This parameter is optional. If not provided, SSMS will not be installed.
.PARAMETER install_clis
A switch to indicate whether or not to install the Azure CLI, AZD CLI and git.
This parameter is optional. If not provided, the Azure CLI, AZD CLI and git will not be installed.
#>
param (
[Parameter(Mandatory = $false)]
@ -51,9 +55,14 @@ param (
[string]$ado_token,
[switch]
$install_ssms = $false
$install_ssms = $false,
[switch]
$install_clis = $false
)
Write-Host "script started"
#Validate parameters
if (-not [string]::IsNullOrEmpty($github_token) -and [string]::IsNullOrEmpty($github_repository)) {
throw "If github_token is provided, then github_repository must also be provided."
@ -79,22 +88,73 @@ Start-Transcript ($logsFolder + "post-deployment-script" + $date + ".log")
$downloads = @()
if (-not [string]::IsNullOrEmpty($az_cli_commands)) {
$azCliInstallPath = "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin"
$downloads += @{
name = "Azure CLI"
url = "https://aka.ms/installazurecliwindows"
path = "$($basePath)\ac-cli-runner\"
file = "AzureCLI.msi"
installCmd = "Start-Process msiexec.exe -Wait -ArgumentList '/I D:\ac-cli-runner\AzureCLI.msi /quiet'"
testInstallPath = "$($azCliInstallPath)\az.cmd"
postInstallCmd = $az_cli_commands
}
##############################################################################################################
if (-not [string]::IsNullOrEmpty($az_cli_commands) -or $install_clis) {
# install azure CLI
$azCliInstallPath = "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin"
$env:Path += ";C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\"
$downloads += @{
name = "Azure CLI"
url = "https://aka.ms/installazurecliwindows"
path = "$($basePath)\ac-cli-runner\"
file = "AzureCLI.msi"
installCmd = "Start-Process msiexec.exe -Wait -ArgumentList '/I D:\ac-cli-runner\AzureCLI.msi /quiet'"
testInstallPath = "$($azCliInstallPath)\az.cmd"
postInstallCmd = $az_cli_commands
}
$env:Path += ";C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\"
}
##############################################################################################################
## install azure developer CLI AZD
if ($install_clis) {
$azdInstallPath = "$($env:LOCALAPPDATA)\Programs\Azure Dev CLI"
$downloads += @{
name = "AZD CLI"
url = "https://azure-dev.azureedge.net/azd/standalone/release/latest/azd-windows-amd64.msi"
path = "$($basePath)\azd\"
file = "azd-windows-amd64.msi"
installCmd = "Start-Process msiexec.exe -Wait -ArgumentList '/i D:\azd\azd-windows-amd64.msi /qn /quiet'"
testInstallPath = "$($azdInstallPath)\azd.exe"
postInstallCmd = ""
}
$env:Path += ";$($azdInstallPath)\"
}
##############################################################################################################
# install the latest 64-bit Git
if ($install_clis) {
$pattern = 'https:\/\/github\.com\/git-for-windows\/git\/releases\/download\/v\d+\.\d+\.\d+\.windows\.\d+\/Git-\d+\.\d+\.\d+-64-bit\.exe'
$URL = "https://api.github.com/repos/git-for-windows/git/releases"
$URL = (Invoke-WebRequest -Uri $URL -UseBasicParsing).Content | ConvertFrom-Json
Write-Host "got the json content"
# hmm when chained together it doesn't work
$URL = $URL | Select-Object -ExpandProperty "assets" |
Where-Object "browser_download_url" -Match $pattern |
Select-Object -ExpandProperty "browser_download_url"
# https://github.com/git-for-windows/git/releases/download/v2.40.1.windows.1/Git-2.40.1-64-bit.exe
# Start-Process -FilePath "git-latest-64-bit.exe" -ArgumentList "/SILENT" -Wait
Write-Host "got the URLs to Download from $($URL[0])"
$gitInstallPath = "C:\Program Files\Git\bin"
}
$downloads += @{
name = "Git 64bit"
url = "$($URL[0])"
path = "$($basePath)\git\"
file = "git-latest-64-bit.exe"
installCmd = "Start-Process -Wait -FilePath D:\git\git-latest-64-bit.exe -ArgumentList '/verysilent /norestart /suppressmsgboxes'"
testInstallPath = "$($gitInstallPath)\git.exe"
postInstallCmd = ""
}
##############################################################################################################
# install the SSMS
if ($install_ssms) {
$ssmsInstallPath = "C:\Program Files (x86)\Microsoft SQL Server Management Studio 19"
@ -109,6 +169,8 @@ if ($install_ssms) {
}
}
##############################################################################################################
# install the guthub actions runner
if (-not [string]::isNullorEmpty($github_repository) -and -not [string]::isNullorEmpty($github_token)) {
$ghInstallPath = "C:\github-actions"
$ghZipPath = "$($basePath)\github-actions\actions-runner-win-x64-2.303.0.zip"
@ -125,15 +187,17 @@ if (-not [string]::isNullorEmpty($github_repository) -and -not [string]::isNullo
}
}
##############################################################################################################
# install the azure devops agent
if (-not [string]::isNullorEmpty($ado_organization) -and -not [string]::isNullorEmpty($ado_token)) {
$adoInstallPath = "C:\azure-devops-agent"
$adoZipPath = "$($basePath)\azure-devops-agent\vsts-agent-win-x64-2.218.1.zip"
$adoZipPath = "$($basePath)\azure-devops-agent\vsts-agent-win-x64-3.220.2.zip"
$downloads += @{
name = "Azure DevOps Agent"
url = "https://vstsagentpackage.azureedge.net/agent/2.218.1/vsts-agent-win-x64-2.218.1.zip"
url = "https://vstsagentpackage.azureedge.net/agent/3.220.2/vsts-agent-win-x64-3.220.2.zip"
path = "$($basePath)\azure-devops-agent\"
file = "vsts-agent-win-x64-2.218.1.zip"
file = "vsts-agent-win-x64-3.220.2.zip"
installCmd = "Add-Type -AssemblyName System.IO.Compression.FileSystem; " +
"[System.IO.Compression.ZipFile]::ExtractToDirectory(`"$($adoZipPath)`", `"$($adoInstallPath)`");"
testInstallPath = "$($adoInstallPath)\bin\Agent.Listener.exe"
@ -164,7 +228,7 @@ foreach ($download in $downloads) {
}
Write-Host "File not present, downloading from: $($download.url)"
$job = Start-Job -Name $download.name -ScriptBlock $downloadJob -ArgumentList $download.url, $filePath
$job = Start-Job -Name $download.name -ScriptBlock $downloadJob -ArgumentList $download.url, $filePath
$jobs += $job
}
@ -204,11 +268,5 @@ foreach ($download in $downloads) {
}
}
# # Run Azure CLI commands
# if (-not [string]::IsNullOrEmpty($az_cli_commands)) {
# Write-Host "Running Azure CLI commands: $($az_cli_commands)"
# Invoke-Expression $az_cli_commands
# }
# # Run Github Actions Runner commands
Write-Host "All done!"
```
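Review bot: The `$downloads += @{ name = "Git 64bit" … }` entry sits after the closing `}` of `if ($install_clis) {`, so Git is queued for download and install even when `-install_clis` is not set, and in that case `$URL` and `$gitInstallPath` are unset, giving an empty download URL and a `testInstallPath` of `\git.exe`. Move that closing brace to after the `$downloads += @{ … }` block so the whole Git section is guarded the way the AZD section is. In the Azure CLI block, `$env:Path += ";C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\"` now appears twice (before and after the `$downloads +=`); keep one. The Git installer is resolved from the GitHub releases API at run time and the AZD installer from a `latest` URL, with no version pin or checksum, unlike the pinned actions-runner and ADO agent archives; consider pinning both so a jumpbox build is reproducible and reviewable.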


@ -1,7 +1,7 @@
# /bin/bash
commandToExecute='powershell.exe -ExecutionPolicy Unrestricted -File post-deployment.ps1 -az_cli_commands "az version" -install_ssms'
fileUris="'https://raw.githubusercontent.com/Azure/appservice-landing-zone-accelerator/feature/secure-baseline-scenario-v2/scenarios/secure-baseline-multitenant/terraform/modules/shared/windows-vm-ext/post-deployment.ps1'"
fileUris="'https://raw.githubusercontent.com/Azure/appservice-landing-zone-accelerator/main/scenarios/shared/scripts/win-devops-vm-extensions/post-deployment.ps1'"
protectedSettings='{"fileUris": "['$fileUris']", "commandToExecute": "'$commandToExecute'" }'
echo $protectedSettings
@ -14,5 +14,5 @@ az vm extension set -n CustomScriptExtension \
az vm extension set -n CustomScriptExtension \
--publisher Microsoft.Compute --version 1.10 \
--vm-name vm-devops-1201 --resource-group rg-secure-appsvc-prod \
--protected-settings '{"fileUris": "['https://raw.githubusercontent.com/Azure/appservice-landing-zone-accelerator/feature/secure-baseline-scenario-v2/scenarios/secure-baseline-multitenant/terraform/modules/shared/windows-vm-ext/post-deployment.ps1']", "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File post-deployment.ps1 -az_cli_commands \"az version\" -install_ssms" }' \
--protected-settings '{"fileUris": "['https://raw.githubusercontent.com/Azure/appservice-landing-zone-accelerator/main/scenarios/shared/scripts/win-devops-vm-extensions/post-deployment.ps1']", "commandToExecute": "powershell.exe -ExecutionPolicy Unrestricted -File post-deployment.ps1 -az_cli_commands \"az version\" -install_ssms" }' \
--verbose